In spdx/spdx-gradle-plugin#38 we're considering whether, if pom.organization is unspecified, perhaps pom.developer.organization should be a possible fallback for sbom.organization.
I'm not convinced: why would the first developer data be promoted like this?
Even if we code that algorithm only when there is a unique developer, the heuristic sometimes gives the result that the component provider would expect and sometimes not; if we implement it, I expect the next issue reported will be to "fix" the heuristic.
SBOM seems to be the first time people look at the values they have put (or not) in their pom.xml for years: heuristics that try to guess instead of having the owner make their own decision are not something I'm really convinced about.
In spdx/spdx-gradle-plugin#38 we're considering whether, if `pom.organization` is unspecified, perhaps `pom.developer.organization` should be a possible fallback for `sbom.organization`.
I think an example pom is:
https://repo1.maven.org/maven2/org/jetbrains/annotations/13.0/annotations-13.0.pom
which contains the text:
which I think was causing this text to appear in the sbom:
"supplier" : "Person: JetBrains Team"
whereas maybe it would be better to output this text instead:
"supplier" : "Organization: JetBrains"
Perhaps it might make sense for the spdx-maven-plugin to do something similar to what's being considered for the spdx-gradle-plugin here too.
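To make the two behaviours concrete, here is an added example (not code from spdx-maven-plugin or spdx-gradle-plugin) that derives the SPDX supplier string from a POM, once with the developer fallback off and once with it on. The sample POMs are constructed; the restriction to a single developer and the NOASSERTION result for every other case are assumptions of this example.

```python
import xml.etree.ElementTree as ET

def _text(parent, path):
    """Trimmed text of the first child matching `path`, or None when absent/blank."""
    node = parent.find(path)
    return node.text.strip() if node is not None and node.text and node.text.strip() else None

def spdx_supplier(pom_xml: str, promote_developer_org: bool = False) -> str:
    """Derive the SPDX supplier field from a POM.

    promote_developer_org=False reflects the behaviour the issue reports
    (organization, else the developer's name as a Person); True applies the
    proposed fallback, but only when exactly one developer is listed, as the
    reply argues. NOASSERTION for everything else is an assumption of this example.
    """
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # drop the POM default namespace so lookups are uniform
        el.tag = el.tag.split("}", 1)[-1]
    org = _text(root, "organization/name")
    if org:
        return f"Organization: {org}"
    developers = root.findall("developers/developer")
    if len(developers) != 1:
        return "NOASSERTION"
    dev = developers[0]
    if promote_developer_org and _text(dev, "organization"):
        return f"Organization: {_text(dev, 'organization')}"
    name = _text(dev, "name")
    return f"Person: {name}" if name else "NOASSERTION"

# Constructed sample (not the real annotations-13.0.pom): no <organization>, one
# developer carrying the name and organization quoted in the issue.
POM_ONE_DEVELOPER = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <developers>
    <developer>
      <name>JetBrains Team</name>
      <organization>JetBrains</organization>
    </developer>
  </developers>
</project>"""

# Constructed sample with two developers from different organizations: the
# fallback would have to pick one, so it is deliberately not applied.
POM_TWO_DEVELOPERS = """<project><developers>
  <developer><name>Alice</name><organization>Acme</organization></developer>
  <developer><name>Bob</name><organization>Globex</organization></developer>
</developers></project>"""
```

Running `spdx_supplier(POM_ONE_DEVELOPER)` gives the "Person: JetBrains Team" value from the issue, and passing `promote_developer_org=True` gives "Organization: JetBrains"; the two-developer POM yields NOASSERTION either way.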