Originating from this comment (and a later update), the NTIA minimum elements call for supplier information, and both CycloneDX and SPDX provide corresponding fields. However, there is no strict definition of what the "supplier" of an Open Source package should be. In particular, the "supplier" should not be the hosting website of a package.
That said, I'm proposing the following logic to deduce the supplier (try in order, first match wins):
For package managers that support it, use the organization name or similar (see e.g. Maven).
Use the namespace of a package if it contains "com" or "org" and is not a recognized VcsHost.
Use the author / developer if there's only a single one; prefer its organization (if supported by the package manager, see e.g. Maven) over its name.
Implementing this probably requires introducing a dedicated "organization" field to the Package model; currently, e.g. the Maven-provided organization is simply added to the set of authors.
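An added example of the proposed first-match-wins deduction, written in Python for illustration rather than taken from the project's Kotlin code base; the `Package` shape with a dedicated `organization` field, the list of VCS hosts, and the reading of "contains com or org" as a dot-separated namespace segment are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hosting sites that must never be reported as the supplier (constructed list;
# the real project keeps a VcsHost enumeration with similar entries).
VCS_HOSTS = {"github", "gitlab", "bitbucket", "sourcehut"}


@dataclass
class Package:
    namespace: str = ""
    # Hypothetical dedicated field as proposed in the issue; today the
    # Maven-provided organization is merged into the authors set instead.
    organization: Optional[str] = None
    # Each author is a dict with "name" and an optional "organization".
    authors: list = field(default_factory=list)


def namespace_segments(namespace: str) -> list:
    return [seg.lower() for seg in namespace.split(".") if seg]


def is_vcs_host_namespace(namespace: str) -> bool:
    # e.g. "com.github.someuser" names a hosting site, not a supplier.
    return any(seg in VCS_HOSTS for seg in namespace_segments(namespace))


def deduce_supplier(pkg: Package) -> Optional[str]:
    # Rule 1: package-manager-provided organization (Maven's <organization>).
    if pkg.organization:
        return pkg.organization
    # Rule 2: a "com"/"org" namespace that is not a recognized VCS host.
    segs = namespace_segments(pkg.namespace)
    if ("com" in segs or "org" in segs) and not is_vcs_host_namespace(pkg.namespace):
        return pkg.namespace
    # Rule 3: a single author, preferring its organization over its name.
    if len(pkg.authors) == 1:
        author = pkg.authors[0]
        return author.get("organization") or author.get("name")
    # No rule matched: leave the supplier unset rather than guessing.
    return None
```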