fix: use organization for package supplier when reading Java vendor f…

…ields (#3093) Signed-off-by: Harippriya Sivapatham <[email protected]>
anchore · Aug 3, 2024 · cc15edc · cc15edc
1 parent 623532e
commit cc15edc
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/syft/format/internal/spdxutil/helpers/originator_supplier.go b/syft/format/internal/spdxutil/helpers/originator_supplier.go
@@ -56,6 +56,10 @@ func Originator(p pkg.Package) (typ string, author string) { // nolint: funlen
 			if author == "" {
 				author = metadata.Manifest.Main.MustGet("Implementation-Vendor")
 			}
+			// Vendor is specified, hence set 'Organization' as the PackageSupplier
+			if author != "" {
+				typ = orgType
+			}
 		}
 
 	case pkg.LinuxKernelModule:

diff --git a/syft/format/internal/spdxutil/helpers/originator_supplier_test.go b/syft/format/internal/spdxutil/helpers/originator_supplier_test.go
@@ -138,8 +138,8 @@ func Test_OriginatorSupplier(t *testing.T) {
 					},
 				},
 			},
-			originator: "Person: auth-spec",
-			supplier:   "Person: auth-spec",
+			originator: "Organization: auth-spec",
+			supplier:   "Organization: auth-spec",
 		},
 		{
 			name: "from java -- fallback to impl vendor in main manifest section",
@@ -155,8 +155,8 @@ func Test_OriginatorSupplier(t *testing.T) {
 					},
 				},
 			},
-			originator: "Person: auth-impl",
-			supplier:   "Person: auth-impl",
+			originator: "Organization: auth-impl",
+			supplier:   "Organization: auth-impl",
 		},
 		{
 			name: "from java -- non-main manifest sections ignored",