Evaluate & Adhere (or have good reasons why not) to NTIA minimal elements

[justinabrahms]

https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf

minimum elements

Data	Field Description
Supplier Name	The name of an entity that creates, defines, and identifies components.
Component Name	Designation assigned to a unit of software defined by the original supplier.
Version of the Component	Identifier used by the supplier to specify a change in software from a previously identified version.
Other Unique Identifiers	Other identifiers that are used to identify a component, orserve as a look-up key for relevant databases.
Dependency Relationship	Characterizing the relationship that an upstream componentX is included in software Y.
Author of SBOM Data	The name of the entity that creates the SBOM data for this component.
Timestamp	Record of the date and time of the SBOM data assembly

[justinabrahms]

SPDX: https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k22-mapping-ntia-minimum-elements-to-spdx-fields

Also, section 2.3 of https://www.ntia.gov/files/ntia/publications/framingsbom_20191112.pdf

Can't seem to find anything authoritative on NTIA+CycloneDX, but we should be able to map SPDX fields to the CDX format.

[justinabrahms]

I'm not entirely clear if requiring package supplier makes sense.

[jspeed-meyers]

@justinabrahms -- I think you're right to be unsure of whether to use package supplier in a NTIA minimum elements-related check. While it is technically part of the minimum elements, it seems, in my experience, that very few SBOMs actually include it, partially because the definition of a "supplier" for many open source software components is ambiguous.