Merge pull request #51 from jasinner/spdx-supplier

Add SPDX Red Hat Supplier to examples

Author: jasinner

docs/sbom.md

@@ -157,7 +157,8 @@ The following snippet shows a minimal SBOM document:
       "creationInfo": {
         "created": "2006-08-14T02:34:56Z",// (4)!
         "creators": [
-          "Tool: example SPDX document only"
+          "Tool: example SPDX document only",
+          "Organization: Red Hat"// (5)!
         ]
       },
       "name": "ubi9-micro-container-9.4-6.1716471860_amd64",
@@ -177,17 +178,18 @@ The following snippet shows a minimal SBOM document:
 
     4. UTC timestamps must use the `YYYY-MM-DDThh:mm:ssZ` format.
 
+    5. creationInfo / creators includes the "Organization: Red Hat" value.
+
 A more detailed breakdown of some of the fields:
 
 `creationInfo`
 :   This field must contain at least the
-    [`created`](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#68-creator-field) and
-    [`creators`](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#69-created-field)
+    [`created`](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#69-created-field) and
+    [`creators`](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#68-creator-field)
     fields. The timestamp in the `created` field must be set to an ISO 8601-formatted date and time string using
     the UTC timezone. The `creators` field must identify the tool and its version that was used to generate the SBOM
     file (for example, `Tool: SBOMer 1.2.3` or even `Tool: pkg:github/project-ncl/[email protected]`).
-    Optionally, the organization responsible for generating the SBOM can be included in a separate string
-    (for example, `Organization: Red Hat Product Security ([email protected])`).
+    The value `Organization: Red Hat` included in a separate string. This is required by Red Hat Trusted Profiler Analyser 2 in order to trigger special handling.
 
 [`name`](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#64-document-name-field)
 :   This is an arbitrary value that should describe the main artifact described by the SBOM document. This can be a

sbom/examples/container_image/release/from_catalog.py

@@ -103,9 +103,7 @@ def create_sbom(image_id, root_package, packages, rel_type, other_pkgs=None, oth
         "SPDXID": "SPDXRef-DOCUMENT",
         "creationInfo": {
             "created": "2006-08-14T02:34:56Z",
-            "creators": [
-                "Tool: example SPDX document only",
-            ],
+            "creators": ["Tool: example SPDX document only", "Organization: Red Hat"],
         },
         "name": image_id,
         "documentNamespace": f"https://www.redhat.com/{image_id}.spdx.json",

sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25.spdx.json

@@ -5,7 +5,8 @@
   "creationInfo": {
     "created": "2006-08-14T02:34:56Z",
     "creators": [
-      "Tool: example SPDX document only"
+      "Tool: example SPDX document only",
+      "Organization: Red Hat"
     ]
   },
   "name": "kernel-module-management-operator-container-1.1.2-25",

sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json

@@ -5,7 +5,8 @@
   "creationInfo": {
     "created": "2006-08-14T02:34:56Z",
     "creators": [
-      "Tool: example SPDX document only"
+      "Tool: example SPDX document only",
+      "Organization: Red Hat"
     ]
   },
   "name": "kernel-module-management-operator-container-1.1.2-25_amd64",

sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json

@@ -5,7 +5,8 @@
   "creationInfo": {
     "created": "2006-08-14T02:34:56Z",
     "creators": [
-      "Tool: example SPDX document only"
+      "Tool: example SPDX document only",
+      "Organization: Red Hat"
     ]
   },
   "name": "kernel-module-management-operator-container-1.1.2-25_arm64",

sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json

@@ -5,7 +5,8 @@
   "creationInfo": {
     "created": "2006-08-14T02:34:56Z",
     "creators": [
-      "Tool: example SPDX document only"
+      "Tool: example SPDX document only",
+      "Organization: Red Hat"
     ]
   },
   "name": "kernel-module-management-operator-container-1.1.2-25_ppc64le",

sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860.spdx.json

@@ -5,7 +5,8 @@
   "creationInfo": {
     "created": "2006-08-14T02:34:56Z",
     "creators": [
-      "Tool: example SPDX document only"
+      "Tool: example SPDX document only",
+      "Organization: Red Hat"
     ]
   },
   "name": "ubi9-micro-container-9.4-6.1716471860",

sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json

@@ -5,7 +5,8 @@
   "creationInfo": {
     "created": "2006-08-14T02:34:56Z",
     "creators": [
-      "Tool: example SPDX document only"
+      "Tool: example SPDX document only",
+      "Organization: Red Hat"
     ]
   },
   "name": "ubi9-micro-container-9.4-6.1716471860_amd64",

sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json

@@ -5,7 +5,8 @@
   "creationInfo": {
     "created": "2006-08-14T02:34:56Z",
     "creators": [
-      "Tool: example SPDX document only"
+      "Tool: example SPDX document only",
+      "Organization: Red Hat"
     ]
   },
   "name": "ubi9-micro-container-9.4-6.1716471860_arm64",

sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json

@@ -5,7 +5,8 @@
   "creationInfo": {
     "created": "2006-08-14T02:34:56Z",
     "creators": [
-      "Tool: example SPDX document only"
+      "Tool: example SPDX document only",
+      "Organization: Red Hat"
     ]
   },
   "name": "ubi9-micro-container-9.4-6.1716471860_ppc64le",