sbom: populate supplier for operating system package (#2101)

imjasonh · web-flow · commit a17bf700a4e4 · 2025-07-26T16:48:33.000-04:00
* sbom: populate supplier for operating system package

Signed-off-by: Jason Hall &lt;jason@chainguard.dev&gt;

* update goldens

Signed-off-by: Jason Hall &lt;jason@chainguard.dev&gt;

* update goldens better

Signed-off-by: Jason Hall &lt;jason@chainguard.dev&gt;

---------

Signed-off-by: Jason Hall &lt;jason@chainguard.dev&gt;
diff --git a/pkg/build/testdata/goldenfiles/sboms/7zip-two-fetches-2301-r3.spdx.json b/pkg/build/testdata/goldenfiles/sboms/7zip-two-fetches-2301-r3.spdx.json
@@ -25,6 +25,8 @@
       "licenseDeclared": "NOASSERTION",
       "description": "Operating System",
       "downloadLocation": "NOASSERTION",
+      "originator": "Organization: Wolfi",
+      "supplier": "Organization: Wolfi",
       "primaryPackagePurpose": "OPERATING-SYSTEM"
     },
     {
diff --git a/pkg/build/testdata/goldenfiles/sboms/crane-0.20.2-r1.spdx.json b/pkg/build/testdata/goldenfiles/sboms/crane-0.20.2-r1.spdx.json
@@ -25,6 +25,8 @@
       "licenseDeclared": "NOASSERTION",
       "description": "Operating System",
       "downloadLocation": "NOASSERTION",
+      "originator": "Organization: Wolfi",
+      "supplier": "Organization: Wolfi",
       "primaryPackagePurpose": "OPERATING-SYSTEM"
     },
     {
diff --git a/pkg/sbom/document.go b/pkg/sbom/document.go
@@ -114,6 +114,8 @@ func (d Document) createOperatingSystemPackage(os *apko_build.ReleaseData) spdx.
 		LicenseDeclared:  spdx.NOASSERTION,
 		DownloadLocation: spdx.NOASSERTION,
 		PrimaryPurpose:   "OPERATING-SYSTEM",
+		Originator:       d.Describes.getSupplier(),
+		Supplier:         d.Describes.getSupplier(),
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,8 @@`
`25`	`25`	`"licenseDeclared": "NOASSERTION",`
`26`	`26`	`"description": "Operating System",`
`27`	`27`	`"downloadLocation": "NOASSERTION",`
	`28`	`+ "originator": "Organization: Wolfi",`
	`29`	`+ "supplier": "Organization: Wolfi",`
`28`	`30`	`"primaryPackagePurpose": "OPERATING-SYSTEM"`
`29`	`31`	`},`
`30`	`32`	`{`
Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,8 @@ func (d Document) createOperatingSystemPackage(os *apko_build.ReleaseData) spdx.`
`114`	`114`	`LicenseDeclared: spdx.NOASSERTION,`
`115`	`115`	`DownloadLocation: spdx.NOASSERTION,`
`116`	`116`	`PrimaryPurpose: "OPERATING-SYSTEM",`
	`117`	`+ Originator: d.Describes.getSupplier(),`
	`118`	`+ Supplier: d.Describes.getSupplier(),`
`117`	`119`	`}`
`118`	`120`	`}`
`119`	`121`