feat(spdx): Allow to set creator person and organization

This is to satisfy German BSI requirements for SBOMs, see [1]. [1]: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
oss-review-toolkit · Aug 19, 2024 · dcc41df · dcc41df
1 parent aaf9012
commit dcc41df
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/plugins/reporters/spdx/src/main/kotlin/SpdxDocumentModelMapper.kt b/plugins/reporters/spdx/src/main/kotlin/SpdxDocumentModelMapper.kt
@@ -47,6 +47,8 @@ internal object SpdxDocumentModelMapper {
         val documentName: String,
         val documentComment: String,
         val creationInfoComment: String,
+        val creationInfoPerson: String,
+        val creationInfoOrganization: String,
         val fileInformationEnabled: Boolean
     )
 
@@ -158,12 +160,18 @@ internal object SpdxDocumentModelMapper {
             }
         }
 
+        val creators = listOfNotNull(
+            params.creationInfoPerson.takeUnless { it.isEmpty() }?.let { "${SpdxConstants.PERSON} $it" },
+            params.creationInfoOrganization.takeUnless { it.isEmpty() }?.let { "${SpdxConstants.ORGANIZATION} $it" },
+            "${SpdxConstants.TOOL} $ORT_NAME-${Environment.ORT_VERSION}"
+        )
+
         return SpdxDocument(
             comment = params.documentComment,
             creationInfo = SpdxCreationInfo(
                 comment = params.creationInfoComment,
                 created = Instant.now().truncatedTo(ChronoUnit.SECONDS),
-                creators = listOf("${SpdxConstants.TOOL} $ORT_NAME-${Environment.ORT_VERSION}"),
+                creators = creators,
                 licenseListVersion = SpdxLicense.LICENSE_LIST_VERSION.substringBefore("-")
             ),
             documentNamespace = "spdx://${UUID.randomUUID()}",

diff --git a/plugins/reporters/spdx/src/main/kotlin/SpdxDocumentReporter.kt b/plugins/reporters/spdx/src/main/kotlin/SpdxDocumentReporter.kt
@@ -42,6 +42,8 @@ import org.ossreviewtoolkit.utils.spdx.model.SpdxDocument
  *
  * This reporter supports the following options:
  * - *creationInfo.comment*: Add the corresponding value as metadata to the [SpdxDocument.creationInfo].
+ * - *creationInfo.person*: Add the corresponding value as metadata to the [SpdxDocument.creationInfo].
+ * - *creationInfo.organization*: Add the corresponding value as metadata to the [SpdxDocument.creationInfo].
  * - *document.comment*: Add the corresponding value as metadata to the [SpdxDocument].
  * - *document.name*: The name of the generated [SpdxDocument], defaults to "Unnamed document".
  * - *output.file.formats*: The list of [FileFormat]s to generate, defaults to [FileFormat.YAML].
@@ -53,6 +55,8 @@ class SpdxDocumentReporter : Reporter {
         const val REPORT_BASE_FILENAME = "bom.spdx"
 
         const val OPTION_CREATION_INFO_COMMENT = "creationInfo.comment"
+        const val OPTION_CREATION_INFO_PERSON = "creationInfo.person"
+        const val OPTION_CREATION_INFO_ORGANIZATION = "creationInfo.organization"
         const val OPTION_DOCUMENT_COMMENT = "document.comment"
         const val OPTION_DOCUMENT_NAME = "document.name"
         const val OPTION_OUTPUT_FILE_FORMATS = "output.file.formats"
@@ -77,6 +81,8 @@ class SpdxDocumentReporter : Reporter {
             documentName = config.options.getOrDefault(OPTION_DOCUMENT_NAME, DOCUMENT_NAME_DEFAULT_VALUE),
             documentComment = config.options.getOrDefault(OPTION_DOCUMENT_COMMENT, ""),
             creationInfoComment = config.options.getOrDefault(OPTION_CREATION_INFO_COMMENT, ""),
+            creationInfoPerson = config.options.getOrDefault(OPTION_CREATION_INFO_PERSON, ""),
+            creationInfoOrganization = config.options.getOrDefault(OPTION_CREATION_INFO_ORGANIZATION, ""),
             fileInformationEnabled = config.options.getOrDefault(OPTION_FILE_INFORMATION_ENABLED, "true").toBoolean()
         )