Open
Description
In SPDX, an author can be one of 3 types:
- Person
- Organization
- Tool
So, we have the right to add 2 types of author, "Person" and "Organization".
sbomasm does support adding the author types Person and Tool:
```
sbomasm edit --subject Document --append \
  --author 'VulnCon SBOM Generation Workshop' \
  --author 'Interlynk (https://github.com/interlynk-io.io/)' \
  --tool "foo (v1.0.1)" \
  sbom-with-two-component.spdx.json > update-author.spdx.json
```
It adds them like this:
```
"creationInfo": {
  "licenseListVersion": "3.25",
  "creators": [
    "Organization: Anchore, Inc",
    "Tool: syft-1.26.1",
    "Person: VulnCon SBOM Generation Workshop ()",
    "Person: Interlynk (https://github.com/interlynk-io.io/)",
    "Tool: foo-v1.0.1",
    "Tool: sbomasm-v1.0.4"
  ],
  "created": "2025-06-06T05:52:18Z",
  "comment": "lifecycle: pre-build"
},
```
So, it adds both authors as `Person`, as well as the added `Tool`.
Is there a way to add an author as an `Organization`? For example, Interlynk
represents an organization more than a person.
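
A post-processing step for the situation described above, added here as an example; it is not part of the issue and not sbomasm's own code. It assumes SPDX 2.x JSON whose `creationInfo.creators` strings have the form shown in the output above; `parse_creator` and `retag_organizations` are hypothetical helper names.

```python
import copy
import re

# SPDX 2.x creator strings: "<Type>: <name>" with an optional " (<contact>)" suffix.
CREATOR_RE = re.compile(r"^(Person|Organization|Tool): (.+?)(?: \(([^()]*)\))?$")

def parse_creator(entry):
    """Split a creators string into (type, name, contact); reject unknown forms."""
    m = CREATOR_RE.match(entry.strip())
    if not m:
        raise ValueError(f"not an SPDX creator entry: {entry!r}")
    ctype, name, contact = m.groups()
    return ctype, name.strip(), (contact or "").strip()

def retag_organizations(doc, org_names):
    """Return a copy of doc where Person entries named in org_names become Organization."""
    out = copy.deepcopy(doc)
    creators = out["creationInfo"]["creators"]
    for i, entry in enumerate(creators):
        ctype, name, _ = parse_creator(entry)
        if ctype == "Person" and name in org_names:
            # Swap only the type prefix; name and contact stay exactly as written.
            creators[i] = "Organization: " + entry.strip()[len("Person: "):]
    return out

# creationInfo copied from the output shown in the issue above.
SAMPLE = {
    "creationInfo": {
        "licenseListVersion": "3.25",
        "creators": [
            "Organization: Anchore, Inc",
            "Tool: syft-1.26.1",
            "Person: VulnCon SBOM Generation Workshop ()",
            "Person: Interlynk (https://github.com/interlynk-io.io/)",
            "Tool: foo-v1.0.1",
            "Tool: sbomasm-v1.0.4",
        ],
        "created": "2025-06-06T05:52:18Z",
        "comment": "lifecycle: pre-build",
    }
}

if __name__ == "__main__":
    import json
    print(json.dumps(retag_organizations(SAMPLE, {"Interlynk"}), indent=2))
```

Entries that do not match one of the three SPDX creator types raise `ValueError` instead of being passed through, so a malformed creator line is caught before the document is rewritten.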