Open thompson-tomo opened 9 months ago
Group the first segment of the package name
This is based on the assumption that packages are named by a certain convention/best practice that is not enforced. I don't think that this applies to all packages.
publisher is the owner as specified in Nuget, if empty use author
That doesn't sound unreasonable. Interestingly though, on the NuGet website you usually see an owner, e.g. here, but in the .nuspec file I haven't seen a filled owner node yet. I would really love to use the one from the .nuspec file, but I am a little hesitant about having to parse the NuGet website for that information. What did you mean by "as specified in NuGet"?
@mtsfoni I have just pushed a draft PR #846 which shows the publisher being set.
In relation to the group, you are correct that it is not enforced, but recently NuGet has started using verified prefixes to help improve security by providing a visual indicator that packages are coming from a reputable source and are who they claim to be.
This issue is stale because it has been open for 3 months with no activity.
When generating an SBOM, the below properties should be set to provide a richer experience and better information.
supplier: the URL/name of the repository used to source the package. This would need to come from package source mapping. Will be handled via #845
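To make the proposed group and publisher rules concrete, here is an added Python sketch that is not part of the CycloneDX tool, the draft PR, or this thread. It derives the two fields from a constructed .nuspec (package id, author and owner values are made up); the verified-prefix check mentioned above is not modelled, since that needs a live NuGet lookup.

```python
import xml.etree.ElementTree as ET

# Constructed sample .nuspec with an empty <owners> node, the case the
# thread discusses. Not a real package.
SAMPLE_NUSPEC = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Contoso.Security.Tokens</id>
    <version>1.2.3</version>
    <authors>Contoso Dev Team</authors>
    <owners></owners>
  </metadata>
</package>"""


def _local(tag: str) -> str:
    """Strip the XML namespace so any nuspec schema version is matched."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> str:
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def derive_component_fields(nuspec_xml: str) -> dict:
    """Derive SBOM component fields from a .nuspec per the thread's proposal.

    group:     first dot-separated segment of the package id; this is a naming
               convention, not something NuGet enforces, so it is empty when
               the id has no prefix at all.
    publisher: <owners> when present and non-empty, otherwise <authors>.
    """
    root = ET.fromstring(nuspec_xml)
    metadata = next((c for c in root if _local(c.tag) == "metadata"), None)
    if metadata is None:
        raise ValueError("nuspec has no <metadata> element")
    package_id = _child_text(metadata, "id")
    owners = _child_text(metadata, "owners")
    authors = _child_text(metadata, "authors")
    group = package_id.split(".", 1)[0] if "." in package_id else ""
    return {
        "name": package_id,
        "group": group,
        "publisher": owners or authors,
        # Record which node supplied the value so reviewers can tell the
        # fallback apart from an explicit owner.
        "publisher_source": "owners" if owners else ("authors" if authors else ""),
    }
```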