Open merlin-uk opened 3 days ago
The Supplier is needed to make SBOM valid.
This is not required to make a valid SBOM. It is required for NTIA minimum elements.
The challenge we have here is that we simply don't have supplier information present in the scan target for everything. However, we are including supplier, in many cases if we found this information.
Is there something else you are looking for? Could you provide more information: what package ecosystem, what output format, sample images you expect to have suppliers, etc.?
What would you like to be added: Please add "Supplier" to each component. Why is this needed: The Supplier is needed to make SBOM valid. Additional context: