Implement component.manufacturer #63

@maennchen

Description

Definition: The organization that created the component (common for automated builds).

Challenge: The config[:package][:organization] field exists but:

  • Rarely used in public packages
  • Indicates ownership/hosting, not necessarily creation
  • Semantically ambiguous

From Hex.pm docs:

package.organization - The organization the package belongs to. The package will be published to the organization repository.

Alternative: Infer from GitHub organization for some cases:

# Heuristic: only a known GitHub organization URL maps to a manufacturer name;
# anything else (other hosts, unknown orgs, missing link) yields nil.
case component[:links]["GitHub"] do
  "https://github.com/dashbitco/" <> _ ->
    bom_struct(:OrganizationalEntity, version, name: "Dashbit")
  _ -> nil
end

Important

Question: ❓ Should we:

  1. Only use explicit organization field (most accurate)
  2. Infer from GitHub URL (more coverage but less accurate)
  3. Leave it out entirely (least ambiguous)
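One way to make the three options above a selectable strategy, as an added example that is not the project's own code (the `ManufacturerResolver` module, the `@known_orgs` map, the `:source` tag on the result and the strategy atoms are assumptions for illustration):

```elixir
# Added example (not the project's code): resolve a CycloneDX
# component.manufacturer value for a Hex package using the three strategies
# discussed in the issue. Names below are assumptions for illustration.
defmodule ManufacturerResolver do
  @moduledoc """
  :explicit  only trusts config[:package][:organization] (most accurate).
  :infer     falls back to mapping a GitHub organization URL to a name;
             the result is tagged so consumers can tell it is a heuristic.
  :none      always omits the field (least ambiguous).
  """

  # Constructed mapping of GitHub org path segment -> manufacturer name.
  @known_orgs %{"dashbitco" => "Dashbit"}

  @spec resolve(map(), map(), :explicit | :infer | :none) :: map() | nil
  def resolve(config, component, strategy \\ :explicit)

  def resolve(_config, _component, :none), do: nil

  def resolve(config, _component, :explicit) do
    case get_in(config, [:package, :organization]) do
      org when is_binary(org) and org != "" ->
        %{name: org, source: :hex_organization}

      _ ->
        nil
    end
  end

  def resolve(config, component, :infer) do
    resolve(config, component, :explicit) || infer_from_github(component)
  end

  # Only the "GitHub" link is consulted; other hosts or unknown orgs give nil.
  defp infer_from_github(%{links: %{"GitHub" => url}}) when is_binary(url) do
    with %URI{host: "github.com", path: path} when is_binary(path) <- URI.parse(url),
         [org | _] <- String.split(path, "/", trim: true),
         {:ok, name} <- Map.fetch(@known_orgs, String.downcase(org)) do
      %{name: name, source: :github_inference}
    else
      _ -> nil
    end
  end

  defp infer_from_github(_component), do: nil
end
```

Tagging the result with its `source` lets an SBOM consumer treat `:github_inference` as hosting evidence rather than proof of creation, which is the ambiguity the Hex.pm definition leaves open.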