What should "SBOM Author" name be if SBOM created by a tool? #52

Closed
rnjudge opened this issue Jan 24, 2023 · 5 comments · Fixed by #56
Labels
bug Something isn't working P0 High priority

Comments

@rnjudge

rnjudge commented Jan 24, 2023

When I run this tool on an SPDX document created by Tern, I get a False status for SBOM author name provided field. My question is, what should this field be when a document is created by a tool? According to the spec, https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k22-mapping-ntia-minimum-elements-to-spdx-fields, Author maps to the Creator field. In this case, the creator is a tool and the SBOM includes this information:

Creator: Tool: tern-2dd359916884b250e8b66d94c175506e387df07e

What is the tool looking for?

@rnjudge
Author

rnjudge commented Jan 24, 2023

photon.spdx.txt

@rnjudge
Author

rnjudge commented Jan 24, 2023

I should also note that using the -v option does not specify additional information about the missing author (despite the other False status fields providing information about what's missing):

Is this SBOM NTIA minimum element conformant? False

Individual elements                            | Status
-------------------------------------------------------
All component names provided?                  | True
All component versions provided?               | False
All component identifiers provided?            | True
All component suppliers provided?              | False
SBOM author name provided?                     | False
SBOM creation timestamp provided?              | True
Dependency relationships provided?             | True

Components missing a version: 5e94941e3961b26645fbfdc71a59d439537b98417546bfdab35fa074f121eb15

Components missing an supplier: photon,5e94941e3961b26645fbfdc71a59d439537b98417546bfdab35fa074f121eb15,bash,bzip2-libs,ca-certificates,ca-certificates-pki,curl,curl-libs,e2fsprogs-libs,elfutils-libelf,expat,expat-libs,filesystem,glibc,krb5,libcap,libdb,libgcc,libmetalink,libsolv,libssh2,lua,ncurses-libs,nspr,nss-libs,openssl,photon-release,photon-repos,popt,readline,rpm-libs,sqlite-libs,tdnf,tdnf-cli-libs,toybox,xz-libs,zlib,zstd-libs

@jspeed-meyers
Collaborator

@rnjudge, thank you for investigating these bugs closely!

What is the tool looking for?

The tool CURRENTLY checks that the author is a person or organization.

def check_doc_author(self):
    """Check document author is person or organization."""
    # Walk the document's Creator entries and accept as soon as one of them
    # is a Person or Organization; a creator list containing only a Tool
    # falls through and fails the check.
    for i, _ in enumerate(self.doc.creation_info.creators):
        if isinstance(
            self.doc.creation_info.creators[i],
            (spdx.creationinfo.Person, spdx.creationinfo.Organization),
        ):
            return True
    return False

My question is, what should this field be when a document is created by a tool? According to the spec, https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k22-mapping-ntia-minimum-elements-to-spdx-fields, Author maps to the Creator field.

It seems that, IIUC, ntia-conformance-checker should actually check if there is any entry in the Creator field, including a tool.

I'll put in a PR to fix this.
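To make the difference between the current and the proposed behaviour concrete, here is an added, stand-alone example (not code from ntia-conformance-checker or spdx-tools): it parses the Creator: lines of an SPDX tag-value fragment and runs both versions of the author check over a Tern-style document (the Tool creator line is the one quoted in the issue; the other documents and field values are constructed for illustration).

```python
# Added example, not part of ntia-conformance-checker: the author check
# re-implemented over SPDX tag-value "Creator:" lines, with the current
# behaviour (Person/Organization only) next to the proposed behaviour
# (any Creator entry, including a Tool, counts as the SBOM author).
import re
from typing import List, Tuple

# Constructed SPDX 2.3 tag-value fragments. The Tool creator line below is
# the one from the Tern document discussed in this issue; everything else
# (dates, names, emails) is made up for the example.
TERN_DOC = """SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
Creator: Tool: tern-2dd359916884b250e8b66d94c175506e387df07e
Created: 2023-01-24T00:00:00Z
"""

HUMAN_DOC = """SPDXVersion: SPDX-2.3
Creator: Organization: Example Org ()
Creator: Person: Jane Doe (jane@example.com)
Created: 2023-01-24T00:00:00Z
"""

NO_CREATOR_DOC = "SPDXVersion: SPDX-2.3\nCreated: 2023-01-24T00:00:00Z\n"

# Creator values take the form "<Person|Organization|Tool>: <name>".
CREATOR_RE = re.compile(r"^Creator:\s*(Person|Organization|Tool):\s*(.+?)\s*$")


def parse_creators(tag_value: str) -> List[Tuple[str, str]]:
    """Return (creator_type, name) pairs for every Creator: line in the document."""
    creators = []
    for line in tag_value.splitlines():
        match = CREATOR_RE.match(line)
        if match:
            creators.append((match.group(1), match.group(2)))
    return creators


def check_doc_author_current(tag_value: str) -> bool:
    """Mirror of the check quoted above: only a Person or Organization passes."""
    return any(kind in ("Person", "Organization") for kind, _ in parse_creators(tag_value))


def check_doc_author_proposed(tag_value: str) -> bool:
    """Proposed check: any Creator entry, a Tool included, satisfies the NTIA author element."""
    return len(parse_creators(tag_value)) > 0


if __name__ == "__main__":
    for label, doc in (("tern", TERN_DOC), ("human", HUMAN_DOC), ("none", NO_CREATOR_DOC)):
        print(label, "current:", check_doc_author_current(doc), "proposed:", check_doc_author_proposed(doc))
```

A document with no Creator: line at all still fails under the proposed check, so relaxing the type test does not turn the element into a no-op.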

@jspeed-meyers
Collaborator

I should also note that using the -v option does not specify additional information about missing author (despite the other False status fields providing information about whats missing):

That's a good point. There should be extra info here. I'll open a separate issue for that.

@rnjudge
Author

rnjudge commented Jan 26, 2023

Thanks for such a quick fix/response @jspeed-meyers!
