No Author information in SBOM

[CameronGo]

The SBOM generated does not add Author information which is one of the required baseline attributes described in the NTIA guidelines. I've seen other SBOM tools handle this by accepting a command line parameter to describe the Author organization which is then included in the resulting SBOM.

Is there some way of doing the same using cyclonedx-gomod?

[nscuro]

Not as of now, but we can easily add this capability. Is there any preferred way of providing this information, considering that potentially multiple authors would need to be added?

[CameronGo]

For our use case, we are only really interested in specifying the Organization. In the Microsoft SBOM tool, which outputs SPDX, they use -ps to specify the , which then adds the following block to the SPDX SBOM:

    "creators": [
      "Organization: <org name>",
      "Tool: Microsoft.SBOMTool-1.1.7"
    ]

Something similar would be acceptable here IMO to capture at least that much, which I think is what most authors will need to provide.