Vendor/Supplier mapping for Component/Release/Packages

[arunazhakesan]

The current implementation of vendor/supplier field in SW360 needs to be reconsidered. In the current model its is possibile for the user to create releases from different vendors/suppliers under the same component. This results in the component having multiple vendor/supplier listed at component level. This is not a right approach as this would create confusion among users and technical challenges while implementing automated SBOM import.

Proposal

The vendor /supplier should be unique to each component, even if the names are same. And the vendor /supplier information should be inherited by releases &packages from the top level component. This is very important since the vendor /supplier is usually part of the imported SBOM.

Lets discuss further on this and proceed with the feature.

[afsahsyeda]

@arunazhakesan What can we do in cases where the same package is used by 2 components with the same name, but different vendor/supplier as in case of forked repos? The current SW360 Package portlet does not allow for a package to have more than one source/VCS.