sbom
Implement `component.publisher`
Definition: The organization that published/released the package.
Proposed logic:

```elixir
# Map the purl type of the component to the publishing organisation.
defp determine_publisher(component) do
  case component.package_url.type do
    "hex" -> "Hex.pm"
    "github" -> "GitHub"
    "otp" -> "Erlang/OTP"
    _ -> nil
  end
end
```
Question: ❓ Should we use the package type as publisher, or should we infer from repository URL for private Hex repos?
Alternative approach:

```elixir
# For private Hex repos: look at the purl `repository_url` qualifier instead of the type.
case component.package_url.qualifiers["repository_url"] do
  "https://repo.hex.pm" -> "Hex.pm"
  "https://hex.mycompany.com" -> "MyCompany Private Hex"
  _ -> "Hex.pm"
end
```
Question: ❓ Should we query the Hex API to get the release publisher?
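To make the two proposals concrete, here is an added, self-contained example (not code from the `sbom` project or from this issue) that parses a purl string and derives the publisher from both the type and the `repository_url` qualifier. The module name `SbomExample.Publisher`, the parsed-purl map shape and the `@known_hex_repos` table are assumptions. It deliberately differs from the alternative above in one respect: a Hex package whose `repository_url` is not a known host yields `nil` instead of defaulting to `"Hex.pm"`, so a package pulled from a private mirror is never recorded in the SBOM as published by Hex.pm.

```elixir
# Added example (not from the issue): derive `component.publisher` from a
# package-url string. Module name, map shape and the repo table are assumptions.
defmodule SbomExample.Publisher do
  @moduledoc """
  Derives a CycloneDX `publisher` value from a package URL (purl).
  Unknown sources yield `nil` rather than a guessed name, so a private
  mirror is never attributed to Hex.pm by mistake.
  """

  # Assumed mapping of known public Hex repository URLs to publisher names.
  @known_hex_repos %{
    "https://repo.hex.pm" => "Hex.pm"
  }

  @doc "Parses a purl string into its type, name, version and qualifiers."
  def parse_purl("pkg:" <> rest) do
    {path, qualifiers} =
      case String.split(rest, "?", parts: 2) do
        [path, query] -> {path, URI.decode_query(query)}
        [path] -> {path, %{}}
      end

    # `type` is everything before the first "/"; the remainder may contain a
    # namespace (e.g. "elixir-lang/elixir"), so only split once.
    [type | name_and_version] = String.split(path, "/", parts: 2)
    name_version = Enum.join(name_and_version, "/")

    {name, version} =
      case String.split(name_version, "@", parts: 2) do
        [name, version] -> {name, version}
        [name] -> {name, nil}
      end

    %{type: type, name: name, version: version, qualifiers: qualifiers}
  end

  @doc "Returns the publisher for a parsed purl, or nil when it cannot be established."
  def determine_publisher(%{type: "hex", qualifiers: qualifiers}) do
    # A Hex package without a repository_url qualifier comes from the default
    # public repository; any other host must be explicitly known, else nil.
    case Map.get(qualifiers, "repository_url") do
      nil -> "Hex.pm"
      url -> Map.get(@known_hex_repos, String.trim_trailing(url, "/"))
    end
  end

  def determine_publisher(%{type: "github"}), do: "GitHub"
  def determine_publisher(%{type: "otp"}), do: "Erlang/OTP"
  def determine_publisher(_), do: nil
end

# Constructed sample purls (not real dependency data); run with `elixir file.exs`.
for purl <- [
      "pkg:hex/jason@1.4.0",
      "pkg:hex/jason@1.4.0?repository_url=https://repo.hex.pm",
      "pkg:hex/internal_lib@0.1.0?repository_url=https://hex.example.com",
      "pkg:github/elixir-lang/elixir@v1.15.0",
      "pkg:otp/crypto@5.2",
      "pkg:npm/left-pad@1.3.0"
    ] do
  parsed = SbomExample.Publisher.parse_purl(purl)
  IO.puts("#{purl} -> #{inspect(SbomExample.Publisher.determine_publisher(parsed))}")
end
```

With these inputs the first two lines resolve to `"Hex.pm"`, the private-mirror purl and the npm purl resolve to `nil`, and the GitHub and OTP purls resolve to `"GitHub"` and `"Erlang/OTP"`. Leaving the field empty for an unrecognised host keeps the provenance claim honest; if the Hex API route from the second question is adopted later, its result can simply replace the `nil` branch.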