Skip to content

feat(spdx): extract creator tool and organization from SPDX 2.2 SBOMs #1783

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
grvillic merged 3 commits into from
Apr 17, 2026
Merged

feat(spdx): extract creator tool and organization from SPDX 2.2 SBOMs #1783

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b1f94aa
feat(spdx): extract creator tool and organization from SPDX 2.2 SBOMs
alisonlomaka Apr 14, 2026
cf11534
fix: address PR review feedback for SPDX creator extraction
alisonlomaka Apr 16, 2026
93a2320
Merge branch 'main' into alisonlomaka/spdx-tool-org
alisonlomaka Apr 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions docs/detectors/spdx.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ The detector:
- Document name
- SPDX version
- Root element ID from `documentDescribes` (defaults to `SPDXRef-Document` if not specified)
- Creator tool from `creationInfo.creators` (e.g., `Tool: microsoft/sbom-tool-2.2.0`)
- Creator organization from `creationInfo.creators` (e.g., `Organization: Microsoft`)
- Creates an `SpdxComponent` to represent the SPDX document

The detector does not parse or register individual packages listed within the SPDX document; it only registers the SPDX document itself as a component.
Expand Down
10 changes: 10 additions & 0 deletions src/Microsoft.ComponentDetection.Contracts/TypedComponent/SpdxComponent.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,5 +42,15 @@ public SpdxComponent(string spdxVersion, Uri documentNamespace, string name, str
[JsonPropertyName("path")]
public string Path { get; set; }

#nullable enable
[JsonPropertyName("creatorTool")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? CreatorTool { get; set; }

[JsonPropertyName("creatorOrganization")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? CreatorOrganization { get; set; }
#nullable disable

protected override string ComputeBaseId() => $"{this.Name}-{this.SpdxVersion}-{this.Checksum}";
}
36 changes: 36 additions & 0 deletions src/Microsoft.ComponentDetection.Detectors/spdx/Spdx22ComponentDetector.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,42 @@ private SpdxComponent ConvertJsonElementToSbomComponent(ProcessRequest processRe
var path = processRequest.ComponentStream.Location;
var component = new SpdxComponent(spdxVersion, new Uri(sbomNamespace), name, fileHash, rootElementId, path);

if (document.TryGetProperty("creationInfo", out var creationInfoElement)
&& creationInfoElement.TryGetProperty("creators", out var creatorsElement)
&& creatorsElement.ValueKind == JsonValueKind.Array)
{
foreach (var creator in creatorsElement.EnumerateArray())
{
if (creator.ValueKind != JsonValueKind.String)
{
continue;
}
Comment thread
grvillic marked this conversation as resolved.

var creatorString = creator.GetString();
if (creatorString == null)
{
continue;
Comment thread
alisonlomaka marked this conversation as resolved.
}

if (component.CreatorTool == null && creatorString.StartsWith("Tool: ", StringComparison.Ordinal))
{
var tool = creatorString["Tool: ".Length..].Trim();
if (!string.IsNullOrWhiteSpace(tool))
{
component.CreatorTool = tool;
}
}
else if (component.CreatorOrganization == null && creatorString.StartsWith("Organization: ", StringComparison.Ordinal))
{
var org = creatorString["Organization: ".Length..].Trim();
if (!string.IsNullOrWhiteSpace(org))
{
component.CreatorOrganization = org;
}
}
Comment thread
alisonlomaka marked this conversation as resolved.
}
}

return component;
}

Expand Down
212 changes: 212 additions & 0 deletions test/Microsoft.ComponentDetection.Detectors.Tests/SPDX22ComponentDetectorTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,9 @@ public async Task TestSbomDetector_SimpleSbomAsync()
sbomComponent.SpdxVersion.Should().Be("SPDX-2.2");
sbomComponent.Checksum.Should().Be(checksum);
sbomComponent.Path.Should().Be(Path.Combine(Path.GetTempPath(), spdxFileName));

sbomComponent.CreatorTool.Should().Be("Microsoft.SBOMTool-1.0.0");
sbomComponent.CreatorOrganization.Should().Be("Microsoft");
}

[TestMethod]
Expand Down Expand Up @@ -160,4 +163,213 @@ public async Task TestSbomDetector_InvalidFileAsync()
var components = detectedComponents.ToList();
components.Should().BeEmpty();
}

[TestMethod]
public async Task TestSbomDetector_ExtractsCreatorToolAndOrganizationAsync()
{
var spdxFile = /*lang=json,strict*/ @"{
""spdxVersion"": ""SPDX-2.2"",
""SPDXID"": ""SPDXRef-DOCUMENT"",
""name"": ""TestDoc"",
""documentNamespace"": ""https://sbom.microsoft/test/1.0.0/abc"",
""creationInfo"": {
""created"": ""2024-01-01T00:00:00Z"",
""creators"": [
""Tool: microsoft/sbom-tool-2.2.0"",
""Organization: Microsoft""
]
},
""documentDescribes"": [""SPDXRef-RootPackage""],
""packages"": [],
""relationships"": []
}";

var (scanResult, componentRecorder) = await this.detectorTestUtility
.WithFile("manifest.spdx.json", spdxFile)
.ExecuteDetectorAsync();

scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);

var sbomComponent = (SpdxComponent)componentRecorder.GetDetectedComponents().Single().Component;
sbomComponent.CreatorTool.Should().Be("microsoft/sbom-tool-2.2.0");
sbomComponent.CreatorOrganization.Should().Be("Microsoft");
}

[TestMethod]
public async Task TestSbomDetector_MissingCreationInfoReturnsNullAsync()
{
var spdxFile = /*lang=json,strict*/ @"{
""spdxVersion"": ""SPDX-2.2"",
""SPDXID"": ""SPDXRef-DOCUMENT"",
""name"": ""TestDoc"",
""documentNamespace"": ""https://sbom.microsoft/test/1.0.0/abc"",
""documentDescribes"": [""SPDXRef-RootPackage""],
""packages"": [],
""relationships"": []
}";

var (scanResult, componentRecorder) = await this.detectorTestUtility
.WithFile("manifest.spdx.json", spdxFile)
.ExecuteDetectorAsync();

scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);

var sbomComponent = (SpdxComponent)componentRecorder.GetDetectedComponents().Single().Component;
sbomComponent.CreatorTool.Should().BeNull();
sbomComponent.CreatorOrganization.Should().BeNull();
}

[TestMethod]
Comment thread
alisonlomaka marked this conversation as resolved.
public async Task TestSbomDetector_WhitespaceOnlyCreatorsReturnNullAsync()
{
var spdxFile = /*lang=json,strict*/ @"{
""spdxVersion"": ""SPDX-2.2"",
""SPDXID"": ""SPDXRef-DOCUMENT"",
""name"": ""TestDoc"",
""documentNamespace"": ""https://sbom.microsoft/test/1.0.0/abc"",
""creationInfo"": {
""created"": ""2024-01-01T00:00:00Z"",
""creators"": [
""Tool: "",
""Organization: ""
]
},
""documentDescribes"": [""SPDXRef-RootPackage""],
""packages"": [],
""relationships"": []
}";

var (scanResult, componentRecorder) = await this.detectorTestUtility
.WithFile("manifest.spdx.json", spdxFile)
.ExecuteDetectorAsync();

scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);

var sbomComponent = (SpdxComponent)componentRecorder.GetDetectedComponents().Single().Component;
sbomComponent.CreatorTool.Should().BeNull();
sbomComponent.CreatorOrganization.Should().BeNull();
}

[TestMethod]
public async Task TestSbomDetector_MultipleCreatorsPicksFirstToolAndOrgAsync()
{
var spdxFile = /*lang=json,strict*/ @"{
""spdxVersion"": ""SPDX-2.2"",
""SPDXID"": ""SPDXRef-DOCUMENT"",
""name"": ""TestDoc"",
""documentNamespace"": ""https://sbom.microsoft/test/1.0.0/abc"",
""creationInfo"": {
""created"": ""2024-01-01T00:00:00Z"",
""creators"": [
""Tool: first-tool-1.0"",
""Tool: second-tool-2.0"",
""Organization: FirstOrg"",
""Organization: SecondOrg""
]
},
""documentDescribes"": [""SPDXRef-RootPackage""],
""packages"": [],
""relationships"": []
}";

var (scanResult, componentRecorder) = await this.detectorTestUtility
.WithFile("manifest.spdx.json", spdxFile)
.ExecuteDetectorAsync();

scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);

var sbomComponent = (SpdxComponent)componentRecorder.GetDetectedComponents().Single().Component;
sbomComponent.CreatorTool.Should().Be("first-tool-1.0");
sbomComponent.CreatorOrganization.Should().Be("FirstOrg");
}

[TestMethod]
public async Task TestSbomDetector_OnlyToolNoOrganizationAsync()
{
var spdxFile = /*lang=json,strict*/ @"{
""spdxVersion"": ""SPDX-2.2"",
""SPDXID"": ""SPDXRef-DOCUMENT"",
""name"": ""TestDoc"",
""documentNamespace"": ""https://sbom.microsoft/test/1.0.0/abc"",
""creationInfo"": {
""created"": ""2024-01-01T00:00:00Z"",
""creators"": [
""Tool: my-tool-3.0""
]
},
""documentDescribes"": [""SPDXRef-RootPackage""],
""packages"": [],
""relationships"": []
}";

var (scanResult, componentRecorder) = await this.detectorTestUtility
.WithFile("manifest.spdx.json", spdxFile)
.ExecuteDetectorAsync();

scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);

var sbomComponent = (SpdxComponent)componentRecorder.GetDetectedComponents().Single().Component;
sbomComponent.CreatorTool.Should().Be("my-tool-3.0");
sbomComponent.CreatorOrganization.Should().BeNull();
}

[TestMethod]
public async Task TestSbomDetector_OnlyOrganizationNoToolAsync()
{
var spdxFile = /*lang=json,strict*/ @"{
""spdxVersion"": ""SPDX-2.2"",
""SPDXID"": ""SPDXRef-DOCUMENT"",
""name"": ""TestDoc"",
""documentNamespace"": ""https://sbom.microsoft/test/1.0.0/abc"",
""creationInfo"": {
""created"": ""2024-01-01T00:00:00Z"",
""creators"": [
""Organization: Contoso""
]
},
""documentDescribes"": [""SPDXRef-RootPackage""],
""packages"": [],
""relationships"": []
}";

var (scanResult, componentRecorder) = await this.detectorTestUtility
.WithFile("manifest.spdx.json", spdxFile)
.ExecuteDetectorAsync();

scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);

var sbomComponent = (SpdxComponent)componentRecorder.GetDetectedComponents().Single().Component;
sbomComponent.CreatorTool.Should().BeNull();
sbomComponent.CreatorOrganization.Should().Be("Contoso");
}

[TestMethod]
public async Task TestSbomDetector_CreatorsWithNoToolOrOrgPrefixAsync()
{
var spdxFile = /*lang=json,strict*/ @"{
""spdxVersion"": ""SPDX-2.2"",
""SPDXID"": ""SPDXRef-DOCUMENT"",
""name"": ""TestDoc"",
""documentNamespace"": ""https://sbom.microsoft/test/1.0.0/abc"",
""creationInfo"": {
""created"": ""2024-01-01T00:00:00Z"",
""creators"": [
""Person: John Doe (john@example.com)""
]
},
""documentDescribes"": [""SPDXRef-RootPackage""],
""packages"": [],
""relationships"": []
}";

var (scanResult, componentRecorder) = await this.detectorTestUtility
.WithFile("manifest.spdx.json", spdxFile)
.ExecuteDetectorAsync();

scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);

var sbomComponent = (SpdxComponent)componentRecorder.GetDetectedComponents().Single().Component;
sbomComponent.CreatorTool.Should().BeNull();
sbomComponent.CreatorOrganization.Should().BeNull();
}
}
Loading