From 96c2c492cb860871368c819a89d08d7df0504528 Mon Sep 17 00:00:00 2001
From: Michael Schroeder
Date: Thu, 19 Sep 2024 15:14:26 +0200
Subject: [PATCH] generate_sbom: do not clobber spdx supplier
Broken by accident in commit 2e7e791d1e4cd964ecd9c0f226f7f6a733ca2cf2
---
 generate_sbom | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/generate_sbom b/generate_sbom
index 46c629d1..384502cf 100755
--- a/generate_sbom
+++ b/generate_sbom
@@ -672,18 +672,27 @@ sub gen_pkg_id {
 # CycloneDX support
 #
+my $cyclonedx_json_template_supplier = {
+ '_order' => [ qw{bom-ref name address url contact} ],
+ 'contact' => { '_order' => [ qw{name email} ] },
+};
+
 my $cyclonedx_json_template_component = {
- '_order' => [ qw{bom-ref type name version description cpe purl externalReferences properties } ],
+ '_order' => [ qw{bom-ref type supplier manufacturer authors name version description cpe purl externalReferences properties } ],
 'externalReferences' => { '_order' => [ qw{url comment type} ] },
+ 'supplier' => $cyclonedx_json_template_supplier,
+ 'manufacturer' => $cyclonedx_json_template_supplier,
 };
 my $cyclonedx_json_template = {
 '_order' => [ qw{bomFormat specVersion serialNumber version metadata components services externalReferences dependencies compositions vulnerabilities signature} ],
 'version' => 'number',
 'metadata' => {
- '_order' => [ qw{timestamp tools component} ],
+ '_order' => [ qw{timestamp tools manufacturer authors component supplier} ],
 'tools' => { '_order' => [ qw{vendor name version } ] }.
 'component' => $cyclonedx_json_template_component,
+ 'supplier' => $cyclonedx_json_template_supplier,
+ 'manufacturer' => $cyclonedx_json_template_supplier,
 },
 'components' => $cyclonedx_json_template_component,
 'dependencies' => { '_order' => [ qw{ref dependsOn} ] }
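Review bot: The `'metadata'` entries this hunk adds (`'supplier'`, `'manufacturer'`) and the existing `'component'` entry never become hash keys, because the context line just before them, `'tools' => { '_order' => [ qw{vendor name version } ] }.`, ends in `.` (string concatenation) rather than `,` — the `tools` hashref is concatenated with the string `'component'`, every following list element shifts by one position, and Perl reports it as "Odd number of elements in anonymous hash" when warnings are enabled. Unless that `.` is an artifact of how this page was extracted, the one-character fix is `'tools' => { '_order' => [ qw{vendor name version } ] },`, after which the new supplier/manufacturer ordering templates presumably also take effect at metadata level and not only inside components. The `$cyclonedx_json_template` definition continues past the end of the hunk, so any other keys it declares are not visible here.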
@@ -818,11 +827,11 @@ sub spdx_encode_pkg {
 'name' => $p->{'NAME'},
 'versionInfo' => $evr,
 };
+ $spdx->{'supplier'} = 'NOASSERTION';
 if ($p->{'VENDOR'}) {
 $spdx->{'originator'} = "Organization: $p->{'VENDOR'}";
 $spdx->{'supplier'} = $spdx->{'originator'}; # same as originator OBS-247
 }
- $spdx->{'supplier'} = 'NOASSERTION';
 $spdx->{'downloadLocation'} = 'NOASSERTION';
 if ($pkgtype eq 'deb') {
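Review bot: Setting the default as a separate statement after the constructor is the pattern that let the original regression happen — an assignment placed after the `if` clobbered the vendor-derived value — and the moved line is still order-sensitive in the same way. Initialising the field in the hash constructor makes the intent visible and removes that fragility: keep `'versionInfo' => $evr,` and add `'supplier' => 'NOASSERTION',` right after it, then drop the added `$spdx->{'supplier'} = 'NOASSERTION';` line and leave the `if ($p->{'VENDOR'})` override as it is. A short comment on the override, e.g. `# SPDX requires a supplier; NOASSERTION unless the package carries a VENDOR tag`, would also record why the default exists so the next refactor does not reorder it again. The `$spdx` constructor begins before this hunk and `spdx_encode_pkg` continues after it.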