refactor: better handling of authors, manufacturers, groups etc + workaround for tag removal below spec v1.5

wiebe-vandendriessche · wiebe-vandendriessche · commit cbeb185eb96c · 2026-01-20T16:35:45.000+01:00
diff --git a/internal/io/io.go b/internal/io/io.go
@@ -106,9 +106,58 @@ func WriteBOM(bom *cdx.BOM, outputPath string, format string, spec string) error
 	if !ok {
 		return fmt.Errorf("unsupported CycloneDX spec version: %q", spec)
 	}
+
+	// WORKAROUND: Manually strip tags for spec < 1.6
+	// Tags were introduced in spec 1.6, but cyclonedx-go doesn't remove them
+	// when encoding to earlier versions (unlike manufacturer, authors, etc.)
+	// See: https://github.com/CycloneDX/cyclonedx-go/issues/248
+	// TODO: Remove this workaround once issue #248 is fixed
+	if sv < cdx.SpecVersion1_6 {
+		stripTagsFromBOM(bom)
+	}
+
 	return encoder.EncodeVersion(bom, sv)
 }
 
+// stripTagsFromBOM removes tags from all components in the BOM.
+// WORKAROUND for cyclonedx-go issue #248: Tags are not automatically removed
+// when encoding to spec versions < 1.6, even though tags were introduced in 1.6.
+// This function manually strips tags to ensure spec compliance.
+// TODO: Remove this workaround once https://github.com/CycloneDX/cyclonedx-go/issues/248 is fixed
+func stripTagsFromBOM(bom *cdx.BOM) {
+	if bom == nil {
+		return
+	}
+
+	// Strip tags from metadata component
+	if bom.Metadata != nil && bom.Metadata.Component != nil {
+		stripTagsFromComponent(bom.Metadata.Component)
+	}
+
+	// Strip tags from all components
+	if bom.Components != nil {
+		for i := range *bom.Components {
+			stripTagsFromComponent(&(*bom.Components)[i])
+		}
+	}
+}
+
+// stripTagsFromComponent recursively removes tags from a component and its children.
+func stripTagsFromComponent(comp *cdx.Component) {
+	if comp == nil {
+		return
+	}
+
+	comp.Tags = nil
+
+	// Recursively process child components
+	if comp.Components != nil {
+		for i := range *comp.Components {
+			stripTagsFromComponent(&(*comp.Components)[i])
+		}
+	}
+}
+
 // ParseSpecVersion parses a spec version string to a CycloneDX SpecVersion.
 func ParseSpecVersion(s string) (cdx.SpecVersion, bool) {
 	s = strings.TrimSpace(s)
diff --git a/internal/metadata/core.go b/internal/metadata/core.go
@@ -59,16 +59,16 @@ const (
 	DatasetLicenses           DatasetKey = "BOM.components[DATA].licenses"
 	DatasetDescription        DatasetKey = "BOM.components[DATA].data.description"
 	DatasetManufacturer       DatasetKey = "BOM.components[DATA].manufacturer"
-	DatasetAuthor             DatasetKey = "BOM.components[DATA].author"
+	DatasetAuthors            DatasetKey = "BOM.components[DATA].authors"
 	DatasetGroup              DatasetKey = "BOM.components[DATA].group"
 	DatasetContents           DatasetKey = "BOM.components[DATA].data.contents.attachments"
 	DatasetSensitiveData      DatasetKey = "BOM.components[DATA].data.sensitiveData"
 	DatasetClassification     DatasetKey = "BOM.components[DATA].data.classification"
 	DatasetGovernance         DatasetKey = "BOM.components[DATA].data.governance"
 	DatasetHashes             DatasetKey = "BOM.components[DATA].hashes"
-	DatasetContact            DatasetKey = "BOM.components[DATA].properties.contact"
-	DatasetCreatedAt          DatasetKey = "BOM.components[DATA].properties.createdAt"
-	DatasetUsedStorage        DatasetKey = "BOM.components[DATA].properties.usedStorage"
+	DatasetContact            DatasetKey = "BOM.components[DATA].properties.huggingface:datasetContact"
+	DatasetCreatedAt          DatasetKey = "BOM.components[DATA].properties.huggingface:createdAt"
+	DatasetUsedStorage        DatasetKey = "BOM.components[DATA].properties.huggingface:usedStorage"
 	DatasetLastModified       DatasetKey = "BOM.components[DATA].tags.lastModified"
 )
 
diff --git a/internal/metadata/fields_component.go b/internal/metadata/fields_component.go
@@ -372,6 +372,25 @@ func componentFields() []FieldSpec {
 			Weight:   0.25,
 			Required: false,
 			Sources: []func(Source) (any, bool){
+				func(src Source) (any, bool) {
+					// Extract group from ModelID (part before /)
+					var modelID string
+					if src.HF != nil && strings.TrimSpace(src.HF.ModelID) != "" {
+						modelID = strings.TrimSpace(src.HF.ModelID)
+					} else if src.HF != nil && strings.TrimSpace(src.HF.ID) != "" {
+						modelID = strings.TrimSpace(src.HF.ID)
+					} else {
+						modelID = strings.TrimSpace(src.ModelID)
+					}
+					if modelID == "" {
+						return nil, false
+					}
+					parts := strings.SplitN(modelID, "/", 2)
+					if len(parts) > 0 && strings.TrimSpace(parts[0]) != "" {
+						return strings.TrimSpace(parts[0]), true
+					}
+					return nil, false
+				},
 				func(src Source) (any, bool) {
 					if src.HF != nil {
 						if s := strings.TrimSpace(src.HF.Author); s != "" {
diff --git a/internal/metadata/fields_dataset.go b/internal/metadata/fields_dataset.go
@@ -297,13 +297,17 @@ func DatasetRegistry() []DatasetFieldSpec {
 			Required: false,
 			Sources: []func(DatasetSource) (any, bool){
 				func(src DatasetSource) (any, bool) {
-					if src.Readme == nil {
-						return nil, false
+					// First try API author (authors[0])
+					if src.HF != nil && strings.TrimSpace(src.HF.Author) != "" {
+						return strings.TrimSpace(src.HF.Author), true
 					}
-					if len(src.Readme.AnnotationCreators) == 0 {
-						return nil, false
+					// Fallback to first AnnotationCreator from README (authors[1])
+					if src.Readme != nil && len(src.Readme.AnnotationCreators) > 0 {
+						if trimmed := strings.TrimSpace(src.Readme.AnnotationCreators[0]); trimmed != "" {
+							return trimmed, true
+						}
 					}
-					return strings.TrimSpace(src.Readme.AnnotationCreators[0]), true
+					return nil, false
 				},
 			},
 			Parse: func(value string) (any, error) {
@@ -332,19 +336,98 @@ func DatasetRegistry() []DatasetFieldSpec {
 				return comp != nil && comp.Manufacturer != nil && strings.TrimSpace(comp.Manufacturer.Name) != ""
 			},
 		},
+		{
+			Key:      DatasetAuthors,
+			Weight:   0.6,
+			Required: false,
+			Sources: []func(DatasetSource) (any, bool){
+				func(src DatasetSource) (any, bool) {
+					var allAuthors []string
+
+					// First, add API author if available
+					if src.HF != nil && strings.TrimSpace(src.HF.Author) != "" {
+						allAuthors = append(allAuthors, strings.TrimSpace(src.HF.Author))
+					}
+
+					// Then, add annotation creators from README
+					if src.Readme != nil && len(src.Readme.AnnotationCreators) > 0 {
+						for _, creator := range src.Readme.AnnotationCreators {
+							if trimmed := strings.TrimSpace(creator); trimmed != "" {
+								allAuthors = append(allAuthors, trimmed)
+							}
+						}
+					}
+
+					if len(allAuthors) == 0 {
+						return nil, false
+					}
+					return allAuthors, true
+				},
+			},
+			Parse: func(value string) (any, error) {
+				parts := strings.Split(value, ",")
+				authors := normalizeStrings(parts)
+				return authors, nil
+			},
+			Apply: func(tgt DatasetTarget, value any) error {
+				input, ok := value.(applyInput)
+				if !ok {
+					return fmt.Errorf("invalid input for %s", DatasetAuthors)
+				}
+				if tgt.Component == nil {
+					return fmt.Errorf("component is nil")
+				}
+				var authors []cdx.OrganizationalContact
+				switch v := input.Value.(type) {
+				case []string:
+					for _, authorName := range v {
+						if trimmed := strings.TrimSpace(authorName); trimmed != "" {
+							authors = append(authors, cdx.OrganizationalContact{
+								Name: trimmed,
+							})
+						}
+					}
+				case string:
+					if trimmed := strings.TrimSpace(v); trimmed != "" {
+						authors = append(authors, cdx.OrganizationalContact{
+							Name: trimmed,
+						})
+					}
+				}
+				if len(authors) == 0 {
+					return fmt.Errorf("authors value is empty")
+				}
+				if !input.Force && tgt.Component.Authors != nil && len(*tgt.Component.Authors) > 0 {
+					return nil
+				}
+				tgt.Component.Authors = &authors
+				return nil
+			},
+			Present: func(comp *cdx.Component) bool {
+				return comp != nil && comp.Authors != nil && len(*comp.Authors) > 0
+			},
+		},
 		{
 			Key:      DatasetGroup,
 			Weight:   0.4,
 			Required: false,
 			Sources: []func(DatasetSource) (any, bool){
 				func(src DatasetSource) (any, bool) {
-					if src.Readme == nil {
-						return nil, false
+					// Extract group from DatasetID (part before /)
+					var datasetID string
+					if src.HF != nil && strings.TrimSpace(src.HF.ID) != "" {
+						datasetID = strings.TrimSpace(src.HF.ID)
+					} else {
+						datasetID = strings.TrimSpace(src.DatasetID)
 					}
-					if len(src.Readme.AnnotationCreators) < 2 {
+					if datasetID == "" {
 						return nil, false
 					}
-					return strings.TrimSpace(src.Readme.AnnotationCreators[1]), true
+					parts := strings.SplitN(datasetID, "/", 2)
+					if len(parts) > 0 && strings.TrimSpace(parts[0]) != "" {
+						return strings.TrimSpace(parts[0]), true
+					}
+					return nil, false
 				},
 			},
 			Parse: func(value string) (any, error) {
@@ -669,11 +752,11 @@ func DatasetRegistry() []DatasetFieldSpec {
 					return fmt.Errorf("component is nil")
 				}
 				createdAt, _ := input.Value.(string)
-				setProperty(tgt.Component, "createdAt", strings.TrimSpace(createdAt))
+				setProperty(tgt.Component, "huggingface:createdAt", strings.TrimSpace(createdAt))
 				return nil
 			},
 			Present: func(comp *cdx.Component) bool {
-				return hasProperty(comp, "createdAt")
+				return hasProperty(comp, "huggingface:createdAt")
 			},
 		},
 		{
@@ -700,11 +783,11 @@ func DatasetRegistry() []DatasetFieldSpec {
 					return fmt.Errorf("component is nil")
 				}
 				usedStorage, _ := input.Value.(string)
-				setProperty(tgt.Component, "usedStorage", strings.TrimSpace(usedStorage))
+				setProperty(tgt.Component, "huggingface:usedStorage", strings.TrimSpace(usedStorage))
 				return nil
 			},
 			Present: func(comp *cdx.Component) bool {
-				return hasProperty(comp, "usedStorage")
+				return hasProperty(comp, "huggingface:usedStorage")
 			},
 		},
 		{
@@ -793,11 +876,11 @@ func DatasetRegistry() []DatasetFieldSpec {
 				if tgt.Component == nil {
 					return fmt.Errorf("component is nil")
 				}
-				setProperty(tgt.Component, "contact", contact)
+				setProperty(tgt.Component, "huggingface:datasetContact", contact)
 				return nil
 			},
 			Present: func(comp *cdx.Component) bool {
-				return hasProperty(comp, "contact")
+				return hasProperty(comp, "huggingface:datasetContact")
 			},
 		},
 	}
diff --git a/internal/metadata/fieldspecs_test.go b/internal/metadata/fieldspecs_test.go
@@ -34,8 +34,8 @@ func TestRegistryApplyAndPresent(t *testing.T) {
 			Evidence: "pattern",
 		},
 		HF: &fetcher.ModelAPIResponse{
-			ID:          "hf-id",
-			ModelID:     "hf-model",
+			ID:          "hf-org/hf-model",
+			ModelID:     "hf-org/hf-model",
 			Author:      "hf-author",
 			PipelineTag: "classification",
 			LibraryName: "transformers",
@@ -107,8 +107,9 @@ func TestRegistryApplyAndPresent(t *testing.T) {
 	if comp.Manufacturer == nil || comp.Manufacturer.Name != "hf-author" {
 		t.Fatalf("manufacturer mismatch")
 	}
-	if comp.Group != "hf-author" {
-		t.Fatalf("group mismatch")
+	// Group is now extracted from ModelID (first part before /)
+	if comp.Group != "hf-org" {
+		t.Fatalf("group mismatch: expected 'hf-org', got %q", comp.Group)
 	}
 	if comp.Properties == nil || !hasProperty(comp, "huggingface:lastModified") {
 		t.Fatalf("expected huggingface properties")
