Suppliers
Reference documentation for supplier data in SBOM Observer, including SBOM-sourced fields and user annotations.
Suppliers represent the organizations or individuals that supply, manufacture, or sell software components. Supplier information comes from SBOMs and can be enriched with annotations.
Supplier fields
Index fields (from SBOMs)
| Field | Type | Description |
|---|---|---|
| id | string | Unique identifier for the supplier |
| name | string | Supplier name from the SBOM |
| type | ORGANIZATION \| PERSON | Type of supplier |
| address | address | Postal address (see below) |
| url | string[] | Array of URLs associated with the supplier |
| contact | contact[] | Contact information (see below) |
Annotation fields (user editable)
| Field | Type | Description |
|---|---|---|
| displayName | string | Custom name to display instead of the SBOM name |
| contact | contact | Primary contact information |
| address | address | Organizational postal address |
| lei | string | Legal Entity Identifier |
| vat | string | VAT number |
| eori | string | Economic Operators Registration and Identification number |
| euid | string | European Unique Identifier |
| brn | string | Business Registration Number |
| internalId | string | Your internal supplier ID or code |
| cpeVendor | string | CPE vendor name used for matching vulnerabilities |
| duns | string | Dun & Bradstreet D-U-N-S Number |
| uei | string | Unique Entity Identifier (SAM.gov) |
| cage | string | Commercial and Government Entity Code |
| gln | string | Global Location Number |
| iso6523 | string | ISO 6523 International Code Designator |
| notes | string | Free-form notes about the supplier |
| tags | string[] | Categorization tags |
| properties | object | Key-value properties, including custom fields |
Contact information
| Field | Type | Description |
|---|---|---|
| name | string | Contact person name |
| email | string | Email address |
| phone | string | Phone number |
Postal address
| Field | Type | Description |
|---|---|---|
| country | string | Country name or code |
| region | string | State, province, or region |
| locality | string | City or locality |
| postalCode | string | Postal or ZIP code |
| streetAddress | string | Street address |
| postOfficeBoxNumber | string | PO Box number |
Supplier Annotations
Suppliers in the index can be annotated (enriched with custom data) either manually from the UI or via automations.
When you edit a supplier in SBOM Observer:
Display names and other annotations are particularly useful for standardizing how suppliers appear across your organization, even when different SBOMs use slightly different naming conventions.
Using supplier data in policies
Supplier information is available in policy rules via the component.supplier and component.manufacturer fields. You can write policies that:
- Flag components from unknown or unverified suppliers
- Enforce licensing requirements based on supplier type
- Ensure supplier metadata completeness
Example policy check:

```javascript
// Require supplier information for all components
if (!input.component.supplier) {
  return { message: "Component must have supplier information", severity: 7 };
}

// Check for specific supplier annotations
if (!input.component.supplier.annotation?.internalId) {
  return { message: "Supplier has not been assigned an internal ID", severity: 3 };
}
```
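The following is an added example, not SBOM Observer's own code, that runs the supplier checks described above over a constructed component record and also resolves the display name from the annotation. Field names follow the tables on this page; the input shape (input.component.supplier with a nested .annotation object) and the finding severities are assumptions taken from the policy snippet.

```javascript
// Added example (not SBOM Observer's own code). Field names follow this page's
// tables; the input shape (input.component.supplier with a nested .annotation
// object) is assumed from the policy snippet above.
const SUPPLIER_TYPES = new Set(["ORGANIZATION", "PERSON"]);

// Returns one finding per failed check, in the {message, severity} shape used
// by the policy snippet; an empty array means the supplier data is complete.
function supplierFindings(input) {
  const findings = [];
  const supplier = input.component && input.component.supplier;
  if (!supplier) {
    return [{ message: "Component must have supplier information", severity: 7 }];
  }
  if (!SUPPLIER_TYPES.has(supplier.type)) {
    findings.push({ message: `Unknown supplier type: ${supplier.type}`, severity: 4 });
  }
  const annotation = supplier.annotation || {};
  if (!annotation.internalId) {
    findings.push({ message: "Supplier has not been assigned an internal ID", severity: 3 });
  }
  if (!annotation.cpeVendor) {
    findings.push({ message: "Supplier has no cpeVendor; vulnerability matching may miss it", severity: 5 });
  }
  // Contacts may come from the SBOM (array) or from the annotation (single object).
  const contacts = [].concat(supplier.contact || [], annotation.contact || []);
  if (!contacts.some((c) => c && c.email)) {
    findings.push({ message: "No contact email on supplier or annotation", severity: 2 });
  }
  return findings;
}

// Name to show: the displayName annotation, falling back to the SBOM name.
function displayName(supplier) {
  return (supplier.annotation && supplier.annotation.displayName) || supplier.name;
}

// Highest severity across findings (0 when there are none).
function maxSeverity(findings) {
  return findings.reduce((m, f) => Math.max(m, f.severity), 0);
}

// Constructed sample: SBOM-sourced fields plus a partial annotation (no internalId).
const SAMPLE_INPUT = {
  component: { supplier: {
    id: "sup-001", name: "Example Corp.", type: "ORGANIZATION",
    url: ["https://example.invalid"], contact: [{ name: "Sec", email: "sec@example.invalid" }],
    annotation: { displayName: "Example Corp", cpeVendor: "example" },
  } },
};
```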