For fun, let's assume you are a supplier, whatever that means. Let's say you are Autodesk, and you've been told you need to create a SBOM for AutoCAD in CycloneDX. You have to complete "manufacturer", "supplier", "publisher" and "author" fields, which the standard makes no attempt to disambiguate for you. Which corporate entities do you list against each field? ADSK IRELAND LIMITED (IE), ADSK NORWAY AS (NO), ADSK NORWAY HOLDINGS AS (NO), AUTODESK AB (NO), AUTODESK AMERICAS LLC (US), AUTODESK ASIA PTE LTD (SG), AUTODESK ASIA PTE LTD (MY), etc (there are pages of options) Do you need to list the specialty consulting firm that was engaged by a small subsidiary office in whatever country for 20 weeks to implement a file import function for a third party file format? If yes, which part of their Double Irish with a Dutch Sandwich corporate structure do you list?<p>Also for fun, let's assume you're an American company that buys copyright ownership and complete rights of proprietary software originally developed by an Irish company. You immediately re-release the software with a new loading screen logo, "About" dialog, etc changed to your brand name, and a new SBOM is released. Which part of your Double Irish with a Dutch Sandwich corporate structure do you list as "manufacturer", "supplier", "publisher" and "author" fields? Which part of the Irish company (or whatever complex corporate structure may exist) do you list in any of these fields, if any get listed at all? If you did list the Irish company, after 5 years when most code has been rewritten but only a few small bits and pieces remain, does this change whether you mention the Irish company that worked on the software 5 years ago?