SPDX originator is not always populated

[wagoodman]

When determining originator we only consider select ecosystems:

syft/syft/format/internal/spdxutil/helpers/origintor.go

Lines 17 to 40 in 25ae7bf

	switch metadata := p.Metadata.(type) {
	case pkg.ApkDBEntry:
	author = metadata.Maintainer
	case pkg.NpmPackage:
	author = metadata.Author
	case pkg.PythonPackage:
	author = metadata.Author
	if author == "" {
	author = metadata.AuthorEmail
	} else if metadata.AuthorEmail != "" {
	author = fmt.Sprintf("%s (%s)", author, metadata.AuthorEmail)
	}
	case pkg.RubyGemspec:
	if len(metadata.Authors) > 0 {
	author = metadata.Authors[0]
	}
	case pkg.RpmDBEntry:
	typ = "Organization"
	author = metadata.Vendor
	case pkg.DpkgDBEntry:
	author = metadata.Maintainer
	}
	if typ == "" && author != "" {
	typ = "Person"

Ideally we should expand this to fill in an answer in as many ecosystems as possible. There have been suggestions to at least add Java under consideration, looking specifically at the Specification-Vendor followed by Implementation-Vendor for non-empty values to use as an originator.

We should probably add a completion-test for this, which exhaustively covers all metadata types (use this). This way we can ensure that as new metadata types are added we can fail if there isn't an explicit test to cover originator functionality.