by l8again 1913 days ago
The idea of SBOM, or BOM, is not a new one. Maven has had one for years now, called BOM files [1]. So am I right in assuming that the author's suggestion is to make this BOM file public, like the ingredients in a food product, as some people have suggested? If so, I can see a quick static analysis tool that can spit out the vulnerabilities just by parsing the BOM. So, really there's not much to do _technically_ here other than releasing the BOM out in the open. And then displaying ugly warnings about any software's BOM to either shame them or actually hurt their bottom line by lost revenue due to those vulnerabilities.

[1]https://maven.apache.org/guides/introduction/introduction-to...


Also, I wonder how we can realistically implement this for SaaS?
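The "parse the BOM and spit out the vulnerabilities" tool sketched above, as an added example that is not code from this thread: it reads the dependencyManagement pins of a constructed Maven BOM and matches them against a constructed advisory list. Every coordinate, version and advisory id here is made up for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample BOM (not any real project's file): a pom.xml whose
# dependencyManagement section pins library versions, as a Maven BOM does.
SAMPLE_BOM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>com.example</groupId><artifactId>parser</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>netlib</artifactId><version>2.0.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>crypto</artifactId><version>3.4.1</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

# Constructed advisory feed with hypothetical ids: a version is affected when
# introduced <= version < fixed (fixed version itself is clean).
ADVISORIES = [
    {"id": "EX-2020-001", "ga": "com.example:parser", "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "EX-2020-002", "ga": "com.example:netlib", "introduced": "1.5.0", "fixed": "2.0.0"},
    {"id": "EX-2020-003", "ga": "org.example:crypto", "introduced": "3.0.0", "fixed": "3.5.0"},
]

def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def parse_bom(xml_text):
    """Return {'group:artifact': version} for every dependency the BOM pins."""
    root = ET.fromstring(xml_text)
    pinned = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        ga = "%s:%s" % (dep.findtext("m:groupId", namespaces=NS),
                        dep.findtext("m:artifactId", namespaces=NS))
        pinned[ga] = dep.findtext("m:version", namespaces=NS)
    return pinned

def affected(version, adv):
    """True when the pinned version falls inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])

def scan_bom(xml_text, advisories=ADVISORIES):
    """List (advisory id, coordinate, pinned version) for each affected pin."""
    pinned = parse_bom(xml_text)
    return sorted((adv["id"], adv["ga"], pinned[adv["ga"]])
                  for adv in advisories
                  if adv["ga"] in pinned and affected(pinned[adv["ga"]], adv))

if __name__ == "__main__":
    for hit in scan_bom(SAMPLE_BOM):
        print("%s affects %s@%s" % hit)
```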
Implement, yes, but will it make a relevant difference? IMHO unlikely.

A BOM no one (of relevance) ever reads is as good as no BOM.

The main positive effect a BOM can have (outside of SaaS) is to more strongly discourage the use (or continued use) of libraries or services known to be problematic.