SBOMs - SPDX, spdx-sbom-generator & lfx security

I’m just looking into SBOM creation for a project I work on at LF AI & Data.

I’ve seen some LF posts around sbomx, spdx sboms & tooling, such as GitHub - opensbom-generator/spdx-sbom-generator: Support CI generation of SBOMs via golang tooling.

Is there a thought that in future, support for this tool/SBOMs might feature as part of the lfx analysis/security environment ? I’m thinking in terms of reporting, analysis?

or indeed support for CycloneDX -which seems to have more (or perhaps, different) tooling options?


thank you @planetf1 for your question. @pranab.bajpai - could you speak to this feature request?