Adoption of CISA SBOM Generation Reference Implementations

[idunbarh]

Several of the folks involved in OpenSSFf are also involved in the CISA SBOM Community and worked on CISA SBOM Generation Reference Implementations. These are example pipelines in github and gitlab that follow an SBOM Producer Lifecycle which should produce a more complete SBOM.

CISA SBOM Community Tiger Teams are expected to have a limited lifespan and there is some discussion if this work should continue some place else.

This issue is to document a discussion around what if anything should be brought over to OpenSSF.

[joshbressers]

I would love to see this @idunbarh

It's something we've always wanted to do, but never got it off the ground

[joshbressers]

@idunbarh Any update on this?