Found out about this in the Microsoft VS Code thread but turns out it can process Docker base images too (after exporting them to tar files). Here is a component list for the nginx:latest base image: http://www.bomtotal.com/#9ab3777ec051c1f8db85d0513b032e91 Pretty neat stuff!
The whole software bill of materials, BOM, is a nice idea. If you buy a carton of milk, the contents are printed on the back. Why shouldn't this apply to software as well? Of course a lot of the software does not come in a shrink-wrapped package, so you need something like BOMtotal to keep you informed.
It will be interesting to see how the industry picks this up. The number of vulnerable libraries (and many of them) in software, even in security software, is rather mind-boggling.