An Intro to SBOMs

24 points by vmbrasseur, about 2 years ago

3 comments

ipsocannibal, about 2 years ago
You are starting more companies that are US Gov contractors invest in SBOM generation and software provenance solutions due to https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity
wallrat, about 2 years ago
Are SBOMs a "thing" yet? Is anybody using SBOMs in their day to day workflows?

The current tooling for *generating* them seems to have matured, but tools for storing and managing an SBOM inventory seem non-existent with the exception of OWASP Dependency-Track.
richbell, about 2 years ago
I *despise* the SPDX format, it feels like it was designed by the same people who created the current disaster that is NVD.