I would suggest we add a Validation step in the lifecycle before signing.
Validation could mean a few different things. Minimal validation would be the syntactic validation of the SBOM serialized "document" (e.g. validate against a JSON schema).
Next level of difficulty would be semantic validation (e.g. validate against the SHACL/OWL spec).
Another level would be to validate against the target (e.g. running a separate scanner and comparing results). Personally, I don't think we should include this last level in the recommendation, but it is possible.
I'm definitely for doing validation. We've done some limited validation using sbomqs, however I'm only open to doing this if we can find a format-agnostic tool that can do it automatically.
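To make the first two validation levels from the proposal concrete (syntactic shape checks, then semantic cross-reference checks), and to show what "format-agnostic" could look like in practice, here is an added example that is not part of the thread, sbomqs, or any SBOM project. It uses only the Python standard library so it runs offline; the syntactic tier is a hand-written subset of the CycloneDX 1.x and SPDX 2.x JSON shapes (an assumption standing in for the official JSON Schemas), and the semantic tier checks the one thing a JSON Schema cannot express: that every dependency or relationship reference resolves to an element the document actually declares. The third level (comparing against a scanner run on the target) is deliberately not covered. All sample documents are constructed, not real SBOMs.

```python
"""Two-tier SBOM validation: syntactic (shape) then semantic (cross-references).

Added example, not project code. Format detection is by content, so the same
entry point accepts CycloneDX and SPDX JSON. The required-field lists below are
a hand-written subset of the real schemas (assumption), not the official ones.
"""
import json

# Constructed sample inputs (not real SBOMs).
GOOD_CDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "app", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "bom-ref": "pkg:generic/libfoo@1.2.3"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["pkg:generic/libfoo@1.2.3"]}],
})
DANGLING_CDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "library", "name": "libfoo", "bom-ref": "libfoo"}],
    "dependencies": [{"ref": "libfoo", "dependsOn": ["libbar"]}],  # libbar never declared
})
BAD_SHAPE_CDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                            "components": [{"name": "no-type"}]})  # 'type' is required
SPDX_DANGLING = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example", "documentNamespace": "https://example.invalid/sbom/1",
    "packages": [{"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo"}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-Package-libbar"}],  # undeclared
})


def detect_format(doc):
    """Identify the serialization by its own markers rather than by file name."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "spdxVersion" in doc:
        return "spdx"
    return None


def syntactic_errors(doc):
    """Tier 1: shape checks of the kind a JSON Schema would catch."""
    fmt, errs = detect_format(doc), []
    if fmt == "cyclonedx":
        if not isinstance(doc.get("specVersion"), str):
            errs.append("CycloneDX: missing/invalid specVersion")
        comps = doc.get("components", [])
        if not isinstance(comps, list):
            errs.append("CycloneDX: components must be an array")
            comps = []
        for i, c in enumerate(comps):
            for key in ("type", "name"):
                if not isinstance(c, dict) or not isinstance(c.get(key), str):
                    errs.append(f"CycloneDX: components[{i}] missing required '{key}'")
    elif fmt == "spdx":
        for key in ("spdxVersion", "dataLicense", "SPDXID", "name", "documentNamespace"):
            if not isinstance(doc.get(key), str):
                errs.append(f"SPDX: missing required '{key}'")
        for i, p in enumerate(doc.get("packages", [])):
            for key in ("SPDXID", "name"):
                if not isinstance(p, dict) or not isinstance(p.get(key), str):
                    errs.append(f"SPDX: packages[{i}] missing required '{key}'")
    else:
        errs.append("unrecognised SBOM format (no bomFormat or spdxVersion)")
    return errs


def semantic_errors(doc):
    """Tier 2: cross-reference rules a JSON Schema cannot express."""
    fmt, errs = detect_format(doc), []
    if fmt == "cyclonedx":
        known = []
        meta_comp = doc.get("metadata", {}).get("component", {})
        if meta_comp.get("bom-ref"):
            known.append(meta_comp["bom-ref"])
        known += [c["bom-ref"] for c in doc.get("components", []) if c.get("bom-ref")]
        dupes = {r for r in known if known.count(r) > 1}
        errs += [f"CycloneDX: duplicate bom-ref '{r}'" for r in sorted(dupes)]
        known = set(known)
        for d in doc.get("dependencies", []):
            for ref in [d.get("ref")] + list(d.get("dependsOn", [])):
                if ref not in known:
                    errs.append(f"CycloneDX: dependency references undeclared bom-ref '{ref}'")
    elif fmt == "spdx":
        # Simplification: external document references (DocumentRef-...) are not resolved.
        ids = {doc.get("SPDXID")}
        ids |= {p.get("SPDXID") for p in doc.get("packages", [])}
        ids |= {f.get("SPDXID") for f in doc.get("files", [])}
        for r in doc.get("relationships", []):
            for key in ("spdxElementId", "relatedSpdxElement"):
                v = r.get(key)
                if v not in ids and v not in ("NOASSERTION", "NONE"):
                    errs.append(f"SPDX: relationship {key} '{v}' is not a declared element")
    return errs


def validate_sbom(text):
    """Run the tiers in order and stop at the first tier that fails, so the
    semantic pass never runs over a document whose shape is already wrong."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"not well-formed JSON: {e.msg}"]
    if not isinstance(doc, dict):
        return ["top-level JSON value must be an object"]
    errs = syntactic_errors(doc)
    return errs if errs else semantic_errors(doc)


if __name__ == "__main__":
    for label, sample in [("good", GOOD_CDX), ("dangling", DANGLING_CDX),
                          ("bad-shape", BAD_SHAPE_CDX), ("spdx", SPDX_DANGLING)]:
        print(label, validate_sbom(sample) or "OK")
```

Gating the semantic tier behind the syntactic one matters in a pipeline: a dangling reference found in a document that already failed shape validation is noise, and a signer should refuse anything that returns a non-empty error list. Swapping the hand-written shape checks for the official CycloneDX or SPDX JSON Schema would keep the same two-tier structure.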