CISA-SBOM-Community / SBOM-Generation

Reference GitHub Workflows for SBOM generation from the CISA SBOM Generation Reference Implementation Tiger Team
Apache License 2.0

Suggested change to the lifecycle - validation #28

Open goneall opened 3 days ago

goneall commented 3 days ago

I would suggest we add a Validation step in the lifecycle before signing.

Validation could mean a few different things. Minimal validation would be the syntactic validation of the SBOM serialized "document" (e.g. validate against a JSON schema).

Next level of difficulty would be semantic validation (e.g. validate against the SHACL/OWL spec).

Another level would be to validate against the target (e.g. running a separate scanner and comparing results). Personally, I don't think we should include this last level in the recommendation, but it is possible.
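To make the first two tiers of the proposed validation step concrete, here is an added example (not code from the SBOM-Generation repository or from the commenter) of a stdlib-only validator that runs a syntactic pass and then a semantic pass over a CycloneDX-style JSON document. The field schema it checks against is a deliberately reduced, hand-written subset and is not the official CycloneDX JSON Schema; in a real workflow the syntactic tier would run a JSON Schema validator against the published schema instead. The two sample documents are constructed for this example, and the semantic tier is limited to reference integrity (unique `bom-ref` values, dependency edges that resolve, no self-dependency), which is a fraction of what a SHACL/OWL-based check would cover.

```python
"""Two-tier SBOM validation (syntactic, then semantic) as a lifecycle step.

Added example; the schema below is a simplified stand-in for the official
CycloneDX JSON Schema, and both sample documents are constructed.
"""
import json
from typing import Dict, List, Tuple

# Minimal field schema: key -> (expected Python type, required?).
# Simplified; NOT the official CycloneDX schema.
TOP_LEVEL_SCHEMA: Dict[str, Tuple[type, bool]] = {
    "bomFormat": (str, True),
    "specVersion": (str, True),
    "version": (int, True),
    "components": (list, False),
    "dependencies": (list, False),
}
COMPONENT_SCHEMA: Dict[str, Tuple[type, bool]] = {
    "type": (str, True),
    "name": (str, True),
    "version": (str, False),
    "bom-ref": (str, False),
}


def _check_object(obj, schema: Dict[str, Tuple[type, bool]], path: str) -> List[str]:
    """Check presence and JSON type of each schema field; return findings."""
    if not isinstance(obj, dict):
        return [f"{path}: expected object"]
    errors = []
    for key, (typ, required) in schema.items():
        if key not in obj:
            if required:
                errors.append(f"{path}.{key}: missing required field")
            continue
        value = obj[key]
        # bool is a subclass of int in Python; JSON "version": true must not pass as int.
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            errors.append(f"{path}.{key}: expected {typ.__name__}")
    return errors


def validate_syntax(doc) -> List[str]:
    """Tier 1: structural/type validation of the serialized document."""
    errors = _check_object(doc, TOP_LEVEL_SCHEMA, "$")
    components = doc.get("components", []) if isinstance(doc, dict) else []
    if isinstance(components, list):
        for i, comp in enumerate(components):
            errors += _check_object(comp, COMPONENT_SCHEMA, f"$.components[{i}]")
    return errors


def validate_semantics(doc: dict) -> List[str]:
    """Tier 2: reference integrity across the document (assumes tier 1 passed)."""
    errors = []
    declared = set()
    for i, comp in enumerate(doc.get("components", [])):
        ref = comp.get("bom-ref") if isinstance(comp, dict) else None
        if ref is None:
            continue
        if ref in declared:
            errors.append(f"$.components[{i}]: duplicate bom-ref {ref!r}")
        declared.add(ref)
    for i, dep in enumerate(doc.get("dependencies", [])):
        if not isinstance(dep, dict):
            errors.append(f"$.dependencies[{i}]: expected object")
            continue
        ref = dep.get("ref")
        if ref not in declared:
            errors.append(f"$.dependencies[{i}].ref {ref!r} does not resolve to a component")
        for target in dep.get("dependsOn", []):
            if target == ref:
                errors.append(f"$.dependencies[{i}]: {ref!r} depends on itself")
            elif target not in declared:
                errors.append(f"$.dependencies[{i}].dependsOn {target!r} does not resolve to a component")
    return errors


def validate_sbom(text: str) -> List[str]:
    """Run the tiers in order; an empty list means the document passed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    errors = validate_syntax(doc)
    if errors:
        return errors  # semantic checks are only meaningful on a well-formed document
    return validate_semantics(doc)


# Constructed sample documents (not real project SBOMs).
GOOD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0", "bom-ref": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "lodash", "version": "4.17.21", "bom-ref": "pkg:npm/lodash@4.17.21"},
    ],
    "dependencies": [{"ref": "pkg:npm/left-pad@1.3.0", "dependsOn": ["pkg:npm/lodash@4.17.21"]}],
})
BROKEN_SBOM = json.dumps({  # missing specVersion, and a dangling dependency edge
    "bomFormat": "CycloneDX", "version": 1,
    "components": [{"type": "library", "name": "lodash", "bom-ref": "pkg:npm/lodash@4.17.21"}],
    "dependencies": [{"ref": "pkg:npm/lodash@4.17.21", "dependsOn": ["pkg:npm/missing@0.0.1"]}],
})

if __name__ == "__main__":
    for label, text in (("good", GOOD_SBOM), ("broken", BROKEN_SBOM)):
        print(label, validate_sbom(text) or "OK")
```

Running the tiers in order matters for the pipeline position being discussed: a document that fails the syntactic tier is rejected before signing, and the semantic tier only runs on input whose shape is already known, so its checks can assume types without defensive parsing. The same split maps onto tools: a JSON Schema validator for tier 1 and a SHACL/OWL or reference-integrity checker for tier 2.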

vpetersson commented 3 days ago

I'm definitely for doing validation. We've done some limited validation using sbomqs; however, I'm only open to doing this if we can find a format-agnostic tool that can do it automatically.