stackabletech / issues

This repository is only for issues that concern multiple repositories or don't fit into any specific repository

SBOM Quality control #422

Open lfrancke opened 10 months ago

lfrancke commented 10 months ago

As a user and creator of the Stackable SBOMs I'd like to know what their quality is.

- [ ] Evaluate https://github.com/eBay/sbom-scorecard
- [ ] Evaluate https://github.com/interlynk-io/sbomqs
- [ ] Research if there are other tools out there
- [ ] Decide on next steps (e.g. integrated in CI, manual etc.) and update this epic

riteshnoronha commented 9 months ago

@lfrancke great to see you are evaluating sbomqs for sbom quality control. We have used sbomqs to help sbom generation tools improve their output https://github.com/interlynk-io/sbomqs/discussions/39. We are actively developing this tool, and we would love any feedback you have during or after your evaluation of the tool.

FYI recently sbomqs was used for sbom quality benchmarks at codenotary https://codenotary.com/blog/monthly-quality-report-for-sbom-tools

Leanix also recommends us for SBOM quality. https://docs-vsm.leanix.net/docs/step-1-generating-cyclonedx-software-bill-of-materials#a-note-on-sbom-quality

We are actively working with the cpython sbom creator to help improve his tool. https://github.com/sethmlarson/cpython-sbom/issues.

Github has credited sbomqs with improving its output https://github.com/advanced-security/gh-sbom/releases/tag/v0.0.3

Other OSS SBOM quality tools we know of: https://github.com/spdx/ntia-conformance-checker [SPDX]
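
The checklist above asks whether quality checks should run in CI, and the last comment points at the NTIA conformance checker. As an added example (not code from Stackable, sbomqs or the NTIA checker), the block below scores a CycloneDX JSON SBOM against the seven NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp) and exposes a pass/fail gate that a CI job could call. The sample SBOM, the 0.9 threshold and the scoring weights are constructed for illustration; the real tools apply more checks and their own weighting.

```python
"""Minimal NTIA minimum-elements scorer for a CycloneDX JSON SBOM (added example)."""
import json
from typing import Any, Dict, List, Set, Tuple

# Constructed sample SBOM, not a real Stackable artifact. The second component
# deliberately lacks a supplier and any unique identifier so findings show up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-01-01T00:00:00Z",
        "authors": [{"name": "example-build-pipeline"}],
    },
    "components": [
        {"bom-ref": "pkg:maven/org.example/app@1.0.0", "name": "app",
         "version": "1.0.0", "purl": "pkg:maven/org.example/app@1.0.0",
         "supplier": {"name": "Example Org"}},
        {"bom-ref": "lib-1", "name": "lib", "version": "2.3.4"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.example/app@1.0.0", "dependsOn": ["lib-1"]},
    ],
})

# Per-component checks: name, version, supplier, identifier, dependency relationship.
NTIA_COMPONENT_CHECKS = 5
# Document-level checks: author of SBOM data, timestamp.
NTIA_DOCUMENT_CHECKS = 2


def _component_findings(comp: Dict[str, Any], graph_refs: Set[Any]) -> List[str]:
    """Return one finding per NTIA component field that is missing."""
    label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
    findings: List[str] = []
    if not comp.get("name"):
        findings.append(f"{label}: missing component name")
    if not comp.get("version"):
        findings.append(f"{label}: missing version")
    if not (comp.get("supplier") or {}).get("name"):
        findings.append(f"{label}: missing supplier name")
    if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
        findings.append(f"{label}: no unique identifier (purl/cpe/swid)")
    # "Dependency relationship": the component must appear somewhere in the graph,
    # either as a node with dependencies or as a target of dependsOn.
    if comp.get("bom-ref") not in graph_refs:
        findings.append(f"{label}: not present in the dependency graph")
    return findings


def check_ntia_minimum(sbom_json: str) -> Tuple[float, List[str]]:
    """Score an SBOM as (fraction of checks passed, list of findings)."""
    sbom = json.loads(sbom_json)
    findings: List[str] = []

    meta = sbom.get("metadata") or {}
    if not meta.get("timestamp"):
        findings.append("document: missing metadata.timestamp")
    # Accept either a named author or a generating tool as "author of SBOM data".
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("document: no SBOM author (metadata.authors/tools)")

    graph_refs: Set[Any] = set()
    for dep in sbom.get("dependencies") or []:
        graph_refs.add(dep.get("ref"))
        graph_refs.update(dep.get("dependsOn") or [])

    components = sbom.get("components") or []
    for comp in components:
        findings.extend(_component_findings(comp, graph_refs))

    total = NTIA_DOCUMENT_CHECKS + NTIA_COMPONENT_CHECKS * len(components)
    score = (total - len(findings)) / total if total else 0.0
    return round(score, 3), findings


def gate(sbom_json: str, minimum: float = 0.9) -> bool:
    """CI gate: print findings and return True only if the score meets the threshold."""
    score, findings = check_ntia_minimum(sbom_json)
    print(f"NTIA minimum-elements score: {score:.3f} (threshold {minimum})")
    for finding in findings:
        print("  -", finding)
    return score >= minimum


if __name__ == "__main__":
    raise SystemExit(0 if gate(SAMPLE_SBOM) else 1)
```

Wiring this into a pipeline means running `gate()` on the generated SBOM and failing the job on a non-zero exit; the threshold is a policy decision, and the findings list is what you would hand back to the generator's maintainers, much as the sbomqs discussions linked above do.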