As part of the build infrastructure Jessica called out Nexus 2 for Java Artifacts, Nexus 3 for Docker image delivery, NEXUS IQ for dependency scanning and Sonar cloud for code scanning.

According to this sonatype Blog "Nexus Vulnerability Scanner" already creates a BOM

If you’re not already creating SBOMs, and want to see what’s inside your application, start by using our free service, the Nexus Vulnerability Scanner, to generate one for your application.

Creating an SBOM and knowing what’s in your applications is the first step to better understanding what open source and third party components have been flowing into and through your software supply chains. --Why You Need a Software Bill of Materials More Than Ever (sonatype.com)

How does the end user use the Software BOM for trust and validation?

...

Version	Old Version 8	New Version 9
Changes made by	Robert Heinemann	Robert Heinemann
Saved on	Aug 30, 2021	Aug 30, 2021

Versions Compared

Key

How does the end user use the Software BOM for trust and validation?

Page Comparison

Versions Compared

Key

How does the end user use the Software BOM for trust and validation?