...
INFO.yaml files provide information for anyone interested in the repository. An INFO.yaml file contains information specific to the project: the PTL, the committers with their contact details, meeting information, real-time communication channels, and the list of repositories under the same control.
Committer Management Automation via INFO.yaml - Developer Wiki - Confluence (onap.org)
Jessica also suggested that we should reach out to Kenny Paul to discuss further and solicit his thoughts on what we are trying to accomplish.
...
According to this Sonatype blog, the "Nexus Vulnerability Scanner" already creates a BOM:
If you’re not already creating SBOMs, and want to see what’s inside your application, start by using our free service, the Nexus Vulnerability Scanner, to generate one for your application.
Creating an SBOM and knowing what’s in your applications is the first step to better understanding what open source and third party components have been flowing into and through your software supply chains. --Why You Need a Software Bill of Materials More Than Ever (sonatype.com)
(From Muddasar Ahmed )
I think we can get a BOM report in CycloneDX format from Nexus, depending on the feature bought by ONAP. Still need to figure out “How to”.
Also there are other options from open source.
https://spdx.dev
https://spdx.github.io/spdx-spec/1-rationale/
https://spdx.org/licenses/
https://cyclonedx.org/tool-center/
https://github.com/CycloneDX/cyclonedx-maven-plugin
Supports the CycloneDX format
https://www.globenewswire.com/en/news-release/2021/05/13/2229342/22212/en/Sonatype-Embraces-CycloneDX-Standard-for-Integrating-Software-Bills-of-Materials-SBOMs.html
Sonatype NVS (Nexus Vulnerability Scanner)
https://www.sonatype.com/products/vulnerability-scanner-upload
https://github.com/flexera/sca-codeinsight-reports-project-vulnerabilities
How does the end user use the Software BOM for trust and validation?
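One concrete answer to that question is to treat the SBOM as a set of claims and check them against what is actually deployed. The script below is an added illustration, not code from ONAP, Sonatype or CycloneDX: it builds a small constructed CycloneDX 1.4 JSON document (the serial number, purls and artifact bytes are all made up), then verifies each listed component's SHA-256 against the bytes of the corresponding artifact, reports components the BOM lists but that are not deployed, and reports deployed artifacts the BOM never declared. The `DEPLOYED_ARTIFACTS` mapping stands in for whatever inventory a real deployment would read from disk or a registry.

```python
"""Verify a CycloneDX JSON SBOM against the artifacts actually deployed (added example)."""
import hashlib
import json

# Constructed stand-ins for the jars present in a deployment, keyed by package URL.
# Real code would hash files from disk or an artifact repository instead.
DEPLOYED_ARTIFACTS = {
    "pkg:maven/org.example/example-lib@1.2.3": b"constructed bytes of example-lib-1.2.3.jar",
    "pkg:maven/org.example/other-lib@4.5.6": b"constructed bytes of other-lib-4.5.6.jar",
    "pkg:maven/org.example/undeclared-lib@0.1.0": b"constructed bytes of undeclared-lib-0.1.0.jar",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_bom() -> str:
    """Construct a CycloneDX 1.4 JSON BOM with one correct entry, one entry whose hash
    does not match the deployed artifact, and one entry that is not deployed at all."""
    good = DEPLOYED_ARTIFACTS["pkg:maven/org.example/example-lib@1.2.3"]
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",  # constructed
        "version": 1,
        "components": [
            {"type": "library", "name": "example-lib", "version": "1.2.3",
             "purl": "pkg:maven/org.example/example-lib@1.2.3",
             "hashes": [{"alg": "SHA-256", "content": sha256_hex(good)}]},
            {"type": "library", "name": "other-lib", "version": "4.5.6",
             "purl": "pkg:maven/org.example/other-lib@4.5.6",
             "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},  # deliberately wrong
            {"type": "library", "name": "ghost-lib", "version": "9.9.9",
             "purl": "pkg:maven/org.example/ghost-lib@9.9.9",
             "hashes": [{"alg": "SHA-256", "content": "11" * 32}]},
        ],
    }
    return json.dumps(bom)


def verify_bom(bom_json: str, deployed: dict) -> dict:
    """Return a purl -> status map: ok, hash-mismatch, not-deployed, no-hash, undeclared."""
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX" or "components" not in bom:
        raise ValueError("input is not a CycloneDX BOM")

    results = {}
    for comp in bom["components"]:
        purl = comp.get("purl")
        if purl is None:
            # Without a purl there is nothing to match against the inventory.
            continue
        sha = next((h["content"] for h in comp.get("hashes", [])
                    if h.get("alg") == "SHA-256"), None)
        if sha is None:
            results[purl] = "no-hash"          # listed, but unverifiable
        elif purl not in deployed:
            results[purl] = "not-deployed"     # BOM claims a component that is absent
        elif sha256_hex(deployed[purl]).lower() != sha.lower():
            results[purl] = "hash-mismatch"    # artifact differs from what the BOM describes
        else:
            results[purl] = "ok"

    # Anything running that the BOM never mentions is the most interesting finding.
    for purl in deployed:
        results.setdefault(purl, "undeclared")
    return results


if __name__ == "__main__":
    for purl, status in sorted(verify_bom(build_sample_bom(), DEPLOYED_ARTIFACTS).items()):
        print(f"{status:14} {purl}")
```

The four statuses map onto the trust decisions an end user actually has to make: `ok` is the only state in which the SBOM can be relied on for vulnerability matching, `hash-mismatch` and `undeclared` mean the BOM no longer describes the running software, and `not-deployed` usually points at a stale BOM that was generated for a different build.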
...