Open
Description
Consider a project with the below structure.
Project
|---deps
|   |---C dependency 1
|   |---JS dependency 2
|   |---Go dependency 3
|   |---C dependency 4
cdxgen can currently generate a single comprehensive SBOM with some properties. However, what would be nice is to generate multiple SBOMs and one Parent SBOM.
Project
|---bom.json (Parent)
|---deps
|   |---C dependency 1
|   |   |---bom.json
|   |---JS dependency 2
|   |   |---bom.json
|   |---Go dependency 3
|   |   |---bom.json
|   |---C dependency 4
|   |   |---bom.json
The parent SBOM could have external references linking to the individual SBOMs using BOM-Link. One immediate benefit is that the parent SBOM would have a small number of components, so it would be easier to share.
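
A sketch of the requested parent SBOM, added here as an illustration and not taken from cdxgen: each child bom.json becomes one component whose external reference of type "bom" carries a BOM-Link (urn:cdx:<serial number UUID>/<BOM version>). The function names, serial numbers and component names are constructed for the example.

```javascript
// Added example, not cdxgen code: link child BOMs from a parent BOM via BOM-Link.
// All names, serial numbers and versions below are constructed sample values.
const UUID_RE = /^urn:uuid:([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;

// BOM-Link form: urn:cdx:<serialNumber UUID>/<BOM version>
function bomLink(childBom) {
  const m = UUID_RE.exec(childBom.serialNumber || "");
  if (!m) throw new Error("child BOM has no valid serialNumber; cannot form a BOM-Link");
  if (!Number.isInteger(childBom.version) || childBom.version < 1)
    throw new Error("child BOM version must be a positive integer");
  return `urn:cdx:${m[1].toLowerCase()}/${childBom.version}`;
}

function buildParentBom(parentSerial, parentComponent, childBoms) {
  if (!UUID_RE.test(parentSerial)) throw new Error("parent serialNumber must be urn:uuid:<uuid>");
  const seen = new Set();
  const components = childBoms.map((child) => {
    const link = bomLink(child);
    // Two children sharing serialNumber/version would make the link ambiguous.
    if (seen.has(link)) throw new Error(`duplicate BOM-Link ${link}`);
    seen.add(link);
    const c = child.metadata && child.metadata.component;
    if (!c || !c.name) throw new Error(`${link}: child BOM lacks metadata.component`);
    return { type: c.type || "library", name: c.name, version: c.version,
             externalReferences: [{ type: "bom", url: link }] };
  });
  return {
    bomFormat: "CycloneDX",
    specVersion: "1.5",
    serialNumber: parentSerial,
    version: 1,
    metadata: { component: parentComponent },
    components,
  };
}

// Constructed stand-ins for two of the deps/*/bom.json files.
const sampleChildren = [
  { serialNumber: "urn:uuid:11111111-1111-4111-8111-111111111111", version: 1,
    metadata: { component: { type: "library", name: "c-dependency-1", version: "1.0.0" } } },
  { serialNumber: "urn:uuid:22222222-2222-4222-8222-222222222222", version: 3,
    metadata: { component: { type: "library", name: "js-dependency-2", version: "2.4.1" } } },
];
const parent = buildParentBom("urn:uuid:aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
  { type: "application", name: "Project", version: "0.1.0" }, sampleChildren);
console.log(JSON.stringify(parent, null, 2));
```

Because a BOM-Link includes the child BOM's version, regenerating a child with a new version or serial number leaves the parent pointing at the old document until the parent is rebuilt.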