An SBOM, or Software Bill of Materials, is a human- and machine-readable inventory file that lists all directly and indirectly used libraries (aka Gradle dependencies) of a piece of software.
One of the benefits of an SBOM is that it makes software more transparent and supply chain attacks easier to detect.
For Gradle there is the org.cyclonedx.bom plugin, which creates a standard SBOM file (in JSON and/or XML).
My question: should we add the creation of the SBOM file to the F-Droid build artefacts and publish it?
What are your thoughts?
I came to this topic when reading about infections by the npm/JavaScript worm Shai-Hulud. Although this currently concerns JavaScript, there might be future Gradle dependency supply chain attacks.
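As an added illustration of the "easier to detect" point above (this is not code from the post, from F-Droid or from the org.cyclonedx.bom plugin), the script below consumes a CycloneDX JSON SBOM of the kind the plugin emits, checks every listed library against a list of compromised versions, and walks the recorded dependency graph back to the app so you can see which direct dependency pulled a flagged transitive library in. The SBOM and the advisory list are constructed by hand for the example; the assumed layout is the standard CycloneDX one (a `components` array plus a `dependencies` array of `ref`/`dependsOn` entries, with bom-refs written as purls, which is what the Gradle plugin does by default).

```python
"""Scan a CycloneDX JSON SBOM for known-compromised packages and show
which direct dependency pulls each one in.

Added example, not code from the forum post or from the org.cyclonedx.bom
plugin. The SBOM below is constructed by hand in the layout the plugin
emits (components + dependencies keyed by purl bom-refs); the
COMPROMISED list is a made-up stand-in for a real advisory feed.
"""
import json

# Constructed SBOM: one app with two direct dependencies, one of which
# pulls in a transitive library that we pretend is compromised.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "type": "application",
            "bom-ref": "pkg:maven/org.example/myapp@1.0.0",
            "group": "org.example", "name": "myapp", "version": "1.0.0",
        }
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/com.acme/netlib@2.3.1?type=jar",
         "group": "com.acme", "name": "netlib", "version": "2.3.1",
         "purl": "pkg:maven/com.acme/netlib@2.3.1?type=jar"},
        {"type": "library", "bom-ref": "pkg:maven/com.acme/jsonlib@1.9.0?type=jar",
         "group": "com.acme", "name": "jsonlib", "version": "1.9.0",
         "purl": "pkg:maven/com.acme/jsonlib@1.9.0?type=jar"},
        {"type": "library", "bom-ref": "pkg:maven/com.acme/tinyutil@0.4.2?type=jar",
         "group": "com.acme", "name": "tinyutil", "version": "0.4.2",
         "purl": "pkg:maven/com.acme/tinyutil@0.4.2?type=jar"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.example/myapp@1.0.0",
         "dependsOn": ["pkg:maven/com.acme/netlib@2.3.1?type=jar",
                       "pkg:maven/com.acme/jsonlib@1.9.0?type=jar"]},
        {"ref": "pkg:maven/com.acme/netlib@2.3.1?type=jar",
         "dependsOn": ["pkg:maven/com.acme/tinyutil@0.4.2?type=jar"]},
        {"ref": "pkg:maven/com.acme/jsonlib@1.9.0?type=jar", "dependsOn": []},
        {"ref": "pkg:maven/com.acme/tinyutil@0.4.2?type=jar", "dependsOn": []},
    ],
})

# Constructed advisory list: (group, name) -> set of compromised versions.
COMPROMISED = {("com.acme", "tinyutil"): {"0.4.2", "0.4.3"}}


def load_components(sbom):
    """Map bom-ref -> (group, name, version) for every library in the SBOM."""
    return {c["bom-ref"]: (c.get("group", ""), c["name"], c["version"])
            for c in sbom.get("components", [])}


def build_reverse_graph(sbom):
    """Map bom-ref -> list of bom-refs that depend on it (child -> parents)."""
    parents = {}
    for entry in sbom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            parents.setdefault(child, []).append(entry["ref"])
    return parents


def path_to_root(ref, parents, root):
    """Return one chain [root, ..., ref] explaining how ref was pulled in."""
    chain = [ref]
    seen = {ref}
    while chain[-1] != root:
        ups = [p for p in parents.get(chain[-1], []) if p not in seen]
        if not ups:
            break  # orphan reference: the SBOM records no parent for it
        chain.append(ups[0])
        seen.add(ups[0])
    return list(reversed(chain))


def find_compromised(sbom_json, advisories):
    """Return (group, name, version, chain) for every component on the advisory list."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    comps = load_components(sbom)
    parents = build_reverse_graph(sbom)
    hits = []
    for ref, (group, name, version) in comps.items():
        if version in advisories.get((group, name), set()):
            hits.append((group, name, version, path_to_root(ref, parents, root)))
    return hits


if __name__ == "__main__":
    for group, name, version, chain in find_compromised(SAMPLE_SBOM, COMPROMISED):
        print(f"FLAGGED {group}:{name}:{version}")
        print("  pulled in via: " + " -> ".join(chain))
```

Run against the constructed SBOM this flags `com.acme:tinyutil:0.4.2` and reports the chain `myapp -> netlib -> tinyutil`, i.e. the indirect dependency and the direct one responsible for it. Pointed at a published `bom.json` and a real advisory feed, the same walk is what lets a user or F-Droid itself answer "is app X affected?" without rebuilding anything.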