
Add support for CycloneDX SBOMs #38

@dentarg

Description


I saw an interesting comment from @jchestershopify (👋 ) over at rubygems/rfcs#43 (comment); I'll include it here because it sounds relevant to this project:

> What I'd propose as an alternative is (1) to add support for CycloneDX SBOMs, so that (2) folks can use cyclonedx diff to generate diffs between two different versions of a gem.
>
> My concern here is that the proposed approach sails perilously close to producing a new, gem-specific SBOM format in disguise, which would hamper adoption by generalised tooling (SCA tools, etc.) that is developed outside of the Ruby ecosystem. By using CycloneDX and its diffing capability, I think your requirement to be able to find changes between gem versions would be served without needing a new format to be defined.

SBOM stands for "Software Bill of Materials" (Wikipedia has some more info), I'm not (yet) familiar with it but it sounds interesting to me. The diff tool linked above even more so.
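To make the proposal concrete, here is an added Ruby illustration (not code from this project, and not the cyclonedx-cli tool itself) of the two halves of the suggestion: emitting a minimal CycloneDX JSON BOM for a gem and its dependencies, and diffing two such BOMs by component to see what changed between versions. The gem name "widget" and its dependency lists are constructed sample data; the package URL form `pkg:gem/<name>@<version>` is the Package URL type for RubyGems. The diff logic is a simplified stand-in for what `cyclonedx diff` does, written out so the comparison is visible.

```ruby
require "json"

# Build a minimal CycloneDX 1.4 JSON BOM for a gem and its dependencies.
# Each component carries a Package URL; for RubyGems the form is
# pkg:gem/<name>@<version>, which is what cross-ecosystem SCA tooling keys on.
def gem_bom(name, version, deps)
  {
    "bomFormat"   => "CycloneDX",
    "specVersion" => "1.4",
    "version"     => 1,
    "metadata"    => {
      "component" => {
        "type" => "library", "name" => name, "version" => version,
        "purl" => "pkg:gem/#{name}@#{version}"
      }
    },
    "components"  => deps.map do |dep_name, dep_version|
      {
        "type" => "library", "name" => dep_name, "version" => dep_version,
        "purl" => "pkg:gem/#{dep_name}@#{dep_version}"
      }
    end
  }
end

# Serialize a BOM hash to the JSON document a consumer (or `cyclonedx diff`) would read.
def bom_json(bom)
  JSON.pretty_generate(bom)
end

# Index a BOM's components by name so two BOMs can be compared version by version.
def components_by_name(bom)
  bom.fetch("components", []).each_with_object({}) { |c, h| h[c["name"]] = c["version"] }
end

# Diff two BOMs: which dependencies were added, removed, or changed version.
# Returns sorted arrays so the result is stable and easy to assert on.
def bom_diff(old_bom, new_bom)
  old_c = components_by_name(old_bom)
  new_c = components_by_name(new_bom)
  {
    added:   (new_c.keys - old_c.keys).sort.map { |n| [n, new_c[n]] },
    removed: (old_c.keys - new_c.keys).sort.map { |n| [n, old_c[n]] },
    changed: (old_c.keys & new_c.keys).select { |n| old_c[n] != new_c[n] }.sort
                                        .map { |n| [n, old_c[n], new_c[n]] }
  }
end

# Constructed sample data: two versions of a hypothetical gem "widget".
OLD_BOM = gem_bom("widget", "1.0.0", { "nokogiri" => "1.13.0", "rake" => "13.0.6" })
NEW_BOM = gem_bom("widget", "1.1.0", { "nokogiri" => "1.14.0", "rake" => "13.0.6", "rexml" => "3.2.5" })

if __FILE__ == $0
  puts bom_json(NEW_BOM)
  puts JSON.pretty_generate(bom_diff(OLD_BOM, NEW_BOM))
end
```

Running the script prints the BOM for widget 1.1.0 and a diff reporting rexml as added and nokogiri as changed from 1.13.0 to 1.14.0. Because the output is plain CycloneDX JSON rather than a gem-specific format, the same document can be handed to any CycloneDX-aware tool, which is the point the quoted comment makes.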
