Capturing details about the BOM generation environment, workflows, tasks and steps

[prabhu]

I am working on a couple of projects related to Binary SBOM and HBOM generation. I noticed that depending on the generation environment, such as the operating system, version of firmware, build tools, libraries, the generated BOM differs significantly.

For example, Binary SBOM generated for the same software on Linux ARM64 differs from Darwin ARM64.
HBOM for hardware peripherals is heavily dependent on the OS, firmware, and the version of interfaces such as ACPI. The quality of data is low when the hardware isn't well supported on a particular OS or is missing the right bios version.

Similar to formulation, it would be useful for the BOM tool and service to capture the details about the generation environment to help with reproducibility and assessment of precision.