Is your feature request related to a problem? Please describe.
No known problem.
Describe the solution you'd like
Currently this project auto-generates its SBOM with syft. After attending the SBOM Devroom at FOSDEM, I'm curious whether ORT will generate a better SBOM than syft.
ORT claims that it will include not just software dependencies from the package manager but also wrapped libs, like those from C++. Also, it has an Open Source Policy Checker included.
If this works as promised, we could run ORT on each PR for an open source licensing check and generate the SBOM with it.
I think this is a topic where a lot of stuff is happening currently. E.g. GitHub released SBOM export a few days ago: https://github.blog/2023-03-28-introducing-self-service-sboms/. Tbh I don't know much about it, so I don't have much of an opinion on it.
Describe alternatives you've considered
Keep using syft
Additional context
No response