It seems like identifying all transitive dependencies is the actual hard-ish technical problem that might be worth paying for? If I have an SBOM for software A that shows a dependency on software B, but software B lacks its own SBOM, then I still can't answer the question of "does software A depend on some vulnerable piece of software?" SBOMs seem ineffective for these types of things unless *everyone* gets on board.
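Added example (not the commenter's code) of the gap described above: a transitive walk over a set of per-package SBOMs that distinguishes "vulnerable", "clean", and "unknown because some dependency never published its own SBOM". The SBOM fragments, package names and advisory id are constructed placeholders, not real documents.

```python
"""Walk transitive dependencies across per-package SBOMs and report where the
tree is unknown because a dependency has no SBOM of its own."""
from dataclasses import dataclass, field

# Constructed, CycloneDX-like fragments: one per package that published an SBOM.
# Package B@2.1 is depended on but published nothing, so its subtree is opaque.
SBOMS = {
    "A@1.0": {"components": ["B@2.1", "C@0.9"]},
    "C@0.9": {"components": ["D@3.0"]},
    "D@3.0": {"components": []},
}
# Constructed vulnerability feed: package -> advisory id (placeholder, not real).
VULNS = {"D@3.0": "EXAMPLE-ADVISORY-1"}


@dataclass
class Report:
    reachable: set = field(default_factory=set)
    vulnerable: dict = field(default_factory=dict)
    unknown: set = field(default_factory=set)   # packages with no SBOM of their own


def walk(root, sboms=SBOMS, vulns=VULNS):
    """Depth-first walk from root; a package with no SBOM is recorded as unknown
    rather than silently treated as a leaf."""
    report = Report()
    stack = [root]
    while stack:
        pkg = stack.pop()
        if pkg in report.reachable:
            continue                       # already visited (diamond/cycle)
        report.reachable.add(pkg)
        if pkg in vulns:
            report.vulnerable[pkg] = vulns[pkg]
        sbom = sboms.get(pkg)
        if sbom is None:
            # We know pkg is used, but nothing about what it pulls in.
            report.unknown.add(pkg)
            continue
        stack.extend(sbom["components"])
    return report


def verdict(report):
    """'clean' is only claimable when every reachable package had an SBOM."""
    if report.vulnerable:
        return "vulnerable"
    return "unknown" if report.unknown else "clean"
```

The point is the third verdict: without B's SBOM the best a tool can honestly say about A is "unknown", never "clean".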