[feature][npm] Generate SBOM for npm

[laurentsimon]

This could be enabled thru a sbom-generate: true and sbom-format: xxx options. I think a scan of the package.json would work, although I'm not 100% sure if additional deps could be pulled in thru the script...

A larger question we need to answer before doing that is how we attest to the SBOM: thru a dedicated provenance, thru a new predicateType, thru byproduct of the existing provenance.

[ljharb]

See npm/rfcs#714

Presumably this is primarily useful for an end-user application, since it can be autogenerated at any time from a lockfile and node_modules directory?

[laurentsimon]

Correct, only for end applications. Thanks for the link, we'll take a look.