Description
Is your feature request related to a problem? Please describe.
Past problems, including the log4j vulnerability Log4Shell, have made it abundantly clear to many people that it's important
to be able to quickly figure out what is included in some software.
It would be good to be able to report on whether or not a project provides a software bill of materials (SBOM),
because that tells potential users that the developers are trying to help by providing this info.
We might even look at the White House Executive Order on Cybersecurity to see
if there are other things projects could provide to help users respond to a problem.
Describe the solution you'd like
Detect if SBOMs are present for all the dependencies in use.
I'm sure there are many options, let's talk about those in the comments.
I just want to record the idea so we can discuss it.
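As an added example of what such a check could look like (this is not code from this issue or from the project it was filed against), the Python below walks a repository checkout, picks out files whose name and content mark them as an SPDX or CycloneDX document, and reports the format and the number of components each one lists. The filename hints, the skipped vendor directories, the 0/5/10 score scale and the build_sample_repo helper are all assumptions made for this example.

```python
"""Hypothetical SBOM-presence check for a repository checkout (added example)."""
from __future__ import annotations

import json
import os
import tempfile
from dataclasses import dataclass

# Filename fragments conventionally used for SBOMs (assumption for this example).
SBOM_NAME_HINTS = ("sbom", "bom.", ".spdx", ".cdx")
# Only these extensions are opened; everything else is skipped unread.
SBOM_EXTENSIONS = (".json", ".spdx", ".xml")
# Third-party copies are skipped so a vendored dependency's SBOM is not
# mistaken for the project's own.
SKIP_DIRS = {".git", "node_modules", "vendor", "third_party"}
MAX_BYTES = 20 * 1024 * 1024  # refuse to parse pathologically large files


@dataclass(frozen=True)
class SbomFile:
    path: str
    fmt: str         # "spdx" or "cyclonedx"
    components: int  # packages/components listed (0 if the document is empty)


def classify_sbom(data: bytes) -> tuple[str, int] | None:
    """Return (format, component_count) if `data` is an SBOM, else None."""
    head = data[:4096].lstrip()
    if head.startswith(b"{"):
        try:
            doc = json.loads(data)
        except ValueError:
            return None
        if not isinstance(doc, dict):
            return None
        if "spdxVersion" in doc and "SPDXID" in doc:
            return ("spdx", len(doc.get("packages") or []))
        if doc.get("bomFormat") == "CycloneDX":
            return ("cyclonedx", len(doc.get("components") or []))
        return None
    if head.startswith(b"SPDXVersion:"):
        # Tag-value SPDX: one "PackageName:" line per package.
        return ("spdx", sum(1 for ln in data.splitlines() if ln.startswith(b"PackageName:")))
    if b"<bom" in head and b"cyclonedx" in head.lower():
        return ("cyclonedx", data.count(b"<component ") + data.count(b"<component>"))
    return None


def find_sboms(root: str) -> list[SbomFile]:
    """Locate SBOM documents under `root`, skipping vendored directories."""
    found: list[SbomFile] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            lower = name.lower()
            if not lower.endswith(SBOM_EXTENSIONS):
                continue
            if not any(hint in lower for hint in SBOM_NAME_HINTS):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, "rb") as fh:
                result = classify_sbom(fh.read())
            if result is not None:
                found.append(SbomFile(path, result[0], result[1]))
    return sorted(found, key=lambda s: s.path)


def sbom_score(root: str) -> int:
    """0 = no SBOM, 5 = SBOM present but lists nothing, 10 = SBOM with components."""
    sboms = find_sboms(root)
    if not sboms:
        return 0
    return 10 if any(s.components > 0 for s in sboms) else 5


def build_sample_repo() -> str:
    """Create a constructed sample checkout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="sbom-check-")
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(root, "node_modules", "dep"))
    with open(os.path.join(root, "sbom.json"), "w") as fh:  # CycloneDX, 2 components
        json.dump({"bomFormat": "CycloneDX", "specVersion": "1.4",
                   "components": [{"name": "liba"}, {"name": "libb"}]}, fh)
    with open(os.path.join(root, "docs", "project.spdx.json"), "w") as fh:  # SPDX, 1 package
        json.dump({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
                   "packages": [{"name": "project"}]}, fh)
    with open(os.path.join(root, "node_modules", "dep", "bom.json"), "w") as fh:  # ignored
        json.dump({"bomFormat": "CycloneDX", "components": [{"name": "x"}]}, fh)
    with open(os.path.join(root, "README.md"), "w") as fh:
        fh.write("not an sbom\n")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for s in find_sboms(repo):
        print(s.fmt, s.components, os.path.relpath(s.path, repo))
    print("score:", sbom_score(repo))
```

This only answers whether the project itself ships an SBOM. Covering "all the dependencies in use", as the issue asks, would mean resolving each dependency from the lockfile or package manifest to its own source or package and running the same check there, which the example does not attempt; it also deliberately ignores vendored copies, since an SBOM found under node_modules says nothing about the project that vendored it.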