Feature
Resolution: Unresolved
Normal
Currently, the result of indexing is an index report: a Clair-specific format that describes the packages, repositories, distributions and environments found within the examined filesystem(s). We would like to offer the ability to return this index report in a well-known SBOM format, specifically SPDX.
SPDX is the blessed format for SBOM generation at Red Hat (https://spaces.redhat.com/display/~pveillar/Mastery%3A+Security+Engineer+-+SBOM).
Care has to be taken to ensure the SBOM output produced by the indexer can be ingested by Clair's matching machinery.
Wiki notes: https://spaces.redhat.com/display/CLAIR/SBOM+notes
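As an added example (not Clair's or claircore's own code), the round trip the description calls for, in Python with constructed stand-in types: an index-report-like record is mapped onto a subset of SPDX 2.3 JSON with a purl external reference per package, and an ingest-side check refuses any package the matcher could not identify. The type names, the purl layout and the sample package are assumptions.

```python
import json
from dataclasses import dataclass


@dataclass
class Package:
    """Stand-in for the indexer's package record (not claircore's own type):
    only the fields a matcher keys on. distro_id doubles as the purl namespace."""
    name: str
    version: str
    kind: str       # e.g. "rpm"
    arch: str
    distro_id: str  # e.g. "rhel"


def to_spdx(manifest_hash: str, packages: list) -> dict:
    """Emit a subset of SPDX 2.3 JSON in which every package carries a purl
    external reference, so its identity survives ingestion by the matcher.
    The purl layout pkg:<kind>/<distro>/<name>@<version>?arch=<arch> is an assumption."""
    spdx_packages = []
    for i, p in enumerate(packages):
        purl = f"pkg:{p.kind}/{p.distro_id}/{p.name}@{p.version}?arch={p.arch}"
        spdx_packages.append({
            "SPDXID": f"SPDXRef-Package-{i}",
            "name": p.name,
            "versionInfo": p.version,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": purl}],
        })
    return {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
            "name": manifest_hash, "packages": spdx_packages}


def matcher_locators(spdx_doc) -> list:
    """Ingest-side check: accept SPDX JSON text or an already-parsed dict and
    return one purl per package, raising on any package the matcher could not identify."""
    doc = json.loads(spdx_doc) if isinstance(spdx_doc, str) else spdx_doc
    locators = []
    for pkg in doc.get("packages", []):
        purls = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"]
        if not purls:
            raise ValueError(f"{pkg.get('SPDXID')} has no purl reference; "
                             "the matcher cannot identify it")
        locators.extend(purls)
    return locators


# Constructed sample report: one RHEL rpm, as the indexer might describe it.
SAMPLE = [Package("bash", "5.1.8-6.el9", "rpm", "x86_64", "rhel")]
```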
Relates to: CLAIRDEV-15 Ability to submit SBOM artifacts such as in-toto to a matcher
Refinement