One option would be to support the OWASP CycloneDX standard. Technically, it's a Bill of Materials (BOM) format; however, it also supports Bill of Vulnerabilities, Advisory, and VEX formats. We bill it as a "modern standard for the software supply chain". ...