"Pre-build" life cycle phase additions about Open Source supply-chain & ecosystem

[sjn]

I'm wondering it would be very beneficial to expand the "pre-build" phase in 0x20-Lifecycle_Phases.md.

I imagine this phase implies quite a few important steps involved in the final assembly of an SBOM, including authoritative information about components acquired from a supplier up-stream, that may be

• …updated unilaterally by the component author.
  • Author name
  • Author email
  • Component unique name
  • Component version/release
  • Project name
  • Project repository
  • Project contact information
  • Project license
  • Project issue/bug tracker URL
  • List of know vulnerabilities this release has addressed
  • etc..
• …updated unilaterally by the software distribution service (e.g. a native package source, like Debian's APT repositories, or FreeBSD's ports system)
  • Package download URL
  • Packager's name
  • Packager's email
  • Packager's security advisory URL
  • List of patches/changes applied by the packager
  • etc…

[stevespringett]

Thanks @sjn. However, I don't know what the ask is. Can you expand on what you'd like to see and what would be beneficial to readers?