Goal: Understand how transparent a given software package is with respect to dependencies, licensing (?), security processes, etc.
| Metric | Question |
|---|---|
| Software Bill of Materials | Does the software package have a standard expression of dependencies, licensing, and security-related issues? |
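As an added illustration of how a reviewer could answer the Software Bill of Materials question in practice (this is example code, not part of the metric definition above), the following script checks whether a package ships a machine-readable SBOM and, if it does, summarises the three things the question asks about: declared dependencies, license statements per component, and whether a security (vulnerability) section is present. It assumes the SBOM uses the CycloneDX JSON layout (`bomFormat`, `specVersion`, `components[].licenses[].license.id|name`, `vulnerabilities`); the embedded document is constructed for the example and the vulnerability identifier in it is a placeholder, not a real advisory.

```python
import json

# Constructed sample SBOM in CycloneDX JSON layout (not taken from any real package).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # A component with no license declared: a transparency gap worth flagging.
        {"name": "example-helper", "version": "0.1.0"},
        {"name": "urllib3", "version": "1.26.5",
         "licenses": [{"license": {"name": "MIT"}}]},
    ],
    # CycloneDX 1.4+ lets the producer embed known issues; the id is a placeholder.
    "vulnerabilities": [
        {"id": "PLACEHOLDER-VULN-0001", "affects": [{"ref": "urllib3"}]}
    ],
})


def _declared_licenses(component):
    """Collect SPDX ids or free-text license names declared on one component."""
    names = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        value = lic.get("id") or lic.get("name")
        if value:
            names.append(value)
    return names


def assess_sbom(text):
    """Summarise the transparency of an SBOM document.

    Returns None when the input is not a recognisable CycloneDX document
    (the answer to the metric question is then simply "no standard SBOM"),
    otherwise a dict describing dependencies, licensing and security data.
    """
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    if not isinstance(doc, dict) or doc.get("bomFormat") != "CycloneDX":
        return None

    components = doc.get("components", [])
    missing_license = [c.get("name") for c in components
                       if not _declared_licenses(c)]
    return {
        "spec_version": doc.get("specVersion"),
        "component_count": len(components),
        "components_missing_license": missing_license,
        "has_vulnerability_section": "vulnerabilities" in doc,
        "vulnerability_count": len(doc.get("vulnerabilities", [])),
    }


def metric_answer(summary):
    """Turn the summary into the yes/partial/no answer the metric asks for."""
    if summary is None:
        return "no"
    if summary["components_missing_license"] or not summary["has_vulnerability_section"]:
        return "partial"
    return "yes"


if __name__ == "__main__":
    result = assess_sbom(SAMPLE_SBOM)
    print(json.dumps(result, indent=2))
    print("SBOM metric:", metric_answer(result))
```

In practice the `text` argument would come from a file such as `bom.json` found in the package's release artifacts; an absent or unparsable file maps directly to a "no" for this metric, while a present SBOM with missing license entries or no vulnerability data is recorded as "partial" so the gaps are visible rather than hidden behind a single yes/no.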