Attached is a diagram from the early days of the NTIA Software Transparency Working Group. The diagram was created to show relations of what was desired eventually in an SBOM, and we used it to then trim back to the 'crawl', which is where we were at that time. So things like API calls, forking GitHub repos, and build tools were cans that were kicked down the road at that time, and for the most part still haven't been addressed. I'm including it as a basis for discussion so we can decide if we want to use those terms ("includes", "based on", "made using", "subset of", "calls at run time", "loads at runtime", etc.), modify them, or use different ones.
------------------------------
Duncan Sparrell
Chief Cyber Curmudgeon
sFractal Consulting LLC
Oakton VA
703-828-8646
------------------------------