SBOMs become a security staple for the software supply chain