
Add sbom target to Makefile and needed Lua scripts
Needs Review (Public)

Authored by tuukka.pasanen_ilmi.fi on Fri, Oct 24, 10:44 AM.
Referenced Files
F137064284: D53318.diff
Fri, Nov 21, 2:01 AM
Details

Reviewers
bapt
Group Reviewers
portmgr
Summary

Add sbom target to Mk/bsd.port.mk and needed Lua scripts

  • Mk/LuaScripts/ports-spdx.lua: library of functions for creating SPDX Lite 3.0.1 documents
  • Mk/LuaScripts/ports-spdx-traverse-deps.lua: creates an SPDX SBOM from packages, traversing through the dependent packages and adding their information as well
Test Plan

Apply the diff, then go to some port (start with a package that has few dependencies) and run make sbom. After a while it should output an SPDX Lite 3.x JSON-LD SBOM for that specific package, including package dependencies and information.

Beware: Currently it does not use SPDX license strings but the licenses from FreeBSD ports. This is a known issue and will be fixed in the future.
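The shape of what the test plan describes, as an added illustration that is not the patch's own Lua code: a dependency graph in the style of ports metadata (constructed here, keyed by origin) is walked once per package, a visited set stops cycles and diamonds from producing duplicate entries, and the result is serialised as SPDX 3 JSON-LD with dependsOn relationships. The package table, the example.invalid SPDX identifier namespace and the tool name are assumptions; the ports license string is carried only as a comment, mirroring the known issue above that it is not yet an SPDX license expression.

```lua
-- Added example, not code from D53318. Assumed input: a table of packages
-- keyed by ports origin; the real patch reads this from the ports framework.
local pkgs = {
  ["www/example-app"] = { name = "example-app", version = "1.2.3",
    license = "BSD2CLAUSE", deps = { "devel/libfoo", "textproc/libbar" } },
  ["devel/libfoo"]    = { name = "libfoo", version = "0.9",
    license = "MIT", deps = { "textproc/libbar" } },
  ["textproc/libbar"] = { name = "libbar", version = "2.0",
    license = "MIT", deps = { "devel/libfoo" } }, -- constructed cycle
}

-- Minimal JSON encoder (stock Lua has none): strings, numbers, booleans,
-- sequence tables as arrays, string-keyed tables as objects with sorted keys.
local function json(v, ind)
  ind = ind or ""
  local t = type(v)
  if t == "string" then
    return '"' .. v:gsub('[%c"\\]', function(c)
      if c == '"' or c == "\\" then return "\\" .. c end
      return string.format("\\u%04x", c:byte())
    end) .. '"'
  elseif t == "number" or t == "boolean" then
    return tostring(v)
  elseif t == "table" then
    local nind = ind .. "  "
    local parts = {}
    if #v > 0 or next(v) == nil then
      for _, item in ipairs(v) do parts[#parts + 1] = nind .. json(item, nind) end
      if #parts == 0 then return "[]" end
      return "[\n" .. table.concat(parts, ",\n") .. "\n" .. ind .. "]"
    end
    local keys = {}
    for k in pairs(v) do keys[#keys + 1] = k end
    table.sort(keys)
    for _, k in ipairs(keys) do
      parts[#parts + 1] = nind .. json(k) .. ": " .. json(v[k], nind)
    end
    return "{\n" .. table.concat(parts, ",\n") .. "\n" .. ind .. "}"
  end
  error("cannot encode value of type " .. t)
end

-- Placeholder identifier namespace (assumption): one IRI per ports origin.
local function spdx_id(origin)
  return "https://example.invalid/spdx/" .. origin:gsub("/", "-")
end

-- Build the @graph for `root` and everything it transitively depends on.
local function build_sbom(root, packages)
  local ci = "_:creationinfo"
  local graph, visited = {}, {}

  local function visit(origin)
    if visited[origin] then return end -- cycle / diamond: emit each package once
    visited[origin] = true
    local p = packages[origin] or error("unknown dependency " .. origin)
    graph[#graph + 1] = {
      type = "software_Package", spdxId = spdx_id(origin), creationInfo = ci,
      name = p.name, software_packageVersion = p.version,
      comment = "ports license: " .. p.license, -- not an SPDX license expression yet
    }
    local targets = {}
    for _, d in ipairs(p.deps) do targets[#targets + 1] = spdx_id(d) end
    if #targets > 0 then
      graph[#graph + 1] = {
        type = "Relationship", spdxId = spdx_id(origin) .. "-deps", creationInfo = ci,
        relationshipType = "dependsOn", from = spdx_id(origin), to = targets,
      }
    end
    for _, d in ipairs(p.deps) do visit(d) end
  end
  visit(root)

  local tool = "https://example.invalid/spdx/tool/ports-sbom-example"
  table.insert(graph, 1, { type = "CreationInfo", ["@id"] = ci, specVersion = "3.0.1",
    created = os.date("!%Y-%m-%dT%H:%M:%SZ"), createdBy = { tool } })
  table.insert(graph, 2, { type = "Tool", spdxId = tool, creationInfo = ci,
    name = "ports-sbom-example" })
  table.insert(graph, 3, { type = "SpdxDocument", spdxId = spdx_id(root) .. "-document",
    creationInfo = ci, profileConformance = { "core", "software", "lite" },
    rootElement = { spdx_id(root) } })

  return { ["@context"] = "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
           ["@graph"] = graph }
end

print(json(build_sbom("www/example-app", pkgs)))
```

Running it prints one JSON-LD document containing three software_Package elements and three dependsOn relationships; libfoo and libbar each appear once even though they reference each other and both are reachable from the root, which is the property a consumer of the SBOM needs when it later matches packages against advisories.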

Diff Detail

Repository
R11 FreeBSD ports repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

to be honest I am not a big fan of this being added to the ports tree, because usually the sbom analysis (my use case at least) is on what would be deployed, so it needs to happen at the packaging level more than at the source level imho.

Sorry, I don't quite get this. If I understand, is this done on the packaging level and not on the source level? It just uses packaging information from FreeBSD ports and does not touch the source at all currently. If you mean by packaging level making an SBOM of a running system from the installed packages, it's of course a totally different case.

the ports tree is a framework to build packages; if we are to build an sbom on a distribution of packages we don't want to work on the framework which builds repositories, but on the package repository side. Meaning in the ports tree we need to make sure we collect enough metadata so that packages themselves have enough metadata for a tool like this one to collect the information from the packages directly and not from the sources.

if I have in mind something like JFrog's Xray to generate an sbom, I would push my built packages into an Artifactory repository and let Xray extract the needed information from the packages, not from the build framework.

Then there is the Python tool distro2sbom (which supports FreeBSD pkg). It does not produce SPDX version 3.0 but version 2.3. It produces an SBOM from the pkg package database.

But probably this one and the others should be closed then.