
What if cdxgen container image bundles depscan

Open · prabhu opened this issue 10 months ago · 1 comment

https://github.com/owasp-dep-scan/dep-scan

depscan can accept the --bom argument to enhance and create a VDR/VEX file. What if cdxgen could invoke depscan and submit the resulting VDR to the Dependency-Track server to simplify things?

What if cdxgen could also invoke evinse, generate an obom, and invoke depscan so that the vulnerabilities included are targeted for the given application and runtime context?

prabhu, Sep 28 '23 09:09