Matt Moore
This applies similarly to: https://github.com/google/ko/issues/357
Here was the K8s SBOM he pointed me at: https://sbom.k8s.io/v1.23.5/release
He also mentioned:

> and that reference is used in other places to describe that the artifacts were produced from a package in it:
>
> ```
> Relationship: SPDXRef-Package-k8s.gcr.io-kube-controller-manager-amd64-v1.23.5 GENERATED_FROM DocumentRef-kubernetes-v1.23.5:SPDXRef-Package-kubernetes
> ```
Once https://github.com/chainguard-dev/apko/pull/149 lands (+releases) it would be nice to start on this, so that images based on `ghcr.io/distroless/static` can take advantage. @Puerco any thoughts on the form of this syntax...
I think @puerco wants to chase this a bit.
In #743 I pass the image/index into the functions generating SBOMs, and we can access the OCI annotations we populate on those (if present, **ahem** docker **ahem** 👀 ), which...
@puerco is this a correct list of SPDX relationship types? https://cloud.google.com/container-analysis/docs/reference/rest/v1beta1/RelationshipType `DESCENDANT_OF` seems perfect for base images.
Found this as well: https://spdx.github.io/spdx-spec/v2-draft/relationships-between-SPDX-elements/
I also noticed `DEPENDENCY_MANIFEST_OF` which seems like a way to say "this is an SBOM for that" 🤔
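To make the two relationship types discussed above concrete, here is an added example (not ko's or apko's code) that builds a minimal SPDX 2.2 JSON document for an image: the document is marked `DEPENDENCY_MANIFEST_OF` the image package, and the image package is `DESCENDANT_OF` the base-image package. It also validates that every relationship uses a known type and that both ends resolve to an element in the document, which is the check a consumer would want before trusting the base-image link. The image references and digests are constructed placeholders; the `BuildImageSBOM`, `BaseImageOf`, `Validate` and `sanitize` names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Package is the subset of SPDX package fields used in this example.
type Package struct {
	Name   string `json:"name"`
	SPDXID string `json:"SPDXID"`
}

// Relationship is one SPDX relationship, read as: Element <Type> Related.
type Relationship struct {
	Element string `json:"spdxElementId"`
	Type    string `json:"relationshipType"`
	Related string `json:"relatedSpdxElement"`
}

// Document is the subset of SPDX 2.2 document fields used in this example.
type Document struct {
	SPDXVersion   string         `json:"spdxVersion"`
	DataLicense   string         `json:"dataLicense"`
	SPDXID        string         `json:"SPDXID"`
	Name          string         `json:"name"`
	Packages      []Package      `json:"packages"`
	Relationships []Relationship `json:"relationships"`
}

// knownTypes lists the SPDX 2.2 relationship types this example accepts.
var knownTypes = map[string]bool{
	"DESCRIBES":              true,
	"DESCENDANT_OF":          true,
	"DEPENDENCY_MANIFEST_OF": true,
	"GENERATED_FROM":         true,
}

// sanitize keeps only the characters SPDX allows in an ID (letters, digits,
// '.' and '-'), replacing everything else with '-'.
func sanitize(ref string) string {
	out := make([]byte, 0, len(ref))
	for i := 0; i < len(ref); i++ {
		c := ref[i]
		if (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '.' || c == '-' {
			out = append(out, c)
		} else {
			out = append(out, '-')
		}
	}
	return string(out)
}

// BuildImageSBOM returns a document describing imageRef, whose package is
// recorded as a descendant of baseRef. Refs are "repo@sha256:..." strings.
func BuildImageSBOM(imageRef, baseRef string) Document {
	imageID := "SPDXRef-Package-" + sanitize(imageRef)
	baseID := "SPDXRef-Package-" + sanitize(baseRef)
	return Document{
		SPDXVersion: "SPDX-2.2",
		DataLicense: "CC0-1.0",
		SPDXID:      "SPDXRef-DOCUMENT",
		Name:        "sbom-" + sanitize(imageRef),
		Packages:    []Package{{Name: imageRef, SPDXID: imageID}, {Name: baseRef, SPDXID: baseID}},
		Relationships: []Relationship{
			// The document describes the image package.
			{Element: "SPDXRef-DOCUMENT", Type: "DESCRIBES", Related: imageID},
			// "This is an SBOM for that": the document is the image's dependency manifest.
			{Element: "SPDXRef-DOCUMENT", Type: "DEPENDENCY_MANIFEST_OF", Related: imageID},
			// The image was built on top of the base image.
			{Element: imageID, Type: "DESCENDANT_OF", Related: baseID},
		},
	}
}

// BaseImageOf returns the SPDX ID that imageID is recorded as descending from.
func BaseImageOf(doc Document, imageID string) (string, bool) {
	for _, r := range doc.Relationships {
		if r.Type == "DESCENDANT_OF" && r.Element == imageID {
			return r.Related, true
		}
	}
	return "", false
}

// Validate rejects unknown relationship types and relationships whose ends
// do not resolve to the document itself or one of its packages.
func Validate(doc Document) error {
	ids := map[string]bool{doc.SPDXID: true}
	for _, p := range doc.Packages {
		ids[p.SPDXID] = true
	}
	for _, r := range doc.Relationships {
		if !knownTypes[r.Type] {
			return fmt.Errorf("unknown relationship type %q", r.Type)
		}
		if !ids[r.Element] || !ids[r.Related] {
			return fmt.Errorf("dangling relationship: %s %s %s", r.Element, r.Type, r.Related)
		}
	}
	return nil
}

func main() {
	// Constructed placeholder references; real digests come from the registry.
	doc := BuildImageSBOM("ghcr.io/example/app@sha256:aaaa", "ghcr.io/distroless/static@sha256:bbbb")
	if err := Validate(doc); err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(out))
}
```

The example keeps the base image as a package inside the same document. When the base image's SBOM is a separate document, as in the Kubernetes `DocumentRef-kubernetes-v1.23.5:SPDXRef-Package-kubernetes` reference quoted earlier, the related element is instead an external reference declared under `externalDocumentRefs`, and `Validate` would need to resolve those too.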
https://github.com/google/ko/pull/744 should do this for SPDX