Tobie,
The rule of thumb we follow with regard to what goes into an SBOM that is delivered to consumers is to list any component that could potentially have a vulnerability reported via a vulnerability repository or privately.
For example, many vulnerabilities are not reported at the “source code level”, i.e. foo.h has a vulnerability. However, the distributed component called FOO that contains foo.h should be listed in an SBOM. The “application” AllFOO, which contains the FOO component, should also be listed as it may have reportable vulnerabilities.
In summary, based on my experiences:
IMO, a software producer should list all components contained in a “distributed package” (application, container, etc.) within the SBOM that is used/installed by customers which could be listed in a vulnerability repository, i.e. NIST NVD, as containing a vulnerability.
Thanks,
Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Tel: +1 978-696-1788
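An added example, not from the post above, of how the rule of thumb translates into an SBOM check. The AllFOO / FOO / foo.h hierarchy from the message is encoded as a constructed CycloneDX-style JSON document (names, versions and purls are hypothetical), and two functions pull out the components that a vulnerability feed such as NIST NVD could report against, then flag any of those that lack a purl or CPE and so could not be matched automatically.

```python
"""Added example (not from the mailing-list post or any project's code):
a constructed CycloneDX-style SBOM for the hypothetical AllFOO application,
plus a check that every component a vulnerability database could reference
carries an identifier a consumer can match on."""

import json

# Constructed SBOM in CycloneDX JSON shape. AllFOO (the distributed
# application) is the metadata component; FOO (the distributed library)
# nests foo.h, a source file listed only to show what the check excludes.
# All names, versions and purls are hypothetical.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "component": {
      "type": "application", "name": "AllFOO", "version": "2.1.0",
      "purl": "pkg:generic/allfoo@2.1.0"
    }
  },
  "components": [
    {
      "type": "library", "name": "FOO", "version": "1.4.2",
      "purl": "pkg:generic/foo@1.4.2",
      "components": [
        {"type": "file", "name": "foo.h"}
      ]
    },
    {"type": "library", "name": "libbar", "version": "0.9.0"}
  ]
}
"""

# CycloneDX component types at which advisories (NVD, vendor bulletins)
# are normally reported. Source files ("file") are deliberately excluded:
# vulnerabilities are attributed to the distributed component, not foo.h.
REPORTABLE_TYPES = {
    "application", "framework", "library", "container", "platform",
    "operating-system", "device", "device-driver", "firmware",
}


def load_sbom(text=SBOM_JSON):
    """Parse the SBOM JSON text into a dict."""
    return json.loads(text)


def walk(component):
    """Yield a component followed by every component nested beneath it."""
    yield component
    for child in component.get("components", []):
        yield from walk(child)


def all_components(sbom):
    """Yield the product described by the SBOM and every listed component."""
    yield from walk(sbom["metadata"]["component"])
    for component in sbom.get("components", []):
        yield from walk(component)


def reportable_components(sbom):
    """Components a consumer would match against a vulnerability feed:
    the distributed product plus every nested distributable component."""
    return [c for c in all_components(sbom) if c.get("type") in REPORTABLE_TYPES]


def missing_identifiers(sbom):
    """Names of reportable components with neither a purl nor a CPE.
    Without one, an advisory cannot be matched to the entry automatically,
    so the producer should add an identifier before delivering the SBOM."""
    return [c["name"] for c in reportable_components(sbom)
            if not (c.get("purl") or c.get("cpe"))]


if __name__ == "__main__":
    sbom = load_sbom()
    for c in reportable_components(sbom):
        print(f"{c['name']} {c.get('version', '')} -> {c.get('purl') or c.get('cpe') or 'NO IDENTIFIER'}")
    print("needs identifier:", missing_identifiers(sbom))
```

Run as-is the script lists AllFOO, FOO and libbar as the reportable entries, omits foo.h, and reports libbar as the one entry a consumer could not match to an NVD record because it has no purl or CPE.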