Add package hash information in generated CycloneDX SBOMs
### Proposal
Add package hash information in generated CycloneDX SBOMs.
### Motivation
Cryptographic hashes provide a way to validate data integrity. Most package
managers support a form of package integrity validation using
a hash. The [CycloneDX specification] and [PURL specification]
each support the inclusion of package hashes, so that any modifications
to a component can be detected. For example, it's possible for an
SBOM to have `pkg:npm/express@1.0.0` listed. This could refer to the
package hosted on `npmjs.com`, but it could also refer to a separately
hosted _patched_ package.
The addition of a hash allows a person or service reviewing the SBOM
to verify this by checking the checksum against the "known" hash of
the package+version.
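
An added example (not part of the original issue or of GitLab's code) of the check described above: a reviewer recomputes an artifact's digest and compares it with the `hashes` entry of a CycloneDX component. The function name `verify_component` and the tarball bytes are constructed for illustration; only `hashes`, `alg` and `content` come from the CycloneDX component schema.

```python
import hashlib
import hmac

# CycloneDX "alg" names mapped to hashlib constructors. MD5 and SHA-1 are
# valid in the spec but deliberately left out: they do not count as verification.
ALGS = {"SHA-256": hashlib.sha256, "SHA-384": hashlib.sha384, "SHA-512": hashlib.sha512}


def verify_component(component: dict, artifact: bytes) -> str:
    """Return 'match', 'mismatch' or 'no-hash' for one SBOM component."""
    checked = 0
    for entry in component.get("hashes", []):
        ctor = ALGS.get(entry.get("alg"))
        if ctor is None:
            continue  # unknown or weak algorithm, skip it
        expected = str(entry.get("content", "")).lower().encode()
        actual = ctor(artifact).hexdigest().encode()
        if not hmac.compare_digest(actual, expected):
            return "mismatch"  # any strong hash that disagrees is a failure
        checked += 1
    # A component without a usable hash cannot be told apart from a patched copy.
    return "match" if checked else "no-hash"


# Constructed sample data: stand-ins for the registry tarball and a patched copy.
REGISTRY_TARBALL = b"constructed bytes standing in for the registry express-1.0.0.tgz"
PATCHED_TARBALL = REGISTRY_TARBALL + b" plus a locally applied patch"

# Constructed SBOM fragment: same purl, with and without package hash information.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "express", "version": "1.0.0",
         "purl": "pkg:npm/express@1.0.0",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(REGISTRY_TARBALL).hexdigest()}]},
        {"type": "library", "name": "express", "version": "1.0.0",
         "purl": "pkg:npm/express@1.0.0"},
    ],
}

if __name__ == "__main__":
    with_hash, without_hash = SBOM["components"]
    print(verify_component(with_hash, REGISTRY_TARBALL))
    print(verify_component(with_hash, PATCHED_TARBALL))
    print(verify_component(without_hash, PATCHED_TARBALL))
```
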