RFI for Generation and Vulnerability Analysis Solution
Location: Texas, United States
Summary: Texas seeks an enterprise solution for SBOM generation, container analysis, and vulnerability scanning to support DevSecOps initiatives.
The State of Texas is requesting information on enterprise solutions capable of generating Software Bill of Materials (SBOM), performing container analysis, and conducting vulnerability scanning to support DevSecOps and Platform One operations. The ideal solution should facilitate the creation of SBOMs that adhere to recognized industry standards such as SPDX and CycloneDX, and generate SBOMs for a variety of programming languages and ecosystems, including npm, Maven, PyPI, Go modules, NuGet, RubyGems, and Cargo.
Key requirements include both API and CLI options for generating SBOMs during CI/CD builds, accurate representation of both direct and transitive dependencies, and inclusion of relevant metadata such as repository URLs and commit hashes where available. Package identifiers in SBOMs should use the Package URL (PURL) format, and the system must support scanning of container images.
The solution must integrate with vulnerability databases such as the National Vulnerability Database (NVD), RHSA, GHSA, and other vendor-specific feeds. It should automate the comparison of SBOM components against known vulnerabilities, map discovered vulnerabilities to standard severity metrics like CVSS scores, and offer mechanisms for users to annotate or override false positives, as well as provide context for false negatives. Additionally, the system should track changes over time to detect newly relevant vulnerabilities, support custom vulnerability data from security researchers, and accurately filter out inapplicable vulnerabilities, particularly for containers. The product must accept container images as input and output comprehensive vulnerability analysis results.
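To make the matching and override requirements concrete, here is an added example that is not part of the RFI and not any vendor's product: a minimal matcher that parses PURL-identified components from a constructed CycloneDX-style SBOM, compares them against a constructed vulnerability feed with placeholder identifiers, filters out records whose version range does not apply, carries the feed's CVSS score into each finding, and lets an analyst mark a finding as a false positive with a recorded justification. The version comparison is deliberately simplified and is noted as such in the code.

```python
import re

# Constructed CycloneDX-style SBOM fragment for a hypothetical project; the
# components are identified by PURL as the RFI requires (not a real SBOM).
SBOM = {"bomFormat": "CycloneDX", "components": [
    {"purl": "pkg:npm/lodash@4.17.20"},
    {"purl": "pkg:pypi/requests@2.25.0"},
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.2"},
]}

# Constructed vulnerability records; the ids and ranges are placeholders,
# not real CVE/GHSA advisories.
FEED = [
    {"id": "EXAMPLE-0001", "type": "npm", "name": "lodash",
     "introduced": "0", "fixed": "4.17.21", "cvss": 7.5},
    {"id": "EXAMPLE-0002", "type": "pypi", "name": "requests",
     "introduced": "2.3.0", "fixed": "2.31.0", "cvss": 6.1},
    {"id": "EXAMPLE-0003", "type": "maven", "ns": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.17.1", "cvss": 9.8},
]

# pkg:<type>/[<namespace>/]<name>@<version>; qualifiers and subpath are ignored.
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>.+)/)?(?P<name>[^@/]+)@(?P<ver>[^?#]+)")

def parse_purl(purl):
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    return m.groupdict()

def version_key(v):
    # Simplified numeric ordering; real ecosystems (semver, PEP 440, Maven) each have their own rules.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def affected(version, rec):
    return version_key(rec["introduced"]) <= version_key(version) < version_key(rec["fixed"])

def scan(sbom, feed, overrides):
    # overrides maps (purl, vuln id) to an analyst justification; a matching
    # finding is kept but marked as a false positive so the decision is auditable.
    findings = []
    for comp in sbom["components"]:
        p = parse_purl(comp["purl"])
        for rec in feed:
            if (rec["type"], rec.get("ns", p["ns"]), rec["name"]) != (p["type"], p["ns"], p["name"]) \
                    or not affected(p["ver"], rec):
                continue  # different package, or version outside the vulnerable range (inapplicable)
            note = overrides.get((comp["purl"], rec["id"]))
            findings.append({"purl": comp["purl"], "id": rec["id"], "cvss": rec["cvss"],
                             "status": "false_positive" if note else "affected", "note": note})
    return sorted(findings, key=lambda f: -f["cvss"])
```

With the sample data, lodash is reported as affected, requests is reported but marked as a false positive once an override is supplied, and log4j-core is dropped because its version is past the fixed version.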
