A US government executive order mentioned "Software Bill of Materials" and now it's a trendy new thing. Now when will they announce an executive order getting rid of password complexity requirements in line with NIST recommendations...
A Software Bill of Materials is, as it's name implies, a list of things (software) that went into creating the final artifact (more software). Typically this will mean recording dependencies and tools used in the final product, with the SBOM used to later identify which things contain vulnerable components that may need to be updated.
Software Package Data Exchange (SPDX) and its associated spec may be best known for their short license identifiers but they do have the scope to record all the other necessary metadata. It sets common names for different fields, but isn't strict on serialization, so even if something is in spdx format, you may have to content with json, xml, ...
CycloneDX seems to be the other popular format here.
pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessieswh:1:cnt:4d99d2d18326621ccdd70f5ea66c2e2ac236ad8b