Kea Docker should have an associated SBOM file
Some of our customers are going to require an SBOM and at some point, when we are subject to the EU Cyber Resilience Act, we will have to provide one legally, in order to distribute our software in the EU. So, we should plan to create one and file it alongside the image (I believe Cloudsmith has some explicit feature support for this now).
The reason for the SBOM is to have a machine-readable bit of metadata that would enable some application to scan every program running in the enterprise, looking for any programs that have outstanding known vulnerabilities in them (obviously this assumes they also have a database of vulnerabilities associated with software versions). The SBOM specs I have seen so far are not terribly useful because they lack software version information - what people really want, I think, is what is now being called a VEX - vulnerability exchange document.
So, this requirement will have to be further elaborated once we do some research and decide what actual type of document we are going to provide, and ideally this would be the same for BIND (we already have a BIND Docker).
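
The consumer-side scan described above, as an added example that is not part of the original issue or any ISC tooling: a constructed CycloneDX-style SBOM is matched against a constructed advisory feed, a VEX-style `not_affected` statement suppresses one match, and a component without a version is reported as unmatchable. All component names, versions and advisory IDs are made up for illustration.

```python
import json
# Constructed CycloneDX-style SBOM for a container image (names and versions are made up).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"bom-ref": "c1", "type": "application", "name": "example-dhcpd", "version": "2.4.1"},
    {"bom-ref": "c2", "type": "library", "name": "libexample-tls", "version": "3.0.7"},
    {"bom-ref": "c3", "type": "library", "name": "libexample-log", "version": "1.9"},
    {"bom-ref": "c4", "type": "library", "name": "libexample-db"}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-0002", "analysis": {"state": "not_affected"}, "affects": [{"ref": "c3"}]}
  ]
}
"""
# Constructed advisory feed: component name -> [(advisory id, first fixed version)].
ADVISORIES = {
    "libexample-tls": [("EXAMPLE-0001", "3.0.9")],
    "libexample-log": [("EXAMPLE-0002", "2.0")],
    "libexample-db": [("EXAMPLE-0003", "5.1")],
}

def vkey(version):
    # Dotted numeric version -> comparable tuple, e.g. "3.0.7" -> (3, 0, 7).
    return tuple(int(p) for p in version.split("."))

def scan(sbom_text, advisories):
    sbom = json.loads(sbom_text)
    # VEX statements: (advisory id, bom-ref) pairs the supplier marked as not affected.
    cleared = {(v["id"], a["ref"])
               for v in sbom.get("vulnerabilities", [])
               if v.get("analysis", {}).get("state") == "not_affected"
               for a in v.get("affects", [])}
    findings = []
    for comp in sbom.get("components", []):
        for adv_id, fixed in advisories.get(comp["name"], []):
            version = comp.get("version")
            if version is None:
                status = "unknown-version"    # cannot be matched without a version
            elif vkey(version) >= vkey(fixed):
                continue                      # already at or past the fixed release
            elif (adv_id, comp.get("bom-ref")) in cleared:
                status = "not-affected-per-vex"
            else:
                status = "vulnerable"
            findings.append((comp["name"], adv_id, status))
    return findings
```

Calling `scan(SBOM_JSON, ADVISORIES)` returns one tuple per advisory match with its status.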