Review and align with OpenJSF's SBOM/C-SCRM recommendations

[achrinza]

OpenJSF's Security Collab Space has recently published their recommendations.

Based on a quick skim, these are the related issues:

• Align with SLSA3+ for verifiable provenance #32
• Provide visibility into dependency tree permutations #19