The OWASP CycloneDX-Authoritative Guide to SBOM mentions evidence should be provided. (starting from CycloneDX 1.5)
Dfetch determines 2 fields, so should provide evidence:
- For the
purl field this should be of type manifest-analysis and tools can be added and a confidence somewhere between 0.4-0.6.
- For the
license field the result infer_license.api.guess_file(license_file) could be used

The OWASP CycloneDX-Authoritative Guide to SBOM mentions evidence should be provided. (starting from CycloneDX 1.5)
Dfetch determines 2 fields, so should provide evidence:
purlfield this should be of typemanifest-analysisandtoolscan be added and a confidence somewhere between0.4-0.6.licensefield the resultinfer_license.api.guess_file(license_file)could be used