Just spotted a very nice reference to SPDX in Dirk Riehle's paper, and thought those on the list might find the paper interesting as well.
The first step is to have a standard format for a bill of materials that expresses what is included in a component. For this, the Linux Foundation has sponsored the creation of the Software Package Data Exchange (SPDX) standard and tools for processing the standard.
SPDX is rapidly evolving. SPDX compliant documents provide information about what is contained within a software package, including the license information of a contained component, who created the component, its version, etc.
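To make the quoted description concrete, here is an added example (not from the post, the paper, or the SPDX project's own tooling) that reads a small SPDX 2.x tag-value document and pulls out exactly the fields the paper mentions: what packages are contained, their versions, their licenses and who created the document. The document itself is constructed for the example; the package names, versions and creator string are illustrative. The reader assumes single-line tag values only (SPDX `<text>...</text>` multi-line values are not handled) and that every package block starts with a `PackageName` tag, which is how SPDX 2.x tag-value files are laid out.

```python
"""Minimal SPDX 2.x tag-value reader with a provenance check (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample SPDX document (tag-value format). Names, versions and the
# creator string are made up for this example and refer to no real project.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-sbom
Creator: Tool: example-sbom-generator-1.0
Created: 2021-01-01T00:00:00Z

PackageName: libexample
SPDXID: SPDXRef-Package-libexample
PackageVersion: 1.4.2
PackageSupplier: Organization: Example Org
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT

PackageName: vendored-blob
SPDXID: SPDXRef-Package-vendored-blob
PackageVersion: 0.9
PackageSupplier: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: GPL-2.0-only
"""

# One tag-value pair per line: "Tag: value". The value may itself contain
# colons (e.g. "Creator: Tool: ..."), so only the first colon splits.
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_tag_value(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split an SPDX tag-value document into document-level tags and a list of
    package dicts. Assumes single-line values; a new package starts at each
    PackageName tag, and tags before the first package belong to the document."""
    doc: Dict[str, str] = {}
    packages: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        m = TAG_RE.match(line)
        if not m:
            raise ValueError(f"malformed tag-value line: {raw!r}")
        tag, value = m.group(1), m.group(2)
        if tag == "PackageName":
            current = {"PackageName": value}
            packages.append(current)
        elif current is not None:
            current[tag] = value
        else:
            doc[tag] = value
    return doc, packages


def review_packages(packages: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag packages whose bill-of-materials entry leaves license, supplier or
    version unresolved; these are the entries a compliance or supply-chain
    review has to chase down manually. Returns (package name, issue) pairs."""
    findings = []
    for pkg in packages:
        name = pkg["PackageName"]
        if pkg.get("PackageLicenseConcluded", "NOASSERTION") == "NOASSERTION":
            findings.append((name, "license not concluded"))
        if pkg.get("PackageSupplier", "NOASSERTION") == "NOASSERTION":
            findings.append((name, "supplier unknown"))
        if "PackageVersion" not in pkg:
            findings.append((name, "version missing"))
    return findings


if __name__ == "__main__":
    document, pkgs = parse_tag_value(SAMPLE_SPDX)
    print(f"{document['DocumentName']} created by {document['Creator']}")
    for p in pkgs:
        print(f"  {p['PackageName']} {p.get('PackageVersion', '?')}: "
              f"{p.get('PackageLicenseConcluded', 'NOASSERTION')}")
    for name, issue in review_packages(pkgs):
        print(f"  REVIEW {name}: {issue}")
```

Running it lists the two packages with their versions and concluded licenses and flags `vendored-blob` for an unconcluded license and unknown supplier, which is the kind of gap an SPDX document makes visible and a plain dependency list does not.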