
Add support for generating SBOM documents #64

@sethmlarson

Description

Vendoring downloads Python packages for local bundling. For users of vendoring to easily take advantage of PEP 770 and ship SBOMs detailing bundled dependencies I propose adding a simple flag which writes dependency information into an SBOM document:

$ python -m vendoring ... --sbom=src/pip/_vendor/bom.cdx.json

Then projects can specify that same file for PEP 770 to automatically include the SBOM file describing bundled dependencies:

[project]
name = "pip"

[dist-info.files]
sboms = [
  "src/pip/_vendor/bom.cdx.json"
]

For simplicity I recommend using the CycloneDX 2.x SBOM format and only recording basic information (name, version, download location, etc). Additional information can be added later, if necessary.

I'm willing to create a patch for this feature.
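What the proposed `--sbom` flag would write, as an added example that is not code from the issue or from the vendoring project itself: it assembles a CycloneDX JSON document (spec version 1.6, the current 1.x line) from constructed package records, giving each bundled package a PyPI purl, its download URL as a distribution reference and a SHA-256 of the downloaded bytes, plus a dependency entry tying them to the root project. The `VENDORED` records, the URLs and the archive bytes are all constructed sample data.

```python
import uuid
from datetime import datetime, timezone
from hashlib import sha256

# Constructed sample of what the vendoring step knows about each bundled package
# (hypothetical data; the "archive" bytes stand in for the downloaded wheel).
VENDORED = [
    {"name": "CacheControl", "version": "0.14.0", "archive": b"constructed wheel bytes",
     "url": "https://files.pythonhosted.org/packages/example/cachecontrol-0.14.0-py3-none-any.whl"},
    {"name": "typing_extensions", "version": "4.12.2", "archive": b"another constructed wheel",
     "url": "https://files.pythonhosted.org/packages/example/typing_extensions-4.12.2-py3-none-any.whl"},
]

def pypi_purl(name: str, version: str) -> str:
    """Package URL for a PyPI project: the purl spec lowercases the name and folds '_' to '-'."""
    return f"pkg:pypi/{name.lower().replace('_', '-')}@{version}"

def component(pkg: dict) -> dict:
    """One CycloneDX component carrying only name, version, download location and hash."""
    purl = pypi_purl(pkg["name"], pkg["version"])
    comp = {
        "type": "library",
        "bom-ref": purl,  # the purl doubles as the unique ref used by the dependency graph
        "name": pkg["name"], "version": pkg["version"],
        "purl": purl,
        "externalReferences": [{"type": "distribution", "url": pkg["url"]}],
    }
    if "archive" in pkg:  # hash of the bytes actually downloaded, so consumers can verify them
        comp["hashes"] = [{"alg": "SHA-256", "content": sha256(pkg["archive"]).hexdigest()}]
    return comp

def build_sbom(root_name: str, root_version: str, packages: list) -> dict:
    """Assemble a CycloneDX 1.6 document: the root application plus its vendored components."""
    root_ref = pypi_purl(root_name, root_version)
    components = [component(p) for p in packages]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "bom-ref": root_ref,
                          "name": root_name, "version": root_version},
        },
        "components": components,
        # every vendored package is a direct dependency of the root component
        "dependencies": [{"ref": root_ref, "dependsOn": [c["bom-ref"] for c in components]}],
    }
```

Serialising the returned dict with `json.dump` to the path given to `--sbom` yields the file that the `[dist-info.files] sboms` entry above would then point at.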
