The question is for Steve Springett, in regards to Software Composition Analysis / Software Supply Chain and OWASP Dependency Track.