We might consider validating sbom files during ingestion. We do that in trustification to be sure document id is present. I'm not sure yet how that is critical to trustify data model, but it would make sense to so that.
If we do it, we should be aware of CycloneDX/cyclonedx-rust-cargo#737 which needs a workaround for now.