A solution could be a post-build flag that produces the Xojo SBOM for the current release and, ideally, goes further and integrates with your local SBOM, if one exists. More or less like the info.plist file.
The SBOM must be linked to the Xojo release you use to build, since every release is linked to different library versions (think of SQLite as an example).
If I understood the problem correctly, I think the list should be included in the application, just as allergenic products are included in food ingredients.
I think this is yet another instance of politicians trying to regulate something they fundamentally do not understand, and will likely fall flat like many other over-reaching EU requirements…at least in the US. But, you know, there are those of us that will attempt to comply if our customers need something from us.
To be clear: I’m not saying that it’s necessarily a bad thing, not its intentions anyway, just that it adds a layer of complexity to development that’s easy to forget and/or simply ignore, meaning such a device will likely become outdated through the lifecycle of a software product.
I simply have it in the manual and the manual comes with each version.
The moment you have disclosed the SBOM “on request to a competent authority” you have lost control of it and should assume it is public.