c0balt 7 hours ago
SBOMs exist. You can get them generated for most software via package managers in standard forms like CycloneDX. It's just not that effective when the SBOM becomes unmanageable. For example, our JS project at $work has 2.3k dependencies just from npm. I can give you that SBOM (and even include the system deps with Nix) but that won't really help you. They are only really effective when the size is reasonable.