• Metacpan can show you the dependency tree for every module.
• Parsing for XS modules should reveal associated C libraries too.
• The METAs and READMEs of a distribution should list third party dependencies.
• The cpantesters matrix should not only prove all of this, but also reveal OS version problems

I didn't dig deep into the WP article and didn't listen to Salve's talk (again²), but this should produce a good reliably founded document for your SBOM.

I'd be interested to know on which grounds this would not meet your army's requirements.¹

After all these documents are mostly written by bureaucrats and BA bachelors who measure software quality by the size and design of accompanying PDFs

Update

¹) actually the article says

• The directive gives the Army 90 days to develop implementation guidance for SBOMs, including sample language for requiring them in contracts

... so it's still vaporware 🤷🏻‍♂️

I wouldn't be surprised if someone charged with "implementing guidance" started googling now and stumbled over this post 🤔

²) I was in the audience, but don't remember much.