Encode the current $dist as a package in the SPDX report

generate_sbom

@@ -857,8 +857,13 @@ sub spdx_encode_pkg {
   }
   $spdx->{'copyrightText'} = $p->{'COPYRIGHTTEXT'} ? $p->{'COPYRIGHTTEXT'} : 'NOASSERTION';
   $spdx->{'homepage'} = $p->{'URL'} if $p->{'URL'};
-  my $purlurl = gen_purl($p, $distro, $pkgtype);
-  push @{$spdx->{'externalRefs'}}, { 'referenceCategory' => 'PACKAGE-MANAGER', 'referenceType' => 'purl', 'referenceLocator', $purlurl } if $purlurl;
+
+  # Let the caller control the presence of external refs
+  if($p->{'external_refs'} // 1) {
+    my $purlurl = gen_purl($p, $distro, $pkgtype);
+    push @{$spdx->{'externalRefs'}}, { 'referenceCategory' => 'PACKAGE-MANAGER', 'referenceType' => 'purl', 'referenceLocator', $purlurl } if $purlurl;
+  }
+
   if (!$p->{'spdx_id'}) {
     my $spdxtype = "Package-$pkgtype";
     $spdxtype = "Package-go-module" if $pkgtype eq 'golang';
@@ -935,6 +940,17 @@ sub spdx_encode_header {
   return $spdx;
 }
 
+sub spdx_encode_dist {
+  my ($dist) = @_;
+
+  return spdx_encode_pkg({
+    NAME => $dist->{id},
+    VERSION => $dist->{version_id},
+    spdx_id => sprintf('SPDXRef-OperatingSystem-%s', gen_pkg_id($dist)),
+    external_refs => 0
+  }, undef, undef, {});
+
+}
 
 ##################################################################################################
 #
@@ -1170,6 +1186,9 @@ if ($format eq 'spdx') {
       push @{$doc->{'files'}}, spdx_encode_file($f);
     }
   }
+
+  push @{$doc->{'packages'}}, spdx_encode_dist($dist);
+
   for (sort keys %unknown_spdx_licenses) {
     push @{$doc->{'hasExtractedLicensingInfos'}}, spdx_encode_extracted_license($unknown_spdx_licenses{$_});
   }