Restruture features/bill-of-materials overview

AidanDelaney · AidanDelaney · commit 6dd2f266d3de · 2022-02-23T08:28:32.000Z
First present the end-user focused `pack sbom download` command
and then present developer information on how to add an SBoM to
an image.

Signed-off-by: Aidan Delaney &lt;aidan.delaney@gmail.com&gt;
diff --git a/content/docs/features/bill-of-materials.md b/content/docs/features/bill-of-materials.md
@@ -1,54 +1,44 @@
 +++
-title="Structured Bill of Materials"
-summary="A Software `Structured Bill-of-Materials` (`SBoM`) gives you a layer-by-layer view of what's inside your container in a variety of formats."
+title="Software Bill of Materials"
+summary="A Software `Software Bill-of-Materials` (`SBoM`) gives you a layer-by-layer view of what's inside your container in a variety of formats."
 +++
 
 ## Summary
 
-A **Structured-Bill-of-Materials** (`SBoM`) provides information necessary to know what's inside your container and how it was constructed.
-Cloud Native Buildpacks provides Structured-Bill-of-Materials in either CycloneDX, SPDX, or Syft format.
+A **Software-Bill-of-Materials** (`SBoM`) lists all the software components included in an image.  Cloud Native Buildpacks provides all the transparency you need to have confidence in your image supply chain.  Software-Bill-of-Materials in [CycloneDX](https://cyclonedx.org/), [Syft](https://github.com/anchore/syft) and [Spdx](https://spdx.dev/) formats are supported.
 
 1. Buildpacks can populate `SBoM` information about the dependencies they have provided.
-2. A list of what buildpacks were used to build the application.
-
-## Adding Bill of Materials
-
-Use the following tutorial to add a `Bill-of-Materials` using buildpacks. <br/>
-[Adding bill of materials][adding-bill-of-materials]
 
 ## Viewing Bill of Materials
 
-You can use the `download-sbom` command to inspect your app for its `Structured-Bill-of-Materials`. The following command will download the application layer containing the `SBoM` files to `./layers/sbom/...` on your local filesystem.
+You can use the `sbom download` command to inspect your app for its Software-Bill-of-Materials. The following command will download the application layer containing the `SBoM` files to `./layers/sbom/...` on your local filesystem.
 
 ```bash
-pack download-sbom your-image-name
+pack sbom download your-image-name
 ```
 
 You can also choose to download the `SBoM` from an image hosted in a remote registry, as opposed to an image hosted in a Docker daemon. You use the `--remote` flag to do so.
 
 ```bash
-pack download-sbom your-image-name --remote
+pack sbom download your-image-name --remote
 ```
 
-Cloud Native Buildpacks support `SBoM` metadata in [CycloneDX](https://cyclonedx.org/), [Syft](https://github.com/anchore/syft) or [Spdx](https://spdx.dev/) formats.  The following example demonstrates `syft` format `SBoM` metadata to the local filesystem.  The combined metadata from all of the `sbom.syft.json` files is the image `SBoM`. Where CycloneDX `SBoM` metadata is generated, the files are named `sbom.cdx.json`. Similarly, Spdx files are named `sbom.cdx.json`.
+The following example demonstrates  running `pack sbom download ...` on an image containing an `SBoM` in  `syft` format.  Running `pack sbom download ...` creates a `layers/sbom` directory and populates that directory with `sbom.syft.json` files.  The combined metadata from all of the `sbom.syft.json` files is the image `SBoM`. Where an image generates CycloneDX `SBoM` metadata, the files a named `sbom.cdx.json`. Similarly, Spdx files are named `sbom.cdx.json`.
 
 ```bash
-.
-└── layers
-    └── sbom
-        └── launch
-            └── paketo-buildpacks_ca-certificates
-                ├── helper
-                │   └── sbom.syft.json
-                └── sbom.syft.json
+layers
+  └── sbom
+      └── launch
+          └── paketo-buildpacks_ca-certificates
+              ├── helper
+              │   └── sbom.syft.json
+              └── sbom.syft.json
 ```
 
-The layer information is stored under the `io.buildpacks.lifecycle.metadata` label of the application image.
-```bash
-docker inspect your-image-name | jq -r '.[0].Config.Labels["io.buildpacks.lifecycle.metadata"]' |  jq -r .sbom
-{
-  "sha": "sha256:abcd1234defg5678"
-}
-```
+## Adding Bill of Materials
+
+[`pack`](https://github.com/buildpacks/pack), [`kpack`](https://github.com/pivotal/kpack) and [tekton](https://tekton.dev/) users will find that images created using these tools contain an SBoM.
+
+Developers writing a new buildpack or updating an existing buildpack should use the [Adding bill of materials][adding-bill-of-materials] tutorial to incorporate a `Bill-of-Materials` in their buildpack.
 
 [adding-bill-of-materials]: /docs/buildpack-author-guide/create-buildpack/adding-bill-of-materials/
