Sync guide content from Google Docs and externalize image assets for GitHub-friendly maintenance#18
Open
KoukiHama wants to merge 3 commits into
Conversation
Signed-off-by: Kouki Hama <hamakouki0818@gmail.com>
KoukiHama
force-pushed
the
update-sbom-quality-guide-assets
branch
from
e30ccf8 to
3881235
Compare
Signed-off-by: Kouki Hama <hamakouki0818@gmail.com>
NorioKobota
requested changes
May 20, 2026
Member
NorioKobota
left a comment
NorioKobota
left a comment
There was a problem hiding this comment.
Reviewed 02- and will continue to review.
| @@ -0,0 +1,11 @@ | |||
| # 0\. Preface {#0.-preface} | |||
Member
There was a problem hiding this comment.
What is the purpose of the embedded '{#0.-preface}'? anchor?
There was a problem hiding this comment.
This seems to be a Pandoc's Markdown extension.
We should be need to decide whether or not to use Markdown extensions.
| @@ -0,0 +1,16 @@ | |||
| # 1\. Scope and SBOM Document Quality {#1.-scope-and-sbom-document-quality} | |||
|
|
||
| While the term **"SBOM"** generally refers to the information that constitutes a software's composition, this guide specifically focuses on the quality of the “**SBOM Document”**. In this guide, **”SBOM Document”** is a structured artifact – typically formatted in JSON and based on specifications such as SPDX or CycloneDX – that is exchanged between software distributors and recipients. | ||
|
|
||
| ![][image1] |
Member
There was a problem hiding this comment.
Memo: Transparent image is hard to see in dark mode. Will fix soon.
|
|
||
| * Adequacy of Security Assurance | ||
| Assesses whether sufficient baseline information is provided to support an investigation that validates the software's security posture, even if, at the time of delivery, the document does not comprehensively cover all risks, vulnerabilities, or mitigation strategies. | ||
| * Effectiveness of License Compliance |
Member
There was a problem hiding this comment.
This bullet should be aligned.
| * Effectiveness of License Compliance | ||
| Assesses whether the necessary licensing details and usage terms for each software component are properly captured to ensure compliance with relevant laws and regulations. | ||
|
|
||
| By adhering to this guide, stakeholders can ensure that the SBOM Documents exchanged within the software supply chain consistently meet high-quality standards. |
|
|
||
| By adhering to this guide, stakeholders can ensure that the SBOM Documents exchanged within the software supply chain consistently meet high-quality standards. | ||
|
|
||
| [image1]: <../assets/images/sbom-document-quality-guide/01-scope-and-sbom-document-quality-overview.png> |
Member
There was a problem hiding this comment.
Images should probably go under the MD file's directory, but let's discuss.
| @@ -0,0 +1,19 @@ | |||
| # 2\. Terms and Definitions {#2.-terms-and-definitions} | |||
| | SPDX | SPDX (System Package Data Exchange) is the ISO standard ([ISO/IEC 5962:2021](https://www.iso.org/standard/81870.html)) for exchanging SBOM for a given software package, including associated license and copyright information. The standard was created by the Linux Foundation's [SPDX project](https://spdx.dev/). | | ||
| | CycloneDX | CycloneDX is the ECMA standard ([ECMA-424](https://ecma-international.org/publications-and-standards/standards/ecma-424/)) for a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction.The standard was created by the OWASP Foundation, which is a nonprofit foundation for improving software security. | | ||
| | OpenChain Specification ISO/IEC 5230:2020 | [ISO/IEC 5230:2020](https://www.iso.org/standard/81039.html) is an international standard that specifies the key requirements of a quality open source license compliance program in order to provide a benchmark that builds trust between organizations exchanging software solutions that incorporate open source software. The OpenChain standard is produced by [the OpenChain project](https://www.openchainproject.org/) of the Linux Foundation. | | ||
| | OpenChain Specification ISO/IEC 18974:2023 | [ISO/IEC MO 18974:2023](https://www.iso.org/standard/86450.html) is an international standard from the OpenChain Project that provides requirements for open source software security assurance. It aims to improve software supply chain confidence by managing publicly known security vulnerabilities. Organizations can demonstrate compliance through self-certification or audits. | |
Member
There was a problem hiding this comment.
[ISO/IEC MO 18974:2023]
Remove "MO".
xoxyuxu
reviewed
May 20, 2026
| * OpenChain Telco SBOM Guide Version 1.1 | ||
| [https://github.com/OpenChain-Project/Telco-WG/blob/main/OpenChain-Telco-SBOM-Guide\_EN.md](https://github.com/OpenChain-Project/Telco-WG/blob/main/OpenChain-Telco-SBOM-Guide_EN.md) | ||
|
|
||
| ## |
xoxyuxu
reviewed
May 20, 2026
Comment on lines
+54
to
+57
| ## {#heading} | ||
|
|
||
| ## | ||
|
|
There was a problem hiding this comment.
Empty headers should be removed.
// Does original document has empty header ?
xoxyuxu
reviewed
May 20, 2026
|
|
||
| ## | ||
|
|
||
| ## 6.2 Cross-Regulation Comparison Table {#heading} |
There was a problem hiding this comment.
If we use Pandoc's Markdown extension:
{#heading} should be {#6\.2-cross-regulation-comparison-table}
If we don't use it, remove {#heading}.
xoxyuxu
reviewed
May 20, 2026
Comment on lines
+79
to
+80
| ### | ||
|
|
xoxyuxu
reviewed
May 20, 2026
Comment on lines
+147
to
+148
| ## | ||
|
|
|
The files in |
xoxyuxu
reviewed
May 20, 2026
Comment on lines
+261
to
+268
| 1. Keywords for describing the current state of a component | ||
| 1. “contains” / ”composition-assemblies” | ||
| Indicates that a component includes or is composed of another. | ||
| 2. “dependsOn” / “composition-dependencies” | ||
| Indicates that a component depends on or requires another. | ||
| 2. Keywords for describing the origin of a component | ||
| 1. “generatedFrom” / “components-pedigree” | ||
| Indicates that a component was generated (replicated, modified, or built) from another. |
There was a problem hiding this comment.
The second row of the list syntax contains numbers. But the original document uses letters.
case 1: use html tag <ol type="a"><li>...
case 2: write directly a., b....
case 3: ignore about this difference.
xoxyuxu
reviewed
May 20, 2026
Comment on lines
+60
to
+61
| | SBOM Document for ‘application A’ from **Vendor1** | file-level | All dependency shall be recorded and provided at the file-level. | **Maker1** needs to convert file-level information to package-level for application A. | | ||
| | SBOM Document for ‘application A’ from **Vendor1** | package-level | **Maker1** needs to decompose package-level information and convert them to file-level. | All dependency shall be recorded and provided at the package-level. | |
There was a problem hiding this comment.
All dependency -> All dependencies
This fix is figured out by comment in the original document.
Commented by Saquib Saifee.
If this pull request is for translation only and not included above comment's fixes, ignore this.
no-ta
reviewed
May 21, 2026
There was a problem hiding this comment.
3.1.2 Rationale {#3.1.2-rationale}
"improved the document quality." -> "improves the document quality."
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR refreshes the English SBOM Document Quality Guide using the latest Markdown exported from the Google Docs source document, and restructures the GitHub file layout to make the guide easier to review, maintain, and update.
Changes
Cross-Industry-SBOM-Quality-Guide/en/chapters/.Cross-Industry-SBOM-Quality-Guide.mdinto an entry-point / table-of-contents file that links to the chapter files.Rationale
This makes the document easier to work with in GitHub:
Source
The original editable document is maintained here:
https://docs.google.com/document/d/1iuXX8j10N70dfce1-CZFWhW6S2jEqc--flcCgXMMdjg/edit?pli=1&tab=t.0
Public comments / Q&A
The public comments and Q&A tracking sheet is maintained here:
https://docs.google.com/spreadsheets/d/1tooDiuAixOn9enyA_zvzRrEgPi4Kyq-u/edit?usp=sharing&ouid=105671686755504216583&rtpof=true&sd=true