OpenChain-Project · KoukiHama · Apr 5, 2026 · May 20, 2026 · May 20, 2026 · May 25, 2026
diff --git a/Cross-Industry-SBOM-Quality-Guide/en/Cross-Industry-SBOM-Quality-Guide.md b/Cross-Industry-SBOM-Quality-Guide/en/Cross-Industry-SBOM-Quality-Guide.md
diff --git a/Cross-Industry-SBOM-Quality-Guide/en/README.md b/Cross-Industry-SBOM-Quality-Guide/en/README.md
@@ -10,4 +10,8 @@ Such a guide would:
 In this folder you will find a copy of the brainstorm document. 
 
 You can track the discussion via the OpenChain SBOM Study Group mailing list:
-https://lists.openchainproject.org/g/sbom
+https://lists.openchainproject.org/g/sbom
+
+Illustration files referenced by the guide are stored under `assets/images/sbom-document-quality-guide/` so that text changes and binary asset changes can be reviewed separately in GitHub. The current PNG assets are kept in this shared assets directory and have been flattened to a white background and enlarged for readability in GitHub light and dark modes; SVG source assets can be introduced later if an SVG-based publishing workflow is adopted.
+
+The guide entry point is `Cross-Industry-SBOM-Quality-Guide.md`. The body of the guide is split by chapter under `chapters/` to make review and maintenance easier.
diff --git a/...ges/sbom-document-quality-guide/01-scope-and-sbom-document-quality-overview.png b/...ges/sbom-document-quality-guide/01-scope-and-sbom-document-quality-overview.png
diff --git a/...s/images/sbom-document-quality-guide/fig-5-7-1-entire-software-supply-chain.png b/...s/images/sbom-document-quality-guide/fig-5-7-1-entire-software-supply-chain.png
diff --git a/...ity-guide/fig-5-7-2-three-entities-for-app-a-sbom-document-provided-to-user.png b/...ity-guide/fig-5-7-2-three-entities-for-app-a-sbom-document-provided-to-user.png
diff --git a/...guide/fig-5-7-3-independent-sbom-document-creation-by-entity-a-and-entity-c.png b/...guide/fig-5-7-3-independent-sbom-document-creation-by-entity-a-and-entity-c.png
diff --git a/...ment-quality-guide/fig-5-7-4-known-unknown-for-dynamic-runtime-dependencies.png b/...ment-quality-guide/fig-5-7-4-known-unknown-for-dynamic-runtime-dependencies.png
diff --git a/Cross-Industry-SBOM-Quality-Guide/en/chapters/00-preface.md b/Cross-Industry-SBOM-Quality-Guide/en/chapters/00-preface.md
@@ -0,0 +1,11 @@
+# 0. Preface
+
+The ”OpenChain SBOM Document Quality Guide” is a format-independent framework focused on the quality of the information contained within the document, such as its accuracy and integrity. It defines the essential quality requirements for achieving robust security assurance and license compliance, providing actionable steps to ensure the reliability of the content.  
+Key considerations and differences when adapting the Telco SBOM Guide to develop this guide:
+
+* **Compatibility**: This guide is designed for broad compatibility beyond the “OpenChain Telco SBOM Guide”. By conforming to this guide, an SBOM document not only meets the requirements of the “OpenChain Telco SBOM Guide” but also aligns with various other industry guidelines and regulatory standards.   
+* **Applicability**: This guide serves as a foundational quality standard applicable across all industries. Its language and requirements have been carefully refined to ensure universal relevance, making it a basic framework for any sector implementing SBOM Document.   
+* **Format Independence**: This guide is written to be independent of any specific SBOM Data format.  
+* **Quality Definition**: A new chapter discusses what constitutes a high-quality SBOM Document, explains its importance, and describes how such documents can be effectively utilized.  
+* **Best practices**: Guidance addressing various challenges in creating and managing SBOM Documents have been incorporated.  
+* **Practical Examples**: As part of these best practices, practical SBOM Document samples are provided in JSON format along with their corresponding schema.
diff --git a/...s-Industry-SBOM-Quality-Guide/en/chapters/01-scope-and-sbom-document-quality.md b/...s-Industry-SBOM-Quality-Guide/en/chapters/01-scope-and-sbom-document-quality.md
@@ -0,0 +1,16 @@
+# 1. Scope and SBOM Document Quality
+
+While the term **"SBOM"** generally refers to the information that constitutes a software's composition, this guide specifically focuses on the quality of the “**SBOM Document”**. In this guide, **”SBOM Document”** is a structured artifact – typically formatted in JSON and based on specifications such as SPDX or CycloneDX – that is exchanged between software distributors and recipients.
+
+![][image1]  
+This guide, “OpenChain SBOM Document Quality Guide”, establishes a clear framework for document quality – centered on security assurance and license compliance – and providing actionable requirements to achieve it.  
+Specifically, documents are evaluated based on following two essential aspects:
+
+* Adequacy of Security Assurance  
+  Assesses whether sufficient baseline information is provided to support an investigation that validates the software's security posture, even if, at the time of delivery, the document does not comprehensively cover all risks, vulnerabilities, or mitigation strategies.  
+* Effectiveness of License Compliance  
+  Assesses whether the necessary licensing details and usage terms for each software component are properly captured to ensure compliance with relevant laws and regulations.
+
+By adhering to this guide, stakeholders can ensure that the SBOM Documents exchanged within the software supply chain consistently meet high-quality standards.
+
+[image1]: <../assets/images/sbom-document-quality-guide/01-scope-and-sbom-document-quality-overview.png>
diff --git a/Cross-Industry-SBOM-Quality-Guide/en/chapters/02-terms-and-definitions.md b/Cross-Industry-SBOM-Quality-Guide/en/chapters/02-terms-and-definitions.md
@@ -0,0 +1,19 @@
+# 2. Terms and Definitions
+
+The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 \[[RFC2119](https://www.ietf.org/rfc/rfc2119.txt)\] \[[RFC8174](https://www.ietf.org/rfc/rfc8174.txt)\] when, and only when, they appear in all capitals, as shown here.
+
+| Terms | Definitions |
+| ----- | ----- |
+| Data Format | Data Format means the data format of the information in the SBOM. Possible Data Formats include SPDX, Cyclone DX, SWID, or other proprietary formats. |
+| Entity | Entity shall mean the legal entity (for profit, non profit, or natural person) that distributes software to third parties (e.g., other organizations or individuals). Entity does not include other group companies, or companies under common control of the Entity. |
+| SBOM | A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software. |
+| SBOM Type | An SBOM can be of one of the following types: Design, Source, Build, Analyzed, Deployed, Runtime. The definition of these types can be found in [the CISA document](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf). |
+| SPDX | SPDX (System Package Data Exchange) is the ISO standard ([ISO/IEC 5962:2021](https://www.iso.org/standard/81870.html)) for exchanging SBOM for a given software package, including associated license and copyright information. The standard was created by the Linux Foundation's [SPDX project](https://spdx.dev/). |
+| CycloneDX | CycloneDX is the ECMA standard ([ECMA-424](https://ecma-international.org/publications-and-standards/standards/ecma-424/)) for a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction.The standard was created by the OWASP Foundation, which is a nonprofit foundation for improving software security. |
+| OpenChain Specification ISO/IEC 5230:2020 | [ISO/IEC 5230:2020](https://www.iso.org/standard/81039.html) is an international standard that specifies the key requirements of a quality open source license compliance program in order to provide a benchmark that builds trust between organizations exchanging software solutions that incorporate open source software. The OpenChain standard is produced by [the OpenChain project](https://www.openchainproject.org/) of the Linux Foundation. |
+| OpenChain Specification ISO/IEC 18974:2023 | [ISO/IEC 18974:2023](https://www.iso.org/standard/86450.html) is an international standard from the OpenChain Project that provides requirements for open source software security assurance. It aims to improve software supply chain confidence by managing publicly known security vulnerabilities. Organizations can demonstrate compliance through self-certification or audits. |
+| Transitive dependencies | Transitive dependencies are all components that are necessary for the software to run. They include any dependency of the package that is not a direct dependency. |
+| Package URL(PURL) | Package URL (PURL) is a de facto standard to uniquely identify software packages. |
+| SBOM Document | A Software Bill of Materials (SBOM) document is the output of SBOM information in formats like JSON or YAML for the purpose of accurate information transfer between organizations. |
+| File Format | File Format means the format of SBOM Document. Possible File Formats include JSON, YAML, Excel Sheet etc. |
+| Software Package | A software package is a distributable unit that can consist of a single software component, such as code or a library, or a bundle of related components, including configuration files. It may also include information about dependencies and versioning, making installation, updates, and integration with other systems more efficient. This packaging approach helps streamline software development and maintenance processes. |