SBOM Document Quality Guide
OpenChain SBOM Study Group
Why a New Guide?
https://www.msit.go.kr/bbs/view.do?sCode=user&mId=113&mPid=238&bbsSeqNo=94&nttSeqNo=3184474
https://www.cert-in.org.in/PDF/TechnicalGuidelines-on-SBOM,QBOM&CBOM,AIBOM_and_HBOM_ver2.0.pdf
Many regulations, standards, and guidelines exist, each imposing slightly different requirements.
SBOM Implementation Reality: https://sched.co/1jKD8
Lack of standardized detailed information causes inconsistencies and high production costs/effort in SBOM creation.
Guide on Google Docs:
https://docs.google.com/document/d/1iuXX8j10N70dfce1-CZFWhW6S2jEqc--flcCgXMMdjg/edit?usp=sharing
Meeting minutes etc. for SBOM Study Group: https://github.com/OpenChain-Project/SBOM-sg/
Meeting schedule: https://openchainproject.org/participate
Chapter 1 - Scope & SBOM Document Quality
[Diagram: SBOM document flow. Labels: A Company (Team A ・・・ Team X, product, SBOM Management); Open Source Communities and Other Companies (RECEIVE, with PUSH / PULL of an SBOM Document); End User, Customers, Other Companies (DISTRIBUTE an SBOM Document).]
Key SBOM Requirements
Chapter 5.1 – Ensuring Accurate & Consistent “Value” Information
Chapter 5.7 - Clarifying the Scope of Descriptions and Defining Accountability
Chapter 5.8 - Unified Expression of Inter-Component Relationships
Owada-san: “Set Vendor” knows d-lib.so will be linked, but they can't determine a unique ID (the actual d-lib version etc. as well) for the SBOM element because it isn't part of their distribution.
https://docs.google.com/presentation/d/1T0mifMjTbiOoxPMv-04rHV42mcRw9SSQocAq1USgEZg/edit?slide=id.g36f74397063_0_5#slide=id.g36f74397063_0_5
https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/subgroups/sbom-sg/outcomes/QualityGuide/SBOM-Document-Quality-Guide.ja.md#58-%E9%83%A8%E5%93%81%E9%96%93%E9%96%A2%E4%BF%82%E6%80%A7%E3%81%AE%E7%B5%B1%E4%B8%80%E7%9A%84%E8%A1%A8%E7%8F%BE
Chapter 5.8 – cont.
SBOM Attributes Comparison (Overview)
[WIP] SBOM element comparison
https://docs.google.com/spreadsheets/d/1SuGv1L3H_-Iq6dmH7DnjDgAa90LCRnoHB3DTfuWh0Jg/edit?gid=1936044844#gid=1936044844
https://sched.co/1jKD8
Ninjyouji-san
SBOM JSON, JSON-LD examples and Schema
https://github.com/OpenChain-Project/SBOM-sg-SEPIA
CISA Minimum Elements for a Software Bill of Materials - Updated
https://www.cisa.gov/resources-tools/resources/2025-minimum-elements-software-bill-materials-sbom
Name and Version
7 Recommendations to Improve SBOM Quality
https://www.sei.cmu.edu/blog/7-recommendations-to-improve-sbom-quality/
Join OpenChain SBOM study group!
The regular meeting will be held on the 4th Wednesday of every month. We would appreciate your participation!
https://lists.openchainproject.org/g/sbom
https://github.com/OpenChain-Project/SBOM-sg
Questions?
SBOM Document Quality Guide - OpenChain SBOM Study Group