Merge pull request #256 from fvsamson/patch-1

[Various text strings] Unify spelling of "SBOM", enhance wording and grammar, rectify typos etc.

Compliance.md

@@ -1,17 +1,16 @@
 # Compliance Reports
 
-sbomqs now helps generating compliance reports for your sboms. We support industry standard requirements
-like NTIA minimum elements, BSI CRA TR-03183 v1.1 and OWASP SCVS. 
+sbomqs now helps generating compliance reports for your SBOMs. We support industry standard requirements
+like NTIA minimum elements, BSI TR-03183-2 v1.1 and OWASP SCVS. 
 
 The goal of compliance reports is to verify if the sbom file adheres to these standard, before they are distributed. 
 
-We have explained below how sbomqs approaches compliance reports for BSI CRA TR-03183 v1.1. We are not going to explain
-the spec here, but rather go into our intepretation of it. 
+We have explained below how sbomqs approaches compliance reports for BSI TR-03183-2 v1.1. We are not going to explain
+this technical guideline here, but rather go into our intepretation of it. 
 
+The [BSI TR-03183-2 v1.1](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf) specifies mandatory properties for an SBOM. Below is how we have derived all the values.
 
-The [BSI CRA TR-03183 v1.1](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf?__blob=publicationFile&v=5) which is in draft currently specifies that the compilation of an SBOM is mandatory. Below is how we have derived all the values.
-
-| TR-03183 | TR-03183 field | CycloneDx | SPDX(2.3) | Notes |
+| TR-03183-2 | TR-03183-2 field | CycloneDx | SPDX(2.3) | Notes |
 | :---     | :---    |     :---      |          :--- | :--- |
 |4. SBOM formats| `specification`  | BomFormat     | SPDXversion    | CycloneDX and SPDX only |
 || `specification version`  | SpecVersion     | SPDXversion    | CycloneDX 1.4 and above, SPDX 2.3 and above |
@@ -30,4 +29,4 @@ The [BSI CRA TR-03183 v1.1](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/
 | | `source code uri`| component->externalReferences->type (vcs) | no-deterministic-field | |
 | | `URI of the executable form`| component->externalReferences->type (distribution/distribution-intake) | PackageDownloadLocation | |
 | | `hash of source code`| no-deterministic-field | package->PackageVerificationCode | |
-| | `other uniq identifiers`| component->cpe, component->purl| package->externalReference->security (cpe/purl) | |
+| | `other uniq identifiers`| component->cpe, component->purl| package->externalReference->security (cpe/purl) | |

README.md

@@ -1,51 +1,51 @@
 <!--
  Copyright 2023 Interlynk.io
- 
+
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at
- 
+
      http://www.apache.org/licenses/LICENSE-2.0
- 
+
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
 -->
 
-# `sbomqs`: Quality metrics for SBOMs 
+# `sbomqs`: Quality metrics for SBOMs
 
 [![Go Reference](https://pkg.go.dev/badge/github.com/interlynk-io/sbomqs.svg)](https://pkg.go.dev/github.com/interlynk-io/sbomqs)
 [![Go Report Card](https://goreportcard.com/badge/github.com/interlynk-io/sbomqs)](https://goreportcard.com/report/github.com/interlynk-io/sbomqs)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/interlynk-io/sbomqs/badge)](https://securityscorecards.dev/viewer/?uri=github.com/interlynk-io/sbomqs)
 ![GitHub all releases](https://img.shields.io/github/downloads/interlynk-io/sbomqs/total)
 
-`sbomqs` is your primary tool to assess the quality of sbom's. The higher the score the more consumable your sboms are. 
+`sbomqs` is your primary tool to assess an SBOM's quality. The higher the score the more consumable your SBOMs are.
 
 ```console
 brew tap interlynk-io/interlynk
 brew install sbomqs
 ```
 
-other installation [options](#installation).
+Other [installation options](#installation).
 
-# SBOM Card 
+# SBOM Card
 [![SBOMCard](https://api.interlynk.io/api/v1/badges.svg?type=hcard&project_group_id=7f52093e-3d78-49cb-aeb1-6c977de9442e
 )](https://app.interlynk.io/customer/products?id=7f52093e-3d78-49cb-aeb1-6c977de9442e&signed_url_params=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqUmhPRGRoTjJNNExXSXpZekl0TkdVeE9TMDVNRGxoTFRKbFpHRmlPR1ZoWldReVl5ST0iLCJleHAiOm51bGwsInB1ciI6InNoYXJlX2x5bmsvc2hhcmVfbHluayJ9fQ==--daf6585ecf8013a0b2713a5cebb28c140d29eed904b15c84c0566b9ddd334e71)
 
 # Usage
-#### Quality Score for a single SBOM.
+#### Quality Score for a single SBOM
 ```sh
 sbomqs score <sbom-file>
 ```
 
-#### Compliance Report: CRA TR-03183 for an sbom
+#### Compliance Report: BSI TR-03183-2
 ```sh
 sbomqs compliance -c samples/photon.spdx.json
 ```
 
-#### Quality Score with a shareable link at [sbombenchmark.dev](https://sbombenchmark.dev/).  
+#### Quality Score with a shareable link at [sbombenchmark.dev](https://sbombenchmark.dev/)
 ```sh
 sbomqs share <sbom-file>
 ```
@@ -60,7 +60,7 @@ sbomqs share cdxgen-9.5.1_alpine-latest.cdx.json
 ShareLink: https://sbombenchmark.dev/user/score?id=a97af1bf-4c9d-4a55-8524-3d4bcee0b9a4
 ```
 
-#### Quality Score for your dependency track projects.
+#### Quality Score for your dependency track projects
 ```sh
 sbomqs dtrackScore  -u <dt-host-url> -k <dt-api-key> <project-uuid>
 ```
@@ -101,31 +101,31 @@ Status: Downloaded newer image for ghcr.io/interlynk-io/sbomqs:latest
 ```
 
 # What is a high quality SBOM
-A high quality SBOM should allow for managements of assets, license, vulnerabilities, Intellectual Property, configuration management and incident response. 
+A high quality SBOM should allow for managements of assets, license, vulnerabilities, Intellectual Property, configuration management and incident response.
 
-A quality SBOM is one that is accurate, complete, and up-to-date. There are many factors that go into constructing a high quality sbom
-1. Identify & list all components of your product along with their transitive dependencies. 
-2. List all your components along with their versions & content checksums. 
-3. Include accurate component licenses. 
-4. Include accurate lookup identifiers e.g. [purls](https://github.com/package-url/purl-spec) or [CPEs](https://csrc.nist.gov/publications/detail/nistir/7698/final). 
-5. Quality SBOM depends a lot upon which stage of the lifecycle it has been generated at, we believe closer to the build time is ideal. 
-6. Signed sboms.
-7. Should layout information based on industry standard specs like CycloneDX, SPDX and SWID. 
+A quality SBOM is one that is accurate, complete, and up-to-date. There are many factors that go into constructing a high quality SBOM.
+1. Identify & list all components of your product along with their transitive dependencies.
+2. List all your components along with their versions & content checksums.
+3. Include accurate component licenses.
+4. Include accurate lookup identifiers e.g. [purls](https://github.com/package-url/purl-spec) or [CPEs](https://csrc.nist.gov/publications/detail/nistir/7698/final).
+5. Quality SBOM depends a lot upon which stage of the lifecycle it has been generated at, we believe closer to the build time is ideal.
+6. Signed SBOMs.
+7. Should layout information based on industry standard specs like CycloneDX, SPDX and SWID.
 
 
 # Goals
 
-The main goals of the utility are
-1. Make it easy and fast to assess the quality of your sbom's, generated or acquired. 
-2. Support all well-known SBOM standards. 
+The main goals of the utility are:
+1. Make it easy and fast to assess the quality if an SBOM, generated or acquired.
+2. Support all well-known SBOM standards.
 3. Scoring output should be customizable.
-4. Scoring output should be consumable. 
+4. Scoring output should be consumable.
 
-## Goal #1: Easy & Fast 
+## Goal #1: Easy & Fast
 
-SBOM can be generated using both commercial and open-source tooling. As consumers of SBOM we wanted a fast & easy way to assess the quality of an SBOM. An SBOM with a low score, needs to be re-evaluated or rejected. 
+SBOMs can be generated using both commercial and open-source tooling. As consumers of SBOMs we wanted a fast and easy way to assess the quality of an SBOM. An SBOM with a low score should be re-evaluated or rejected.
 
-`sbomqs` makes getting a quick assessment effortless. Just point. 
+`sbomqs` makes getting a quick assessment effortless. Just point.
 
 ```sh
 sbomqs score samples/julia.spdx.tv -b
@@ -136,57 +136,57 @@ sbomqs score samples/julia.spdx.tv -b
 
 ## Goal #2: SBOM Standards
 
-NTIA recommends the following standards for SBOM's
+The NTIA recommends these standards for SBOMs:
 - SPDX
 - CycloneDX
 - SWID
 
-`sbomqs` supports SPDX and CycloneDX formats. Support for SWID is incoming. 
+`sbomqs` supports SPDX and CycloneDX formats. Support for SWID is incoming.
 
-In addition to supporting the SBOM formats, we support various file formats 
+In addition to supporting these SBOM formats, we support various formats for data representation.
 
 - **SPDX**: json, yaml, rdf and tag-value
 - **CycloneDX**: json and xml
 
-## Goal #3: Customizable output 
+## Goal #3: Customizable output
 
-`sbomqs` scoring output can be customized by category or by feature. We understand everyone needs for scoring would not match ours, we have added customizability around which categories or features should or should not be included for scoring. 
+`sbomqs` scoring output can be customized by category or by feature. We understand everyone's needs for scoring differ, hence we allow to customize which categories or features should rsp. should not be included for scoring.
 
-#### Category Scoring
-We have categorized our current features into the following categories 
-- **NTIA-minimum-elements**: Includes features, which help you quickly understand if your sbom's comply with NTIA minimum element guidelines. 
-- **Structural**: We check if the SBOM complies with the underlying specifications, be it [SPDX](https://spdx.dev/specifications/) or [CycloneDX](https://cyclonedx.org/specification/overview/)
-- **Semantic**: We check meaning of SBOM fields specific to their standard. 
-- **Quality**: Help determine the quality of the data present in the sbom.
-- **Sharing**: Helps determine if the SBOM can be shared. 
+#### Category scoring
+We have categorized our current features as follows:
+- **NTIA-minimum-elements**: Includes features, which help you to quickly understand if an SBOM complies with NTIA's minimum element guidelines.
+- **Structural**: Checks if an SBOM complies with the underlying specifications, be it [SPDX](https://spdx.dev/specifications/) or [CycloneDX](https://cyclonedx.org/specification/overview/).
+- **Semantic**: Checks meaning of SBOM fields specific to their standard.
+- **Quality**: Helps to determine the quality of the data in an SBOM.
+- **Sharing**: Helps to determine if an SBOM can be shared.
 - [OWASP BOM Maturity Model](https://docs.google.com/spreadsheets/d/1wu6KbgwuokC5357ikrhFN-QkwQ7Pyb6z0zE80sTNNus/edit#gid=0): Work in progress
 
 
 #### Feature Scoring
 We allow running any single feature to be tested against an SBOM.
 
-1. `sbomqs generate features`, this generated a features.yaml file 
-2. Open the features.yaml file and select the categories or features that you would like enabled 
-3. Save & close the file.
-4. `sbomqs score  ~/data/app.spdx.json  --configpath features.yaml` use the yaml file to apply the changes. 
+1. `sbomqs generate features` generates a features.yaml file.
+2. Open the features.yaml file and select the categories or features that you want to be enabled.
+3. Save and close the file.
+4. `sbomqs score  ~/data/app.spdx.json  --configpath features.yaml` use the features.yaml file to apply the changes.
 
-For the list of features currently supported, visit [features.md](./Features.md). 
+For the list of features currently supported, visit [features.md](./Features.md).
 
-## Goal #4: Consumable output 
+## Goal #4: Consumable output
 
-`sbomqs` provides its scoring output in basic and detailed forms. 
+`sbomqs` provides its scoring output in basic and detailed forms.
 
-Basic output is great for a quick check of the quality of our sboms. Once you get a good sense of how the tool works, this could also be your primary way of consuming data from this tool. 
+The basic output is great for a quick check of the quality of an SBOMs. Once you get a good sense of how the tool works, this can also becom the primary way of consuming data from this tool.
 
-```sh 
+```sh
 6.0     samples/blogifier-dotnet-SBOM.json
 6.9     samples/julia.spdx.json
 7.6     samples/sbom.spdx.yaml
 ```
 
-Detailed output is presented in tabular and json formats currently 
+Detailed output is presented in tabular and json formats, currently:
 
-Tabular format: this format has been inspired by oss scorecard project. 
+Tabular format: this format has been inspired by oss scorecard project.
 ```sh
 SBOM Quality Score: 6.0 samples/blogifier-dotnet-SBOM.json
 +-----------------------+--------------------------------+-----------+--------------------------------+
@@ -238,11 +238,11 @@ json format
 ```
 
 # Compliance Reports
-sbomqs can now produce compliance reports for industry standard requirements. Currently we support [BSI TR-03183 v1.1](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf?__blob=publicationFile&v=5). More details about the CRA
-requirements are avaliable [here](./Compliance.md). 
+sbomqs can produce compliance reports for industry standard requirements. Currently we support [BSI TR-03183-2 v1.1](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf). More details about its
+requirements are [avaliable here](./Compliance.md).
 
-## Reports 
-- [BSI TR-03183 v1.1](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf?__blob=publicationFile&v=5)
+## Reports
+- [BSI TR-03183-2 v1.1](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf)
 - [NTIA minimum element](https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf) - Coming soon.
 - [OWASP SCVS](https://scvs.owasp.org/bom-maturity-model/) - Coming soon.
 
@@ -283,14 +283,14 @@ Example of a BSI report
 
 
 # SBOM Samples
-- A sample set of SBOM is present in the [samples](https://github.com/interlynk-io/sbomqs/tree/main/samples) directory above
+- A sample set of SBOMs is present in the [samples](https://github.com/interlynk-io/sbomqs/tree/main/samples) directory above
 - [SBOM Benchmark](https://www.sbombenchmark.dev) is a repository of SBOM and quality score for most popular containers and repositories
 - [SBOM Explorer](https://github.com/interlynk-io/sbomex) is a command line utility to search and pull SBOMs
 - [SBOM Assembler](https://github.com/interlynk-io/sbomasm) is a command line utility for assembling SBOMs into product SBOMs
 
-# Installation 
+# Installation
 
-## Using Prebuilt binaries 
+## Using Prebuilt binaries
 
 ```console
 https://github.com/interlynk-io/sbomqs/releases
@@ -310,40 +310,39 @@ go install github.com/interlynk-io/sbomqs@latest
 
 ## Using repo
 
-This approach involves cloning the repo and building it. 
+This approach involves cloning the repo and building it.
 
 1. Clone the repo `git clone [email protected]:interlynk-io/sbomqs.git`
-2. `cd` into `sbomqs` folder 
+2. `cd` into `sbomqs` folder
 3. make build
 4. To test if the build was successful run the following command `./build/sbomqs version`
 
 
 # Contributions
-We look forward to your contributions, below are a few guidelines on how to submit them 
-
+We look forward to your contributions, below are a few guidelines on how to submit them:
 - Fork the repo
 - Create your feature/bug branch (`git checkout -b feature/new-feature`)
 - Commit your changes (`git commit -am "awesome new feature"`)
 - Push your changes (`git push origin feature/new-feature`)
 - Create a new pull-request
 
-# Other SBOM Open Source tools
-- [SBOM Assembler](https://github.com/interlynk-io/sbomasm) - A tool to compose a single SBOM by combining other (part) SBOMs
+# Other Open Source Software tools for SBOMs
+- [SBOM Assembler](https://github.com/interlynk-io/sbomasm) - A tool to compose a single SBOM by combining other SBOMs or parts of them
 - [SBOM Quality Score](https://github.com/interlynk-io/sbomqs) - A tool for evaluating the quality and completeness of SBOMs
 - [SBOM Search Tool](https://github.com/interlynk-io/sbomagr) - A tool to grep style semantic search in SBOMs
-- [SBOM Explorer](https://github.com/interlynk-io/sbomex) - A tool for discovering and downloading SBOM from a public repository
+- [SBOM Explorer](https://github.com/interlynk-io/sbomex) - A tool for discovering and downloading SBOMs from a public repository
 
-# Contact 
+# Contact
 We appreciate all feedback. The best ways to get in touch with us:
 - ❓& 🅰️ [Slack](https://join.slack.com/t/sbomqa/shared_invite/zt-2jzq1ttgy-4IGzOYBEtHwJdMyYj~BACA)
 - :phone: [Live Chat](https://www.interlynk.io/#hs-chat-open)
 - 📫 [Email Us](mailto:[email protected])
-- 🐛 [Report a bug or enhancement](https://github.com/interlynk-io/sbomex/issues) 
+- 🐛 [Report a bug or enhancement](https://github.com/interlynk-io/sbomex/issues)
 - :x: [Follow us on X](https://twitter.com/InterlynkIo)
 
 # Stargazers
 
-If you like this project, please support us by starring it. 
+If you like this project, please support us by starring it.
 
 [![Stargazers](https://starchart.cc/interlynk-io/sbomqs.svg)](https://starchart.cc/interlynk-io/sbomqs)
 

cmd/compliance.go

@@ -24,13 +24,13 @@ import (
 
 var complianceCmd = &cobra.Command{
 	Use:   "compliance <sbom file>",
-	Short: "compliance command checks the sbom for compliance with sbom standards",
-	Long: `Check if you sbom complies with various sbom standards like NTIA minimum elements, CRA TR-03183.
-	Generate a compliance report for the sbom file.
+	Short: "compliance command checks an SBOM for compliance with SBOM standards",
+	Long: `Check if your SBOM complies with various SBOM standards like NTIA minimum elements, BSI TR-03183-2.
+	Generate a compliance report for an SBOM file.
 	`,
 	Args: func(cmd *cobra.Command, args []string) error {
 		if err := cobra.ExactArgs(1)(cmd, args); err != nil {
-			return fmt.Errorf("compliance requires a single argument, the path to the sbom file")
+			return fmt.Errorf("compliance requires a single argument, the path to an SBOM file")
 		}
 
 		return nil
@@ -82,6 +82,6 @@ func init() {
 
 	//Standards control
 	// complianceCmd.Flags().BoolP("ntia", "n", false, "check for NTIA minimum elements compliance")
-	complianceCmd.Flags().BoolP("cra", "c", false, "CRA TR-03183 v1.1 compliance")
+	complianceCmd.Flags().BoolP("cra", "c", false, "BSI TR-03183-2 v1.1 compliance")
 	// complianceCmd.MarkFlagsMutuallyExclusive("ntia", "cra")
 }