
Commit 93befc4

Final touches on README, LICENSE and added CREDITS file
1 parent 804183c commit 93befc4

3 files changed, +19 -8 lines changed


CREDITS.md

+3
@@ -0,0 +1,3 @@
1+
# IBM Donation to OWASP Foundation
2+
3+
The sbom-utility was originally designed, created and solely developed by Matt Rutkowski ([email protected]) while working for IBM Corporation (http://www.ibm.com/) under an Apache 2 license and donated in January 2023 to the OWASP Foundation's CycloneDX project.
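Review bot: the license reference on new line 3 ("under an Apache 2 license") is informal; name the license exactly as the repository's LICENSE file does, e.g. "Apache License, Version 2.0" (SPDX identifier Apache-2.0), so that CREDITS.md, NOTICE.txt and LICENSE agree. Also, the commit message says "Final touches on README, LICENSE and added CREDITS file", but this commit only changes CREDITS.md, NOTICE.txt and README.md; either the LICENSE edit is missing from the commit or the message should be corrected.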

NOTICE.txt

+8-4
@@ -1,5 +1,9 @@
1-
sbom-utility
2-
© Copyright IBM Corporation 2022, 2023.
1+
OWASP CycloneDX/sbom-utility
2+
@ Copyright 2023-present OWASP Foundation
3+
4+
This product includes software developed at
5+
The OWASP Foundation's CycloneDX project (https://owasp.org/www-project-cyclonedx/).
36

4-
This repository includes software developed by
5-
Matt Rutkowski, working for IBM
7+
The Initial Developer of the sbom-utility
8+
was Matt Rutkowski ([email protected]), working for IBM Corporation (http://www.ibm.com/)
9+
© Copyright IBM Corporation 2022, 2023.
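Review bot: new line 2 reads "@ Copyright 2023-present OWASP Foundation" with an at-sign where the copyright symbol belongs; line 9 of the same file uses "©", so line 2 should be "© Copyright 2023-present OWASP Foundation". Minor: new lines 7 and 8 split one sentence ("The Initial Developer of the sbom-utility" / "was Matt Rutkowski ...") across a line break; since NOTICE files are typically displayed verbatim, keep the sentence on one line or break only after the full sentence.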

README.md

+8-4
@@ -2,7 +2,7 @@
22

33
# sbom-utility
44

5-
This utility is designed to be an API platform used *primarily to validate CycloneDX or SPDX SBOMs* (encoded in JSON format) against versioned JSON schemas as published by their respective organizations.
5+
This utility is designed to be an API platform used primarily to **validate CycloneDX or SPDX SBOMs** (encoded in JSON format) against versioned JSON schemas as published by their respective organizations.
66

77
More importantly, the utility enables validation of SBOMs against derivative, "customized" schemas that can be used to enforce further data requirements not captured in the "base" schemas (e.g., industry or company-specific schemas).
88

@@ -16,13 +16,17 @@ In the future, we envision additional kinds of SBOMs (e.g., Hardware, Machine Le
1616

1717
The utility additionally prioritizes commands that help provide insight into contents of the SBOM to search for and report on missing (i.e., completeness) or specific data requirements (e.g., organization or customer-specific requirements). In general, the goal of these prioritized commands is to support data verification for many of the primary SBOM use cases as identified by the CycloneDX community (see https://cyclonedx.org/use-cases/). Functional development has focused on those use cases that verify inventory (resource identity), legal compliance (e.g., license), and security analysis (e.g., vulnerability) which are foundational to any SBOM.
1818

19-
Initially, such functionality is reflected in the [license](#license), [resource](#resource) and [query](#query) commands which to be able to extract or produce formatted reports from inherent knowledge of the CycloneDX format.
19+
##### Featured commands
20+
21+
In addition to the [validate](#validate) command, priority functionality is reflected in the [license](#license), [resource](#resource) and [query](#query) commands which to be able to extract or produce formatted reports from inherent knowledge of the CycloneDX format.
2022

2123
The `license` command, for example, has many options and configurations to not only produce raw JSON output of license data, but also produce summarized reports in many human-readable formats (e.g., text, csv, markdown). Furthermore, the license command is able to apply configurable "usage policies" for the licenses identified in the reports.
2224

23-
The `query` command functionality is geared towards an SBOM format-aware, SQL-style query that could be used to generate customized reports/views into the SBOM data for any use case when other resource-specific commands are not provided or fall short.
25+
The `resource` command is designed to better understand what resources are being referenced as part of the SBOM's inventory and/or dependency graph along with required fields such as name, version and bom-ref.
26+
27+
The `query` command functionality is geared towards an SBOM format-aware (CycloneDX-only for now), SQL-style query that could be used to generate customized reports/views into the SBOM data for any use case when other resource-specific commands are not provided or fall short.
2428

25-
Further commands and reports are planned that prioritize use cases that enable greater insight and analysis of the legal, security and compliance data captured in the SBOM such as **vulnerability** (VEX) information and resource **signage** (identifying resource fingerprints).
29+
Further commands and reports are planned that prioritize use cases that enable greater insight and analysis of the legal, security and compliance data captured in the SBOM such as **vulnerability** (VEX) information and resource **signage** (e.g., verifying resource identities by hashes or fingerprints).
2630

2731
#### Design considerations
2832
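Review bot: new line 21 carries over a grammar error from the removed line 19: "commands which to be able to extract or produce formatted reports" should read "commands which are able to extract or produce formatted reports" (or simply "commands that extract or produce formatted reports"). Separately, the added "##### Featured commands" heading is level 5 while the following "#### Design considerations" heading is level 4, so the new section nests under whichever level-4 heading precedes it rather than standing beside "Design considerations"; confirm that is the intended hierarchy. On new line 25, the field name "bom-ref" could be set in backticks to match how the `license`, `resource` and `query` command names are formatted on the neighbouring lines.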
