Skip to main content

SBOM Standards

SPDX (Software Package Data Exchange)

SPDX is a Linux Foundation open standard for communicating software bill of materials (SBOM) information, including components, licences, copyrights, and security references. SCANOSS supports SPDX Lite as an output format. SPDX Lite is a lightweight profile of the full SPDX specification, focused on licence compliance.

CycloneDX

CycloneDX is an OWASP standard for creating SBOMs and CBOMs (Cryptography Bills of Materials). SCANOSS uses CycloneDX as its default SBOM format for software composition analysis, vulnerability tracking, and cryptographic reporting. SCANOSS supports the following CycloneDX output types:
  • CycloneDX SBOM — standard software bill of materials output
  • CycloneDX with Vulnerabilities — SBOM enriched with vulnerability data
  • CycloneDX CBOM — cryptographic bill of materials, generated via the Crypto Finder tool

Component Identification

PURL (Package URL)

PURL is an open specification for identifying software packages using a standardised URL-like string in the following format: 
pkg:<type>/<namespace>/<name>@<version>
SCANOSS uses PURLs as the primary identifier for all matched components across its APIs, configuration files, and scan outputs. Examples: 
pkg:github/scanoss/engine@5.0.0
pkg:npm/express@4.18.2
pkg:pypi/django@4.2.0
pkg:maven/org.springframework/spring-core@5.3.23