
# References and External Docs

> This page collects the key external standards, specifications, tools, and resources that SCANOSS builds on, integrates with, or references throughout its documentation.

## SBOM Standards

### SPDX (Software Package Data Exchange)

SPDX is a Linux Foundation open standard for communicating software bill of
materials (SBOM) information, including components, licences, copyrights, and
security references.

SCANOSS supports [SPDX Lite](https://spdx.github.io/spdx-spec/v2.3/SPDX-Lite/)
as an output format. SPDX Lite is a lightweight profile of the full SPDX
specification, focused on licence compliance.

### CycloneDX

[CycloneDX](https://cyclonedx.org) is an OWASP standard for creating SBOMs and
CBOMs (Cryptography Bills of Materials). SCANOSS uses CycloneDX as its default
SBOM format for software composition analysis, vulnerability tracking, and
cryptographic reporting.

SCANOSS supports the following CycloneDX output types:

* **CycloneDX SBOM** — standard software bill of materials output
* **CycloneDX with Vulnerabilities** — SBOM enriched with vulnerability data
* **CycloneDX CBOM** — cryptographic bill of materials, generated via the
  [Crypto Finder](/tools/crypto-finder) tool

## Component Identification

### PURL (Package URL)

[PURL](https://github.com/package-url/purl-spec) is an open specification for
identifying software packages using a standardised URL-like string in the
following format:

```
pkg:<type>/<namespace>/<name>@<version>
```

SCANOSS uses PURLs as the primary identifier for all matched components across
its APIs, configuration files, and scan outputs.

**Examples:**

```
pkg:github/scanoss/engine@5.0.0
pkg:npm/express@4.18.2
pkg:pypi/django@4.2.0
pkg:maven/org.springframework/spring-core@5.3.23
```
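
The examples above show that the namespace segment can be absent (`pkg:npm/express@4.18.2`), so a consumer that splits a PURL on fixed positions will misread it. The following parser is an added example, not SCANOSS code; `parse_purl`, `is_valid_purl` and `Purl` are hypothetical names. It validates PURLs taken from scan output or configuration before they are used as identifiers, treats namespace and version as optional as the PURL specification does, and ignores the qualifiers and subpath parts of the full specification.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import unquote

# Type charset per the PURL spec: ASCII letters, digits, '.', '+', '-'; no leading digit.
TYPE_RE = re.compile(r"[a-z][a-z0-9.+-]*")

class Purl(NamedTuple):
    type: str
    namespace: Optional[str]   # absent for e.g. pkg:npm/express@4.18.2
    name: str
    version: Optional[str]

def parse_purl(purl: str) -> Purl:
    """Parse and validate a PURL string; raise ValueError if it is malformed."""
    scheme, colon, rest = purl.partition(":")
    if not colon or scheme.lower() != "pkg":
        raise ValueError(f"missing 'pkg:' scheme: {purl!r}")
    # The full spec also allows ?qualifiers and #subpath; this example drops them.
    rest = rest.split("#", 1)[0].split("?", 1)[0].lstrip("/")
    ptype, slash, rest = rest.partition("/")
    ptype = ptype.lower()
    if not slash or not TYPE_RE.fullmatch(ptype):
        raise ValueError(f"invalid or missing type: {purl!r}")
    # The version follows the last '@'; a literal '@' in a name or namespace is
    # percent-encoded (%40), so it cannot be mistaken for the separator.
    path, at, version = rest.rpartition("@")
    if not at:
        path, version = rest, None
    elif not version:
        raise ValueError(f"empty version after '@': {purl!r}")
    segments = [unquote(s) for s in path.split("/") if s]
    if not segments:
        raise ValueError(f"missing name: {purl!r}")
    *ns, name = segments
    return Purl(ptype, "/".join(ns) or None, name,
                unquote(version) if version else None)

def is_valid_purl(purl: str) -> bool:
    """Boolean wrapper for filtering untrusted input."""
    try:
        parse_purl(purl)
        return True
    except ValueError:
        return False
```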
