Software Supply Chain Standards
AboutCode is leading the way with simple and practical standards like PURL. PURL is the common identifier across software supply chain standards, making it possible to correlate and cross-reference data between SBOMs, vulnerability databases, reports, advisories, attestations, and tools.
Standards created by AboutCode
Package-URL (PURL): a widely used standard to identify software packages of any type with simple, readable and concise URLs. The PURL standard is ECMA-427.
VERS (Version Range Specification): a standard scheme for expressing version ranges of software packages in a consistent, parseable way across all package ecosystems. VERS solves the problem of each ecosystem having its own incompatible version range syntax. It is used in CycloneDX and CSAF to express affected version ranges in vulnerability advisories and SBOMs.
SBOM standards supported by AboutCode
CycloneDX (OWASP CycloneDX): a full-stack Bill of Materials (BOM) standard (ECMA-424) that provides advanced supply chain capabilities for cyber risk reduction. It uses PURL and VERS. AboutCode is a core contributor.
SPDX (System Package Data Exchange): a specification for representing systems with software components as SBOMs (Software Bill of Materials), together with AI, data and security references. It uses PURL. Co-founded by AboutCode.
Security and vulnerability standards
CSAF (Common Security Advisory Framework): an OASIS standard for machine-readable security advisories. It uses PURL and VERS for product identification and affected version ranges.
OpenVEX: an implementation of VEX (Vulnerability Exploitability eXchange) from OpenSSF for communicating vulnerability impact assessments. It uses PURL for package identification.
MITRE CVE Schema: the CVE Record format used by the MITRE CVE Program to describe vulnerabilities. It uses PURL to identify affected software packages.
OSV (Open Source Vulnerabilities): a distributed vulnerability database schema from Google. It uses PURL to identify affected packages across ecosystems.
Other supply chain standards using PURL
CLE (Common Lifecycle Enumeration): a standard for describing software lifecycle stages. It uses PURL for package identification.
TEA (Transparent Exchange API): a standard for software supply chain data exchange and trust. It uses PURL to reference packages.