SCANOSS, a leading provider of software composition analysis (SCA) and Open Source Intelligence, has announced the release of CPE to PURL (Package URL) relations as open source. This move will allow organizations to keep track of known vulnerabilities in any of their SBOMs (Software Bills of Materials) securely, anonymously and free of charge. Security is of the utmost importance when it comes to managing software assets, and the ability to track and manage dependencies is a crucial aspect of ensuring the security and compliance of an organization’s software assets.
CPE (Common Platform Enumeration) is a standardized naming system for IT products and platforms, including operating systems, applications, and hardware. It is important for organizations to know the CPE for each open source component they use, as it allows them to connect that component with the known vulnerabilities associated with it as listed in the CVE (Common Vulnerabilities and Exposures) database. By tracking and managing these dependencies, organizations can ensure that their applications are secure and compliant.
PURLs (Package URLs), on the other hand, are unique URLs that can be used to identify and locate online resources, such as software assets. By linking CPEs to PURLs, organizations can more easily track and manage the dependencies in their software applications, as well as ensure that they are using the most up-to-date versions. This process is known as creating an SBOM, which is a complete list of the dependencies in a software application and the known vulnerabilities associated with each one.
The release of CPE to PURL relations as open source will have several benefits for organizations. First and foremost, it will allow them to more easily track and manage the dependencies in their software applications, ensuring compliance with industry regulations and minimizing the risk of security vulnerabilities. It will also enable organizations to more easily share information about their software assets with other parties, such as suppliers and customers.
In addition, the open source nature of CPE to PURL relations will allow organizations to customize and extend the functionality of the system to meet their specific needs. This will enable them to better meet the unique requirements of their business and ensure that they are able to fully leverage the benefits of the system.
Overall, the release of CPE to PURL relations as open source by SCANOSS is a significant development for organizations looking to more effectively track and manage the dependencies in their software applications. It will enable them to ensure compliance with industry regulations, minimize the risk of security vulnerabilities, and more easily share information with other parties. The ability to connect CPEs to known vulnerabilities listed in the CVE database is particularly important for ensuring the security and compliance of an organization’s software assets.
SCANOSS is the first open, configurable OSS Inventory & Intelligence platform that was built specifically for modern DevSecOps and supply chains, empowering them to deliver greater license, security, quality and provenance visibility for the broader DevOps team and supply chain partners. By freeing developers to focus on writing great, compliant code that they and their team can completely trust, applications are finished earlier, their quality is consistently higher, and development costs are dramatically lower. For more information, please visit https://scanoss.com/landing/purl2cpe.