Suppose you've generated a perfect SBOM. The next step is to compare this list against a database of known vulnerabilities (such as the NVD). But here we run into a huge semantic problem: how do we identify a component unambiguously?
CPE (Common Platform Enumeration) was the standard for decades, but it is too rigid for the millions of dynamic open-source packages on NPM or PyPI. The modern solution is PURL (Package URL). A PURL encodes the ecosystem, the namespace, the name and the version in a single standardised string. Make sure your audit tooling supports PURLs natively!
From reading to action
Curious how far your organisation is with the CRA? Test it in two minutes with the free Quickscan, or dive into the 4-week Survival Challenge.