Getting started updates

mjherzog · mjherzog · commit bef12b95be33 · 2026-01-24T15:38:33.000-08:00
Signed-off-by: Michael Herzog &lt;mjherzog@nexb.com&gt;
diff --git a/website/docs/getting_started/getting_started-cravex.md b/website/docs/getting_started/getting_started-cravex.md
@@ -0,0 +1,11 @@
+# Compliance
+
+## Identify licenses for software and for data
+
+## Apply license usage policies**
+
+## Produce SBOMs
+
+## Automate compliance
+
+- Generate compliance artifacts (e.g. attribution notices)
diff --git a/website/docs/getting_started/getting_started-security.md b/website/docs/getting_started/getting_started-security.md
@@ -1,7 +1,32 @@
 # Security
+Software security is a very broad domain. The AboutCode commmunity has focused
+on the identification, reporting, triage and remediation of open source 
+vulnerabilities because this fits with our core expertise in software
+identification and SCA (Software Composition Analysis). We are, however, expanding our scope for software security with the recent addition of the **atom** and **chen" project to the AboutCode community, but most of our tools and data are related to software vulnerabilities.
+See also [atom and chen join AboutCode](https://aboutcode-org.github.io/www.aboutcode.org/blog/atom-chen-aboutcode).
+
+Note that our tools and data for software vulnerabilities expect that software
+will be identified with a [PURL (Package-URL)](https://package-url.github.io/www.packageurl.org/docs/purl/purl-spec-introduction).
 
 ## Identify vulnerabilities
-- VERS
+For the basic use case of identifying software vulnerabilities, AboutCode 
+offers the VulnerableCode tools and data, the DejaCode application, ScanCode tools, and the PURL standard.
+
+- [VulnerableCode](https://vulnerablecode.readthedocs.io/en/latest/) provides
+a robust set of tools to build and access a database of known software 
+vulnerabilities from upstream and downstream public data sources. The 
+VulnerableCode tools collect, aggregate and correlated vulnerabilities and 
+maps them to package versions using PURL. 
+
+    AboutCode hosts a public VulnerableCode database at https://public2.vulnerablecode.io/ with a Web UI for queries and an API. Access is free 
+    but there are some restrictions on the frequency and volume of API 
+    requests. You can use the VulnerableCode tools to build, maintain and 
+    use (Web UI and APIs) your own private VCIO database.
+
+- [DejaCode] products, packages
+
+- [ScanCode.io] ajfasdlj;kj `find_vulnerabilities pipeline
+
 
 ## Triage vulnerabilities
 - Risk scoring
diff --git a/website/docs/getting_started/getting_started-software-identification.md b/website/docs/getting_started/getting_started-software-identification.md
@@ -17,8 +17,10 @@ represents approximately 80% of software in use according to most surveys.
 ## Package-URL
 
 The AboutCode team identified this problem in 2018 in the context of working
-on our ScanCode and VulnerableCode projects. The solution was and is the PURL (Package-URL) specification which has become the most widely used software
-identifier for open source software. PURL is now an Ecma standard - [ECMA-427](https://ecma-tc54.github.io/ECMA-427/), and it is on a fast track to become 
+on our ScanCode and VulnerableCode projects. The solution was and is the PURL 
+(Package-URL) specification which has become the most widely used software
+identifier for open source software. PURL is now an Ecma standard - [ECMA-427]
+(https://ecma-tc54.github.io/ECMA-427/), and it is on a fast track to become 
 an ISO standard. 
 
 Our team also identified a related problem - after you have a standard way
@@ -27,26 +29,33 @@ package versions to determine whether a reported vulnerability affects the
 version that you use? Our solution is the VERS (VErsion Range Specifier) 
 specification which will be submitted to Ecma as a standard in 2026.
 
-See the [Package-URL website](https://package-url.github.io/www.packageurl.org/) for more information about PURL and VERS.
+See the [Package-URL website](https://package-url.github.io/www.packageurl.org/) 
+for more information about PURL and VERS.
 
 See the Package-URL (PURL) projects section of the Home page for more 
 information about AboutCode tools that provide PURL- and VERS-specific 
 capabilities.
 
 ## Identify software packages and components
 For the basic use case of identifying software packages and components, 
-AboutCode offers the DejaCode and ScanCode tools, the PURLDB database and the PURL standard. 
+AboutCode offers the DejaCode application, ScanCode tools, the PURLDB database and the [PURL standard](https://package-url.github.io/www.packageurl.org/docs/purl/purl-spec-introduction). 
 
 - [DejaCode](https://dejacode.readthedocs.io/en/latest/) is an enterprise-level
 application to automate managing your software assets including license 
 compliance and security vulnerabilities. DejaCode embeds ScanCode.io for core
-scanning functions and uses VulnerableCode data for vulnerability reporting. DejaCode includes a database of licenses, components and packages, and SBOMs. 
-It is also where you can set and apply your license and vulnerability risk policies. DejaCode is designed for integration with GitHub, GitLab, JIRA and other software development platforms. You normally run DejaCode as a Docker
+scanning functions and uses VulnerableCode data for vulnerability reporting. 
+DejaCode includes a database of licenses, components and packages, and SBOMs. 
+It is also where you can set and apply your license and vulnerability risk 
+policies. DejaCode is designed for integration with GitHub, GitLab, JIRA and 
+other software development platforms. You normally run DejaCode as a Docker
 container.
 
 - [ScanCode.io](https://scancodeio.readthedocs.io/en/latest/) is an 
-application to scan codebases, packages, containers or other software collections. ScanCode.io uses a specific pipeline for scanning or analyzing 
-each software target and provides a database with UI and API access to your scans. ScanCode.io is usually a good place to get started in the AboutCode ecosystem. You normally run ScanCode.io as a Docker container. You can export
+application to scan codebases, packages, containers or other software 
+collections. ScanCode.io uses a specific pipeline for scanning or analyzing 
+each software target and provides a database with UI and API access to your 
+scans. ScanCode.io is usually a good place to get started in the AboutCode 
+ecosystem. You normally run ScanCode.io as a Docker container. You can export
 scan data in many formats including: JSON, XLSX, CycloneDX SBOM, SPDX SBOM, or  
 an attribution-notice.
 
@@ -55,18 +64,23 @@ library (and command line utility) that provides the scanning engine for
 ScanCode.io. Its primary functions are to identify:
   - Software licenses based on matching license notices and texts to ScanCode
   license detection rules 
-  - Software origin based on copyright or author notices, email addresses, URLs and other clues
-  - Software codebase structure including directories and files with extensive file information such as size, MIME type, file type, programming language,
+  - Software origin based on copyright or author notices, email addresses, 
+  URLs and other clues
+  - Software codebase structure including directories and files with extensive
+   file information such as size, MIME type, file type, programming language,
   checksums (MD5,SHA1,SHA256,SHA512) and more
 
 - [ScanCode LicenseDB](https://scancode-licensedb.aboutcode.org/index.html)
 provides license text and metadata for 2,470 open source and other third-party 
-licenses (and growing). Each license has an SPDX license identifier using the `Licenseref-scancode` namespace for licenses that are not yet included in the
+licenses (and growing). Each license has an SPDX license identifier using the 
+`Licenseref-scancode` namespace for licenses that are not yet included in the
 SPDX License List.
 
-- [PURLDB](https://purldb.readthedocs.io/en/stable/) provides tools to create and manage a database of package metadata keyed by PURL. You can use PURLDB 
+- [PURLDB](https://purldb.readthedocs.io/en/stable/) provides tools to create 
+and manage a database of package metadata keyed by PURL. You can use PURLDB 
 data via API to enrich your package and SBOM data in DejaCode, ScanCode.io, 
-or your own application. The AboutCode team also currently hosts a public [PURLDB](https://public.purldb.io/api/) service with REST API.
+or your own application. The AboutCode team also currently hosts a public 
+[PURLDB](https://public.purldb.io/api/) service with REST API.
 
 ## Analyze containers 
 The analysis of containers to produce inventories or SBOMs for the software
@@ -85,7 +99,8 @@ detailed information about image layers and their file content.
     export the data in CycloneDX or SPDX SBOM format, or in JSON or XLSX format
     for use in another application. 
 
-    If you need to update or enhance the scan data before you produce an SBOM, DejaCode provides several options.
+    If you need to update or enhance the scan data before you produce an SBOM, 
+    DejaCode provides several options.
     
 - [DejaCode](https://dejacode.readthedocs.io/en/latest/) is highly integrated
 with ScanCode so that you can easily import ScanCode scan data from ScanCode
@@ -99,24 +114,36 @@ then:
     - Generate an SBOM in CycloneDX or SPDX format
     - Generate an attribution notice
 
-- [container-inspector](https://github.com/aboutcode-org/container-inspector/blob/main/README.rst) is a static analysis tool to analyze the structure of software components in a container image. container-inspector is
-used in the ScanCode.io `analyze_docker_image` pipeline for the layer analysis,
+- [container-inspector](https://github.com/aboutcode-org/container-inspector/blob/main/README.rst) 
+is a static analysis tool to analyze the structure of software components in a
+ container image. container-inspector is used in the ScanCode.io 
+ `analyze_docker_image` pipeline for the layer analysis,
 but you can also use it as a command line utility.
 
 ## Consume or produce SBOMs
 The EU CRA (Cyber Resilience Act) and other regulatory initiatives have 
 dramatically raised the importance of SBOMs (Software Bills of Materials) for 
-compliance with security risk management laws and regulations. A key challenge in using SBOMs is the reliable identification of software packages so that someone else in your software supply chain (upstream or downstream) will recognize the same package identity. The PURL (Package-URL) standard [ECMA-427](https://ecma-tc54.github.io/ECMA-427/) provides the most popular solution.
-
-**DejaCode** and **ScanCode.io** both provide full capabilities to import or export SBOMs in CycloneDX or SPDX format using PURL as the standard software 
+compliance with security risk management laws and regulations. A key challenge
+ in using SBOMs is the reliable identification of software packages so that 
+ someone else in your software supply chain (upstream or downstream) will 
+ recognize the same package identity. The PURL (Package-URL) standard 
+ [ECMA-427](https://ecma-tc54.github.io/ECMA-427/) provides the most popular 
+ solution.
+
+**DejaCode** and **ScanCode.io** both provide full capabilities to import or 
+export SBOMs in CycloneDX or SPDX format using PURL as the standard software 
 identifier.
 
 ## Match binaries to source
-One of the most difficult software identification tasks is to match the "binary" files that you distribute or deploy (on a device or the cloud) to the corresponding "source" files from your development/build systems. In the 
+One of the most difficult software identification tasks is to match the 
+"binary" files that you distribute or deploy (on a device or the cloud) to the
+ corresponding "source" files from your development/build systems. In the 
 AboutCode community we consider binary-source matching to be a subset of the 
-much larger domain of matching "deploy" files to "devel" files. This matching challenge includes:
+much larger domain of matching "deploy" files to "devel" files. This matching 
+challenge includes:
 
-- [ScanCode.io](https://scancodeio.readthedocs.io/en/latest/) supports "deploy-to-devel" matching with the `map_deploy_to_develop` pipeline.
+- [ScanCode.io](https://scancodeio.readthedocs.io/en/latest/) supports 
+"deploy-to-devel" matching with the `map_deploy_to_develop` pipeline.
 This pipeline currently handles:
 
   - Matching Linux ELF, Windows, MacOS or Rust binaries to source
@@ -126,33 +153,53 @@ This pipeline currently handles:
   - Matching minified JavaScript to corresponding TS or JS files
   - And other use cases
 
-- [MatchCode Toolkit](https://github.com/aboutcode-org/matchcode-toolkit/blob/main/README.rst) is a Python library that provides the file and directory fingerprinting functionality for ScanCode Toolkit and ScanCode.io using
-the HaloHash algorithm. You can use the **MatchCode Toolkit** as a library.
+- [MatchCode Toolkit](https://github.com/aboutcode-org/matchcode-toolkit/blob/main/README.rst) 
+is a Python library that provides the file and directory fingerprinting 
+functionality for ScanCode Toolkit and ScanCode.io using the HaloHash 
+algorithm. You can use the **MatchCode Toolkit** as a library.
 
 - ScanCode uses several AboutCode libraries to analyze "deploy" files 
 including:
-   - [binary-inspector](https://github.com/aboutcode-org/binary-inspector/blob/main/README.rst) extracts symbols from binaries in ELF, Mach-O, WinPe and
+   - [binary-inspector](https://github.com/aboutcode-org/binary-inspector/blob/main/README.rst) 
+   extracts symbols from binaries in ELF, Mach-O, WinPe and
    other formats
-   - [elf-inspector](https://github.com/aboutcode-org/elf-inspector/blob/main/README.rst) collects data from ELF binaries
-   - [go-inspector](https://github.com/aboutcode-org/go-inspector/blob/main/README.rst) extracts dependencies and symbols from Go binaries
-   - [rust-inspector](https://github.com/aboutcode-org/rust-inspector/blob/main/README.rst) extracts dependencies and symbols from Rust binaries
-   - [source-inspector](https://github.com/aboutcode-org/source-inspector/blob/main/README.rst) collects code symbols, strings and comments from source files
+   - [elf-inspector](https://github.com/aboutcode-org/elf-inspector/blob/main/README.rst) 
+   collects data from ELF binaries
+   - [go-inspector](https://github.com/aboutcode-org/go-inspector/blob/main/README.rst) 
+   extracts dependencies and symbols from Go binaries
+   - [rust-inspector](https://github.com/aboutcode-org/rust-inspector/blob/main/README.rst) 
+   extracts dependencies and symbols from Rust binaries
+   - [source-inspector](https://github.com/aboutcode-org/source-inspector/blob/main/README.rst) 
+   collects code symbols, strings and comments from source files
 
    These are all Python utilities that can also be used independently.
 
 ## Identify software dependencies
 There are many use cases that require the identification of package software 
 dependencies including:
-- Identifying the licenses and vulnerabilites from package dependencies before you select a software package to use it in your product or project.
-- Identifying package version dependencies before you upgrade a package.
-- Reporting package dependencies with their licenses or vulnerabilities in an SBOM or other document.
-
-- **ScanCode Toolkit** and **ScanCode.io** both collect and report package
-dependency data from package manifest and dependency lock files (e.g., package.json or package-lock.json for npm. The reported package data includes the scope of a dependency and related attributes (runtime, optional, pinned, direct). 
-- [dependency inspector](https://github.com/aboutcode-org/dependency-inspector/blob/main/README.rst) is a command line tool to generate package lockfiles and parsable package manifests to make it easy to collect resolved dependencies 
-and accurate metadata for a project. It uses the standard package management tool for each package type or ecosystem.
-- [nuget-inspector](https://github.com/aboutcode-org/nuget-inspector/blob/main/README.rst) is a utility to resolve .NET or nuget package dependencies independently of a dotnet SDK installed on the computer used to run the **nuget-inspector**.
-- [python-inspector](https://github.com/aboutcode-org/python-inspector/blob/main/README.rst) is utility to resovlve PyPI package dependencies and query PyPI 
+  - Identifying the licenses and vulnerabilites from package dependencies 
+  before you select a software package to use it in your product or project.
+   - Identifying package version dependencies before you upgrade a package.
+   - Reporting package dependencies with their licenses or vulnerabilities in 
+   an SBOM or other document.
+
+**ScanCode Toolkit** and **ScanCode.io** both collect and report package
+dependency data from package manifest and dependency lock files (e.g., 
+package.json or package-lock.json for npm. The reported package data includes 
+the scope of a dependency and related attributes (runtime, optional, pinned, 
+direct). Scancode uses many AboutCode libraries and utilities to identify software
+package dependencies including:
+
+- [dependency inspector](https://github.com/aboutcode-org/dependency-inspector/blob/main/README.rst) 
+is a command line tool to generate package lockfiles and parsable package 
+manifests to make it easy to collect resolved dependencies and accurate 
+metadata for a project. It uses the standard package management tool for each 
+package type or ecosystem.
+- [nuget-inspector](https://github.com/aboutcode-org/nuget-inspector/blob/main/README.rst) 
+is a utility to resolve .NET or nuget package dependencies independently of a 
+dotnet SDK installed on the computer used to run the **nuget-inspector**.
+- [python-inspector](https://github.com/aboutcode-org/python-inspector/blob/main/README.rst) 
+is a utility to resovlve PyPI package dependencies and query PyPI 
 to enrich package metadata.
 
 
