Software Identification (SWID) tags are very important in SCAP v2. Common Platform Enumeration (CPE) doesn't scale well, doesn't support patch information, and was intended to be a software identifier rather than a software inventory standard. SWID tags can be produced by the software provider and are managed with the software on an endpoint, which is much more scalable and supports software inventory use cases.
Rapid growth in Common Vulnerabilities and Exposures (CVE) assignments over the last couple of years has also increased the workload and labor costs for the National Vulnerability Database (NVD) to analyze CVE information and produce CPEs. The use of SWID tags provides the vulnerability management community with an approach to software identification and characterization that scales well compared to CPE. Developing tools that facilitate the integration of SWID tags into the software development and release process is the only sustainable path to support software identification in a scalable way.
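To make the patch and inventory points above concrete, the following added example (not from the original page) parses two constructed ISO/IEC 19770-2:2015 SWID tags, a primary tag and a patch tag, and builds an inventory that links the patch to the product it applies to. The vendor, product names and tagId values are made up for illustration, and a collector that reads tags from untrusted endpoints would swap in a hardened XML parser.

```python
import xml.etree.ElementTree as ET

NS = {"swid": "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"}

# Constructed sample tags: vendor, product and tagId values are invented.
PRIMARY_TAG = """<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="Example Editor" tagId="example.com-editor-2.1.0"
    version="2.1.0" versionScheme="multipartnumeric">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
</SoftwareIdentity>"""

PATCH_TAG = """<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="Example Editor Security Patch 7" tagId="example.com-editor-patch-7"
    patch="true">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
  <Link rel="patches" href="swid:example.com-editor-2.1.0"/>
</SoftwareIdentity>"""


def parse_tag(xml_text):
    """Extract the fields an inventory needs from one SWID tag."""
    root = ET.fromstring(xml_text)
    creator = next((e.get("name") for e in root.findall("swid:Entity", NS)
                    if "softwareCreator" in e.get("role", "").split()), None)
    # A patch tag points at the tag it patches via <Link rel="patches">.
    patches = [l.get("href")[len("swid:"):] for l in root.findall("swid:Link", NS)
               if l.get("rel") == "patches" and l.get("href", "").startswith("swid:")]
    return {"tag_id": root.get("tagId"), "name": root.get("name"),
            "version": root.get("version"), "creator": creator,
            "is_patch": root.get("patch", "false") == "true", "patches": patches}


def build_inventory(tag_documents):
    """Return (products keyed by tagId, patch tagIds whose target is absent)."""
    tags = [parse_tag(t) for t in tag_documents]
    inventory = {t["tag_id"]: dict(t, applied_patches=[])
                 for t in tags if not t["is_patch"]}
    orphans = []
    for t in (t for t in tags if t["is_patch"]):
        targets = [p for p in t["patches"] if p in inventory]
        for p in targets:
            inventory[p]["applied_patches"].append(t["tag_id"])
        if not targets:
            orphans.append(t["tag_id"])  # patch present, patched product not found
    return inventory, orphans
```

The orphan list surfaces patch tags left behind without a matching primary tag, which is an inventory inconsistency worth flagging during collection.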