Fossology is a copyright and license scanner that works on the source code (see my recent post on the seminar “Open-Source Management in Software Supply Chains” for a very brief overview). It creates the FOSS compliance reports that licensees must pass along to customers together with the source code of the FOSS packages.
Quartermaster also yields FOSS compliance reports, but it digs deeper than Fossology. Quartermaster hooks into the build process. It finds exactly the packages an executable or library depends on, so no effort is wasted on checking irrelevant packages. It also finds packages whose source code is downloaded during the build. Fossology cannot detect these packages, because they are not present in the source tree it scans.
SPDX is a file format for exchanging licensing and copyright information. It also standardises the names of FOSS licenses.