.. _purl:

***********
Package URL
***********

`PURL `_ is a mini spec used in :ref:`CycloneDX `, :ref:`SPDX ` and `CSAF `_ :ref:`VEX `. It is an attempt to standardize existing approaches to reliably identify and locate software packages.

A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.

Companion open source vulnerability databases
#############################################

* `VulnerableCode `_, available at https://public.vulnerablecode.io, is keyed by purl. It is a correlated and aggregated vulnerability database, published as open source code and open data.
* `purldb `_ is a companion database of all the purls listed in the repo.
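
Because tools and databases such as the ones above use the purl string as a key, every consumer has to split it into the same components. The following parser is an added example, not code from this page or from the purl project; it assumes the component layout ``pkg:type/namespace/name@version?qualifiers#subpath`` from the purl specification, and the names ``Purl``, ``parse_purl`` and ``_rsplit`` are chosen here for illustration.

```python
# Added example (not from the purl project): a minimal purl parser.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str] = None
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None


def _rsplit(text: str, sep: str) -> tuple:
    """Split once from the right; the right part is '' when sep is absent."""
    left, found, right = text.rpartition(sep)
    return (left, right) if found else (text, "")


def parse_purl(purl: str) -> Purl:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath."""
    scheme, found, rest = purl.partition(":")
    if not found or scheme.lower() != "pkg":
        raise ValueError("not a purl: missing 'pkg:' scheme")
    rest, subpath = _rsplit(rest.lstrip("/"), "#")
    rest, query = _rsplit(rest, "?")
    ptype, found, rest = rest.partition("/")
    if not found or not ptype:
        raise ValueError("not a purl: type and name are required")
    path, version = _rsplit(rest, "@")
    namespace, _, name = path.strip("/").rpartition("/")
    if not name:
        raise ValueError("not a purl: name is required")
    qualifiers = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        if value:  # qualifiers with an empty value are dropped
            qualifiers[key.lower()] = unquote(value)
    # Drop empty, '.' and '..' segments so a subpath cannot walk upwards.
    segments = [unquote(s) for s in subpath.split("/")]
    subpath = "/".join(s for s in segments if s not in ("", ".", ".."))
    return Purl(ptype.lower(), unquote(namespace) or None, unquote(name),
                unquote(version) or None, qualifiers, subpath or None)
```

Two spellings of the same package, such as ``PKG:PyPI/django@1.11.1`` and ``pkg:pypi/django@1.11.1``, parse to the same components, which is what makes the purl usable as a lookup key.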