Package URL

PURL is a mini spec used in CycloneDX, SPDX and CSAF VEX.

It is is a standardization attempt to reliably identify and locate software packages with the existing approaches. A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programing languages, package managers, packaging conventions, tools, APIs and databases.

Companion open source vulnerability databases

• VulnerableCode available at https://public.vulnerablecode.io is keyed by purl. It is an open source code and open data correlated and aggregated vulnerability database.

• purldb is a companion database of all the purls listed in the repo.