Package URL

PURL is a mini spec used in CycloneDX, SPDX and CSAF VEX.

It is a standardization attempt to reliably identify and locate software packages, building on the existing approaches. A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.
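As an added example (not from the PURL spec or from CycloneDX/SPDX tooling), a small Python parser that splits a purl into its components the way an SBOM or VEX consumer must before matching it against a vulnerability database; `parse_purl` and `PackageURL` are names chosen here, and the sample purls in the comments are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote


@dataclass
class PackageURL:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> PackageURL:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath.
    Parts are split in the spec's order (subpath and qualifiers from the
    right first) and decoded separately, so an encoded '@', '/' or '#'
    inside a value never shifts a boundary."""
    rest, sep, subpath = purl.rpartition("#")        # 1. subpath
    if not sep:
        rest, subpath = subpath, ""
    rest, sep, query = rest.rpartition("?")          # 2. qualifiers
    if not sep:
        rest, query = query, ""
    scheme, sep, rest = rest.partition(":")          # 3. scheme must be pkg
    if not sep or scheme.lower() != "pkg":
        raise ValueError(f"not a purl: {purl!r}")
    rest = rest.strip("/")
    type_, sep, rest = rest.partition("/")           # 4. type, case-insensitive
    if not sep or not type_:
        raise ValueError(f"purl lacks type or name: {purl!r}")
    rest, sep, version = rest.rpartition("@")        # 5. version after last '@'
    if not sep:
        rest, version = version, ""
    segments = [unquote(s) for s in rest.split("/") if s]   # e.g. pkg:npm/%40angular/core
    if not segments:
        raise ValueError(f"purl lacks a name: {purl!r}")
    name, namespace = segments[-1], "/".join(segments[:-1]) or None
    qualifiers = {}                                  # 6. key=value, keys lower-cased
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        if value:                                    # empty values are dropped
            qualifiers[key.lower()] = unquote(value)
    parts = (unquote(p) for p in subpath.split("/"))  # 7. drop '', '.' and '..'
    sub = "/".join(p for p in parts if p not in ("", ".", ".."))
    return PackageURL(type=type_.lower(), name=name, namespace=namespace,
                      version=unquote(version) or None,
                      qualifiers=qualifiers, subpath=sub or None)
```

Step 7 matters when a purl comes from an untrusted SBOM: a subpath such as `#../../internal` is normalised to `internal` rather than handed to code that might join it onto a filesystem path.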

Companion open source vulnerability databases