Package URL
PURL is a mini spec used in CycloneDX, SPDX and CSAF VEX.
It is a standardization attempt, building on existing approaches, to reliably identify and locate software packages. A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.
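A purl has the shape `pkg:type/namespace/name@version?qualifiers#subpath`. The following parser, added here as an illustration and not taken from the purl-spec, VulnerableCode or purldb projects (packageurl-python is the reference implementation), walks the spec's parsing order from right to left: subpath, qualifiers, scheme, type, version, then name and namespace, percent-decoding each component and rejecting the malformed cases a consumer should not silently accept.

```python
"""Minimal purl parser following the purl-spec parsing rules. Added example,
not code from purl-spec, VulnerableCode or purldb (packageurl-python is the
reference implementation)."""
from urllib.parse import unquote

def _split_right(s, sep):
    """Split once on the rightmost sep; return (left, right) or (s, None)."""
    if sep not in s:
        return s, None
    left, _, right = s.rpartition(sep)
    return left, right

def parse_purl(purl):
    """Parse 'pkg:type/namespace/name@version?qualifiers#subpath' to a dict."""
    # 1. subpath: rightmost '#'; drop '', '.' and '..' segments, decode each
    remainder, subpath_raw = _split_right(purl.strip(), "#")
    subpath = None
    if subpath_raw is not None:
        segs = [unquote(p) for p in subpath_raw.strip("/").split("/")
                if p not in ("", ".", "..")]
        subpath = "/".join(segs) or None
    # 2. qualifiers: rightmost '?'; keys lowercased, empty values discarded
    remainder, qual_raw = _split_right(remainder, "?")
    qualifiers = {}
    for pair in (qual_raw.split("&") if qual_raw else []):
        key, _, value = pair.partition("=")
        key = key.lower()
        if not key or not value:
            continue
        if key in qualifiers:
            raise ValueError(f"duplicate qualifier key: {key}")
        qualifiers[key] = unquote(value)
    # 3. scheme must be 'pkg'; a leading '/' after it is ignored
    scheme, _, remainder = remainder.partition(":")
    if scheme.lower() != "pkg":
        raise ValueError("purl must start with 'pkg:'")
    ptype, _, remainder = remainder.lstrip("/").partition("/")
    # 4. version: rightmost '@' ('@' inside a namespace must be %40-encoded)
    remainder, version_raw = _split_right(remainder.strip("/"), "@")
    version = unquote(version_raw) if version_raw else None
    # 5. name is the last path segment; what precedes it is the namespace
    ns_raw, _, name_raw = remainder.rpartition("/")
    namespace = "/".join(unquote(p) for p in ns_raw.split("/") if p) or None
    name = unquote(name_raw)
    if not ptype or not name:
        raise ValueError("purl needs a non-empty type and name")
    return {"type": ptype.lower(), "namespace": namespace, "name": name,
            "version": version, "qualifiers": qualifiers, "subpath": subpath}
```

Because SBOM and VEX consumers match purls across documents, keep comparing on the parsed, decoded components rather than on the raw string, since `%40angular` and an unencoded scope name denote the same package.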
Companion open source vulnerability databases
VulnerableCode, available at https://public.vulnerablecode.io, is keyed by purl. It is an open source, open data vulnerability database that aggregates and correlates vulnerability information.
purldb is a companion database of all the purls listed in the repo.