Identifying packages and vulnerabilities across ecosystems

Because no tech stack is an island running on a single programming language and in a single package ecosystem, we need a way to talk about packages and their versions across ecosystems. PURL and vers are an attempt to solve this problem and express package dependencies and vulnerabilities using a common language among multiple tools, SBOM formats and tech stacks.

In this video, Philippe Ombredanne and Hritik Vijay from AboutCode present Package-URL, a mostly universal way to reference packages across ecosystems which is emerging as a de-facto standard identifier for open source software packages.

They will introduce and explain a new universal notation for package version ranges, such as is used when resolving package dependencies, as in “I require package foo, version 2.0 or later versions”, and when referencing affected vulnerable package versions, as in “vulnerability CVE-123 affects package bar, version 3.1 and version 4.2 but not version 5”. These two mini standards pave the way towards (mostly) universal FOSS package naming and versioning for dependency resolution and vulnerability range references, and are emerging as essential to reliably process vulnerability data in the software supply chain.
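As an added worked example (not code from the talk, nor from AboutCode's own packageurl-python or univers libraries), the following Python parses Package-URL strings and the vers range notation and checks whether a package version falls inside a range, covering both cases named above: a dependency requirement ("2.0 or later") and a vulnerability range ("3.1 and 4.2 but not 5"). The `generic` versioning scheme used in the sample strings, the simplistic dotted-number version comparison, and the pairwise lower/upper reading of the sorted constraints are assumptions of this example; real tooling compares versions with per-ecosystem schemes (semver, PEP 440, and so on) and follows the vers specification's normative algorithm.

```python
"""Minimal PURL and vers handling (constructed example, not a reference implementation)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str]
    subpath: Optional[str]


def parse_purl(purl: str) -> PackageURL:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath.

    Components are split in the order subpath, qualifiers, version, then
    the remaining path, so encoded characters inside names (e.g. %40 for
    an npm scope) are not mistaken for separators."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a Package-URL: %r" % purl)
    rest = purl[len("pkg:"):].lstrip("/")
    subpath = None
    if "#" in rest:
        rest, subpath = rest.split("#", 1)
    qualifiers: Dict[str, str] = {}
    if "?" in rest:
        rest, query = rest.split("?", 1)
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            qualifiers[key.lower()] = unquote(value)
    version = None
    if "@" in rest:
        rest, raw_version = rest.rsplit("@", 1)
        version = unquote(raw_version)
    parts = rest.split("/")
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return PackageURL(parts[0].lower(), namespace, unquote(parts[-1]), version, qualifiers, subpath)


@dataclass
class Constraint:
    op: str  # one of "*", "=", "!=", "<", "<=", ">", ">="
    version: str


OPERATORS = ("<=", ">=", "!=", "<", ">", "=")


def parse_vers(vers: str) -> Tuple[str, List[Constraint]]:
    """Parse vers:<scheme>/<constraint>|<constraint>...; a bare version means '='."""
    if not vers.startswith("vers:"):
        raise ValueError("not a vers range: %r" % vers)
    scheme, _, body = vers[len("vers:"):].partition("/")
    constraints: List[Constraint] = []
    for raw in body.split("|"):
        raw = raw.strip()
        if not raw:
            continue
        if raw == "*":
            constraints.append(Constraint("*", ""))
            continue
        for op in OPERATORS:
            if raw.startswith(op):
                constraints.append(Constraint(op, unquote(raw[len(op):])))
                break
        else:
            constraints.append(Constraint("=", unquote(raw)))
    return scheme.lower(), constraints


def version_key(version: str):
    """Assumed, simplistic ordering: dotted numeric segments compared as integers.
    Note that '2.0' sorts after '2' under this scheme; real tools use ecosystem rules."""
    return tuple((0, int(seg)) if seg.isdigit() else (1, seg)
                 for seg in re.split(r"[.\-+]", version))


def _satisfies(key, c: Constraint) -> bool:
    ck = version_key(c.version)
    return {"<": key < ck, "<=": key <= ck, ">": key > ck, ">=": key >= ck}[c.op]


def contains(vers: str, version: str) -> bool:
    """Containment check: exact (in)equalities first, then the sorted
    comparison constraints are read as lower/upper bound pairs (assumed reading)."""
    _, cons = parse_vers(vers)
    if any(c.op == "*" for c in cons):
        return True
    key = version_key(version)
    if any(c.op == "=" and version_key(c.version) == key for c in cons):
        return True
    if any(c.op == "!=" and version_key(c.version) == key for c in cons):
        return False
    bounds = sorted((c for c in cons if c.op in ("<", "<=", ">", ">=")),
                    key=lambda c: version_key(c.version))
    if not bounds:
        return False
    if bounds[0].op in ("<", "<=") and _satisfies(key, bounds[0]):
        return True  # below the lowest upper bound
    if bounds[-1].op in (">", ">=") and _satisfies(key, bounds[-1]):
        return True  # above the highest lower bound
    for lo, hi in zip(bounds, bounds[1:]):
        if lo.op in (">", ">=") and hi.op in ("<", "<=") and _satisfies(key, lo) and _satisfies(key, hi):
            return True
    return False


def is_affected(purl: str, vers: str) -> bool:
    """True when the purl carries a version that lies inside the vers range."""
    p = parse_purl(purl)
    return p.version is not None and contains(vers, p.version)


if __name__ == "__main__":
    # The two sentences from the talk description, written in PURL + vers (constructed):
    print("foo@2.5 satisfies '>=2.0':", is_affected("pkg:generic/foo@2.5", "vers:generic/>=2.0"))
    for v in ("3.1", "4.2", "5"):
        print("CVE-123 affects bar@%s:" % v, is_affected("pkg:generic/bar@" + v, "vers:generic/3.1|4.2"))
```

Run it directly to see the dependency requirement and the CVE-123 range from the text evaluated against sample versions; the `vers` scheme is kept alongside the purl type so a caller can refuse to compare a range against a package from a different ecosystem.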
