Standardizing FOSS package identifiers using PURL

When tools, APIs and databases process or store multiple package types, it is difficult to reference the same software package across tools in a uniform way. Often, these tools, specifications and APIs use relatively similar approaches to identify and locate software packages, each with subtle differences in syntax, naming and conventions.

PURL, or Package-URL, standardizes existing approaches to reliably identify and locate software packages in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases. As a URL string, PURL reliably references the same software package using a simple and expressive syntax and conventions based on familiar URLs.
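The syntax referred to above follows the public Package-URL grammar `pkg:type/namespace/name@version?qualifiers#subpath`. The following parser and serializer is an added example written for this page; it is not code from the PURL specification repository or from the packageurl-python library. It assumes the spec's component rules (lowercase type, percent-encoded namespace, name and version, lowercase sorted qualifier keys, `.` and `..` dropped from the subpath) and applies only two of the type-specific normalization rules (lowercasing for `github`/`bitbucket`, and lowercase-with-dashes for `pypi` names). The point it demonstrates is the one the paragraph makes: differently written references to the same package normalize to one canonical string, which is what lets an SBOM, a vulnerability database and a scanner agree on identity.

```python
"""Minimal Package-URL (PURL) parser and serializer (added example, not
the packageurl-python library). Grammar assumed:
    pkg:type/namespace/name@version?qualifiers#subpath
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import quote, unquote


@dataclass(frozen=True)
class PackageURL:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Tuple[Tuple[str, str], ...] = ()  # sorted (key, value) pairs
    subpath: Optional[str] = None


def _split_right(s: str, sep: str):
    """Split on the right-most sep; the tail is None when sep is absent."""
    if sep in s:
        head, tail = s.rsplit(sep, 1)
        return head, tail
    return s, None


def parse_purl(purl: str) -> PackageURL:
    """Parse a PURL string into normalized components; ValueError if malformed."""
    remainder, subpath = _split_right(purl.strip(), "#")
    if subpath is not None:
        # '.', '..' and empty segments must not change what is referenced.
        segments = [unquote(seg) for seg in subpath.strip("/").split("/")
                    if seg and seg not in (".", "..")]
        subpath = "/".join(segments) or None

    remainder, raw_qualifiers = _split_right(remainder, "?")
    qualifiers = {}
    if raw_qualifiers:
        for pair in raw_qualifiers.split("&"):
            if not pair:
                continue
            key, _, value = pair.partition("=")
            key = key.lower()
            if not re.fullmatch(r"[a-z0-9._-]+", key):
                raise ValueError(f"invalid qualifier key: {key!r}")
            value = unquote(value)
            if value:  # qualifiers with empty values are dropped, not errors
                qualifiers[key] = value

    scheme, _, remainder = remainder.partition(":")
    if scheme.lower() != "pkg" or not remainder:
        raise ValueError("PURL must start with 'pkg:'")
    remainder = remainder.lstrip("/")  # 'pkg://type/...' is tolerated

    type_, _, remainder = remainder.partition("/")
    type_ = type_.lower()
    if not type_ or not remainder:
        raise ValueError("PURL needs a type and a name")

    remainder, version = _split_right(remainder, "@")
    if version is not None:
        version = unquote(version) or None

    parts = [unquote(p) for p in remainder.split("/") if p]
    if not parts:
        raise ValueError("PURL needs a name")
    name = parts[-1]
    namespace = "/".join(parts[:-1]) or None

    # Type-specific normalization: only a subset of the spec's rules is applied here.
    if type_ in ("github", "bitbucket"):
        name = name.lower()
        namespace = namespace.lower() if namespace else None
    elif type_ == "pypi":
        name = name.lower().replace("_", "-")

    return PackageURL(type_, name, namespace, version,
                      tuple(sorted(qualifiers.items())), subpath)


def to_purl(p: PackageURL) -> str:
    """Serialize to the canonical string: encoded components, sorted qualifiers."""
    out = f"pkg:{p.type}/"
    if p.namespace:
        out += "/".join(quote(seg, safe="") for seg in p.namespace.split("/")) + "/"
    out += quote(p.name, safe="")
    if p.version:
        out += "@" + quote(p.version, safe=":+")
    if p.qualifiers:
        out += "?" + "&".join(f"{k}={quote(v, safe=':/,+')}" for k, v in p.qualifiers)
    if p.subpath:
        out += "#" + "/".join(quote(seg, safe="") for seg in p.subpath.split("/"))
    return out


if __name__ == "__main__":
    # Constructed sample inputs: two spellings of one package, one with a namespace and subpath.
    for s in ("pkg:pypi/Django_Package@1.11.1", "pkg:pypi/django-package@1.11.1",
              "pkg:github/Package-URL/purl-spec@244fd47e07d1004f#./everybody/loves/dogs/"):
        print(s, "->", to_purl(parse_purl(s)))
```

Two values of `PackageURL` compare equal when every normalized component matches, so `parse_purl(a) == parse_purl(b)` is the identity test a tool would use before joining two records, and `to_purl` gives the single string to store or index.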

PURL was originally developed by nexB for use in ScanCode and VulnerableCode, and is now the de facto standard for vulnerability management and package references by SBOM projects like CycloneDX and SPDX, and in active use by most open source projects that need to identify packages and by many companies and organizations worldwide.
