Welcome to www.packageurl.org

A simple, consistent, and flexible approach for identifying software packages with precision and clarity.

Software ecosystems have evolved into highly interconnected networks of components, packages, and dependencies. Managing this complexity demands a robust, uniform mechanism to identify and track software packages across diverse ecosystems and tools. Package-URL (PURL) was developed to address this challenge by providing a simple, consistent, and flexible approach to identifying software packages with precision and clarity.

PURL introduces a standardized URL-based syntax that uniquely identifies software packages, independent of their ecosystem or distribution channel. Unlike traditional identification methods, PURL embeds critical metadata directly into its structure, enabling efficient, accurate package identification at scale. This standardization ensures interoperability between tools and ecosystems, fostering greater collaboration and reducing ambiguity in software supply chain management.

Challenges addressed by PURL:

  • Ambiguity in Package Identification: With diverse naming conventions across ecosystems, identifying software packages reliably has historically been a challenge. PURL eliminates this ambiguity by creating a universal identifier with a predictable structure.
  • Cross-Ecosystem Interoperability: Developers, organizations, and tools often work across multiple ecosystems, each with its own package management systems. PURL harmonizes these differences, enabling seamless interoperability.
  • Enhanced Traceability and Risk Management: In an era where supply chain security is critical, PURL provides the foundation for identifying and tracing packages to their origins, dependencies, and potential vulnerabilities.
  • Tooling and Automation: By standardizing package identification, PURL simplifies tooling development, automation, and integration for tasks such as software composition analysis, vulnerability management, and license compliance.

As software supply chain security becomes a global priority, formalizing PURL as an international standard ensures its adoption and consistent implementation. Standardization under Ecma International Technical Committee 54 (TC54) positions PURL as a foundational building block for secure, transparent, and efficient software ecosystems worldwide.

By enabling a universally recognized and implementable specification, PURL aligns with global efforts to improve the security, reliability, and accountability of software supply chains. Its adoption ensures that organizations and developers can rely on a common language to manage software packages across the diverse and rapidly evolving software landscape.

Software Specifications and Tools

PURL Adoption - Specifications

These are specifications that have adopted PURL or VERS.

Ecma TC54-TG3 is chartered with the standardization of the Common Lifecycle Enumeration (CLE), an open specification designed to support the aliasing of components and communicate lifecycle events such as end-of-life (EOL), end-of-support (EOS), and changes in component provenance over time.
  • Standards: VERS
A language to exchange Security Advisories.
  • Standards: VERS
The CVE Record Format is the JSON schema defining the structure of CVE records.
  • License: CC0 1.0 Universal
  • Standards: PURL v1.0
A lightweight software bill-of-material (SBOM) specification.
  • License: Apache-2.0
  • Standards: PURL v1.0, VERS
An implementation of the Vulnerability Exploitability Exchange (VEX for short) that is designed to be minimal, compliant, interoperable, and embeddable.
  • License: CC0-1.0
  • Standards: PURL v1.0
Open Source Vulnerability Schema.
  • License: Apache-2.0
  • Standards: PURL v1.0
A data exchange standard for human-readable and machine-processable software bill-of-materials (SBOM).
  • License: Community-Spec-1.0, CC-BY-3.0
  • Standards: PURL v1.0

Software Tools

These are community-maintained tools that support or use the Package-URL (PURL) or VERS standards.
A Ruby gem for parsing, comparing and sorting versions according to the VERS spec.
  • Base language: Ruby
  • Software License: MIT
  • Standards: VERS
A software assurance platform to measure risk and detect threats in critical open-source supply chains.
  • Standards: PURL v1.0
A Rust library (with WASM support) for parsing, validating, and checking version range specifiers.
  • Base language: Rust
  • Software License: Apache-2.0
  • Standards: VERS
Open source component analysis platform.
  • Base language: Java
  • Software License: Apache-2.0
  • Standards: PURL v1.0
Indexes and analyzes open source packages, ecosystems, and their dependencies.
  • Base language: Ruby
  • Software License: AGPL-3.0-only
  • Standards: PURL v1.0
Implementation of the purl (package url) specification.
  • Base language: Erlang, Elixir
  • Software License: Apache-2.0
  • Standards: PURL v1.0
Allows third-party tools to submit dependency data to GitHub for inclusion in a repository's dependency graph.
  • Standards: PURL v1.0
This package provides decoders and encoders in OCaml.
  • Base language: OCaml
  • Software License: ISC
  • Standards: PURL v1.0
A PURL (https://tc54.org/purl/) parser and serializer.
  • Base language: JavaScript
  • Software License: MIT
  • Standards: PURL v1.0
Java implementation of vers, a mostly universal version range specifier.
  • Base language: Java
  • Software License: Apache-2.0
  • Standards: VERS
A free catalog of Open Source Components and scanning tools to help developers identify vulnerable components.
  • Base language: Java
  • Software License: Apache-2.0
  • Standards: PURL v1.0
A suite of tools to assist with automating Open Source compliance checks.
  • Base language: Kotlin
  • Software License: Apache-2.0
  • Standards: PURL v1.0
Open Source Vulnerability database.
  • Base language: Python
  • Software License: Apache-2.0
  • Standards: PURL v1.0
This crate is an implementation of the Package URL specification for the Rust programming language.
  • Base language: Rust
  • Software License: MIT
  • Standards: PURL v1.0
.NET implementation of the package url spec.
  • Base language: C#
  • Software License: MIT
  • Standards: PURL v1.0
Go implementation of the package url spec.
  • Base language: Go
  • Software License: MIT
  • Standards: PURL v1.0
This project implements a purl parser and class for Java.
  • Base language: Java
  • Software License: MIT
  • Standards: PURL v1.0
JavaScript implementation of the package url spec.
  • Base language: JavaScript
  • Software License: MIT
  • Standards: PURL v1.0
A parser and builder based on package url spec, implemented in PHP.
  • Base language: PHP
  • Software License: MIT
  • Standards: PURL v1.0
Python implementation of the package url spec.
  • Base language: Python
  • Software License: MIT
  • Standards: PURL v1.0
A Ruby implementation of the package url specification.
  • Base language: Ruby
  • Software License: MIT
  • Standards: PURL v1.0
Swift implementation of the package url spec.
  • Base language: Swift
  • Software License: MIT
  • Standards: PURL v1.0
A Perl implementation of PURL and VERS.
  • Base language: Perl
  • Software License: Artistic-2.0
  • Standards: PURL v1.0, VERS
A simple webapp that provides guidance on and creates Package URLs of type 'swid'.
  • Base language: Vue
  • Software License: MIT
  • Standards: PURL v1.0
A Kotlin library for parsing and generating package-url.
  • Base language: Kotlin
  • Software License: Apache-2.0
  • Standards: PURL v1.0
PURL - Package URL specification v1.0.X
  • Base language: Raku
  • Software License: Artistic-2.0
  • Standards: PURL v1.0
Reports PURLs from parsed package manifests using https. Collects VERS from parsed package manifests using https.
  • Base language: Python
  • Software License: Apache-2.0
  • Standards: PURL v1.0, VERS
Collects VERS from scanned and matched packages using https
  • Base language: Python
  • Software License: Apache-2.0
  • Standards: PURL v1.0, VERS
Enterprise grade Open Source component management.
  • Standards: PURL v1.0
Software supply chain security platform for the enterprise to detect threats and exposures.
  • Standards: PURL v1.0
Parse and compare all the package versions and all the ranges. From debian, npm, pypi, ruby and more. Process all the version range specs and expressions.
  • Base language: Python
  • Software License: MIT
  • Standards: VERS
A security intelligence platform providing unified access to vulnerabilities, advisories, and exploit data across ecosystems, leveraging PURL for consistent package identification.
  • Standards: PURL v1.0

General Information

Community call

Join our next PURL community call on 2026-02-04.

The schedules for the PURL community and TC54-TG2 calls are available at OWASP Software Supply Chain Community Calendar.

Releases

Release v1.0.0

The 1st edition of the PURL specification was approved by the Ecma General Assembly on 2025-12-10 and has been designated ECMA-427.

The first release (v1.0.0) of the purl-spec project followed on 2025-12-18.