Package Advisories & Vulnerabilities

A Package URL (aka "purl") is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.

A purl is a URL composed of seven components, laid out as:

    pkg:type/namespace/name@version?qualifiers#subpath

Components are separated by a specific character (":", "/", "@", "?" and "#") for unambiguous parsing.

The ZEN SecDB Portal uses the Package URL format to identify a package or piece of software affected by a vulnerability or issue.

Component   Description
scheme      The URL scheme, with the constant value "pkg". One of the primary reasons for this single scheme is to facilitate the future official registration of the "pkg" scheme for package URLs. Required.
type        The package "type" or package "protocol", such as maven, npm, nuget, gem, pypi, etc. Required.
namespace   Some name prefix such as a Maven groupId, a Docker image owner, or a GitHub user or organization. Optional and type-specific.
name        The name of the package. Required.
version     The version of the package. Optional.
qualifiers  Extra qualifying data for a package such as an OS, architecture, a distro, etc. Optional and type-specific.
subpath     Extra subpath within a package, relative to the package root. Optional.
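As an added example (not code from the ZEN SecDB Portal or from the Package URL project), the following Python parser splits a purl into the seven components described above, rebuilds the canonical string, and compares two purls as "the same package" (same type, namespace and name, ignoring version, qualifiers and subpath), which is the comparison an advisory lookup needs before any version matching. It assumes the standard library only; the sample purls in the demo are constructed for illustration.

```python
"""Parse, build and compare Package URLs (purls)."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote, unquote


@dataclass
class PackageURL:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None
    scheme: str = "pkg"


def _split_once_from_right(s: str, sep: str):
    """Return (head, tail) split on the rightmost sep, or (s, '') if absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, "")


def _clean_subpath(raw: str) -> Optional[str]:
    # Drop empty, '.' and '..' segments so a subpath cannot escape the package root.
    segments = [unquote(s) for s in raw.strip("/").split("/") if s not in ("", ".", "..")]
    return "/".join(segments) or None


def parse_purl(purl: str) -> PackageURL:
    # Components are peeled off from the right first (#, ?), then from the left.
    remainder, raw_subpath = _split_once_from_right(purl, "#")
    subpath = _clean_subpath(raw_subpath) if raw_subpath else None

    remainder, raw_qualifiers = _split_once_from_right(remainder, "?")
    qualifiers = {}
    for pair in (raw_qualifiers.split("&") if raw_qualifiers else []):
        key, _, value = pair.partition("=")
        if value:  # a qualifier with an empty value is discarded
            qualifiers[key.lower()] = unquote(value)

    scheme, found, remainder = remainder.partition(":")
    if not found or scheme.lower() != "pkg":
        raise ValueError(f"not a purl, scheme must be 'pkg': {purl!r}")

    remainder = remainder.lstrip("/")  # tolerate 'pkg://type/...'
    ptype, found, remainder = remainder.partition("/")
    if not found or not ptype:
        raise ValueError(f"purl needs a type and a name: {purl!r}")

    remainder, raw_version = _split_once_from_right(remainder, "@")
    version = unquote(raw_version) if raw_version else None

    segments = [s for s in remainder.split("/") if s]
    if not segments:
        raise ValueError(f"purl needs a name: {purl!r}")
    name = unquote(segments[-1])
    namespace = "/".join(unquote(s) for s in segments[:-1]) or None

    return PackageURL(type=ptype.lower(), name=name, namespace=namespace,
                      version=version, qualifiers=qualifiers, subpath=subpath)


def build_purl(p: PackageURL) -> str:
    """Serialise back to canonical form; every segment is percent-encoded."""
    out = f"pkg:{p.type.lower()}/"
    if p.namespace:
        out += "/".join(quote(s, safe="") for s in p.namespace.split("/")) + "/"
    out += quote(p.name, safe="")
    if p.version:
        out += "@" + quote(p.version, safe="")
    if p.qualifiers:
        out += "?" + "&".join(f"{k.lower()}={quote(v, safe='')}"
                              for k, v in sorted(p.qualifiers.items()))
    if p.subpath:
        out += "#" + "/".join(quote(s, safe="") for s in p.subpath.split("/"))
    return out


def same_package(a: PackageURL, b: PackageURL) -> bool:
    """True when both purls name the same package, regardless of version."""
    return (a.type, a.namespace, a.name) == (b.type, b.namespace, b.name)


if __name__ == "__main__":
    # Constructed sample purls, not taken from any real advisory.
    for sample in ("pkg:maven/org.apache.commons/commons-text@1.9?type=jar#src/main",
                   "pkg:npm/%40angular/animation@12.3.1",
                   "pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie"):
        parsed = parse_purl(sample)
        print(parsed, "->", build_purl(parsed))
```

Note that the parser lowercases the type and qualifier keys but leaves the name untouched; some types (npm, pypi) additionally normalise names, so a lookup keyed on purls should apply those type-specific rules before comparing.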