Package Advisories & Vulnerabilities
A Package URL (aka "purl") is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.
https://github.com/package-url/purl-spec
A purl is a URL composed of seven components:
scheme:type/namespace/name@version?qualifiers#subpath
Components are separated by a specific character for unambiguous parsing.
The ZEN SecDB Portal uses the Package URL format to identify a package or piece of software affected by a vulnerability or issue.
| Component | Description |
|---|---|
| scheme | The URL scheme, with the constant value "pkg". One of the primary reasons for this single scheme is to facilitate the future official registration of the "pkg" scheme for package URLs. Required. |
| type | The package "type" or package "protocol", such as maven, npm, nuget, gem, pypi, etc. Required. |
| namespace | A name prefix such as a Maven groupid, a Docker image owner, or a GitHub user or organization. Optional and type-specific. |
| name | The name of the package. Required. |
| version | The version of the package. Optional. |
| qualifiers | Extra qualifying data for a package such as an OS, architecture, a distro, etc. Optional and type-specific. |
| subpath | An extra subpath within a package, relative to the package root. Optional. |
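A parser for the seven-component layout described above, added here as an example (it is not part of the portal's documentation or of the purl-spec project's own code): components are split off right to left on their separator character, as the spec's parsing algorithm does, and percent-decoding happens only after splitting. Type-specific name normalisation (for example pypi's) is deliberately left out.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote


@dataclass
class PackageURL:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> PackageURL:
    """Split a purl into its seven components, right-to-left on each separator."""
    # Splitting from the right means a '@' or ':' inside the version (e.g. a
    # docker "sha256:..." digest) is never mistaken for an earlier separator.
    # Percent-decoding happens only after splitting, so an encoded '@' or '/'
    # inside a component (e.g. the npm scope "%40angular") stays in that component.
    remainder = purl.strip()
    subpath = None
    if "#" in remainder:  # subpath: after the last '#'; drop empty, '.' and '..' segments
        remainder, raw = remainder.rsplit("#", 1)
        segs = [unquote(s) for s in raw.strip("/").split("/") if s not in ("", ".", "..")]
        subpath = "/".join(segs) or None
    qualifiers = {}
    if "?" in remainder:  # qualifiers: after the last '?', key=value pairs joined by '&'
        remainder, raw = remainder.rsplit("?", 1)
        for pair in raw.split("&"):
            key, _, value = pair.partition("=")
            if key and value:  # keys are case-insensitive; empty values are dropped
                qualifiers[key.lower()] = unquote(value)
    scheme, sep, remainder = remainder.partition(":")  # scheme: the constant "pkg"
    if not sep or scheme.lower() != "pkg":
        raise ValueError("purl must start with the 'pkg:' scheme")
    ptype, sep, remainder = remainder.strip("/").partition("/")  # type: up to first '/'
    if not sep or not ptype:
        raise ValueError("purl is missing the type or the name")
    version = None
    if "@" in remainder:  # version: after the last '@' of what is left
        remainder, raw = remainder.rsplit("@", 1)
        version = unquote(raw) or None
    segs = [unquote(s) for s in remainder.split("/") if s]  # namespace/.../name
    if not segs:
        raise ValueError("purl is missing the name")
    return PackageURL(ptype.lower(), segs[-1], "/".join(segs[:-1]) or None,
                      version, qualifiers, subpath)
```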
Ecosystems