← CRA Glossary
Software Supply Chain

Package URL (PURL)

A Package URL (PURL) is a standardised string format for uniquely identifying software packages across different package ecosystems. PURLs enable precise component identification in SBOMs, allowing vulnerability databases and security tools to reliably correlate SBOM entries with CVE records.

A Package URL (PURL) is a standardised string format for uniquely identifying software packages across different package ecosystems. PURLs enable precise component identification in SBOMs, allowing vulnerability databases and security tools to reliably correlate SBOM entries with CVE records.

Software Supply Chain
Free CVD portal →

What Is a Package URL (PURL)?

A Package URL (PURL) is a standardised string format for uniquely identifying software packages. It encodes the package type (ecosystem), namespace, name, version, and optional qualifiers and subpath in a consistent URL-like syntax. The format is: pkg:type/namespace/name@version?qualifiers#subpath. Examples: pkg:npm/%40angular/[email protected] identifies the Angular core npm package version 14.0.0; pkg:pypi/[email protected] identifies the Python requests library; pkg:docker/library/[email protected] identifies a specific Docker image. PURL was developed by the SPDX and CycloneDX communities to solve the cross-ecosystem component identification problem and has been adopted as the standard identifier in both SBOM formats.

CRA reference:Annex VII

Why PURL Matters for CRA SBOM Compliance

The CRA's Annex VII SBOM requirement is only as useful as the accuracy of component identification. A common failure mode in SBOMs is identifying components by name alone — 'requests 2.31.0' — without specifying the ecosystem (is this the Python pip package, or a Java Maven package with the same name?). PURL solves this by including the ecosystem type in the identifier. This precision enables:

  • Accurate CVE correlation: Vulnerability databases correlate CVEs to packages using PURL. An SBOM with PURL identifiers can be automatically matched against vulnerability feeds to identify which CVEs affect the product.
  • Cross-tool interoperability: PURL is supported by NVD, OSV, Dependency-Track, and all major vulnerability management tools, enabling consistent results across platforms.
  • Reachability analysis: Tools that assess whether a vulnerable code path is actually invoked in the product require precise component identification — PURL provides this.
CRA reference:Annex VII

PURL vs CPE: Different Identifier Systems

CPE (Common Platform Enumeration) is another identifier system used in NVD CVE records to identify affected products and components. CPE uses a different format: cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*. Key differences:

  • Coverage: CPE covers hardware, operating systems, and applications broadly. PURL specialises in software packages within specific ecosystems.
  • Precision: PURL is generally more precise for package-level identification within software ecosystems. CPE has known precision issues at the package level.
  • Adoption: PURL has overtaken CPE as the preferred identifier in modern SBOM tooling. However, NVD CVE records still use CPE extensively, so understanding both is necessary for vulnerability correlation.

Best practice for CRA SBOMs is to include both PURL and CPE identifiers where available, maximising compatibility with different vulnerability correlation tools and databases.

CRA reference:Annex VII

PURL in Practice: Generation and Validation

PURL generation is typically handled automatically by SBOM generation tools — manufacturers should not need to construct PURLs manually. Key considerations:

  • Verify ecosystem type: Ensure the SBOM generator correctly identifies the package ecosystem (npm vs PyPI vs Maven) — misidentification is the most common PURL error.
  • Include version exactly: The PURL version must exactly match the package version string as it appears in the package registry, including build metadata where applicable.
  • Validate against known records: After generating an SBOM with PURLs, validate a sample of PURLs against the OSV database (osv.dev) to confirm they resolve correctly to known vulnerability records.
  • Handle private/internal packages: For internal packages not in public registries, use a custom PURL type or namespace to distinguish them from public packages. Internal packages with no CVE exposure need not be excluded from the SBOM — their inclusion demonstrates completeness.

CVD Portal makes Package URL (PURL) compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.

Start your free portal

Frequently asked

Are PURLs mandatory in a CRA-compliant SBOM?+

The CRA does not mandate PURL specifically. However, SBOM usefulness for vulnerability management — the primary CRA-relevant use case — depends on accurate component identification, and PURL is the de facto standard for this. An SBOM without PURLs is less useful for automated CVE correlation and may not satisfy the functional intent of the Annex VII SBOM requirement if component identification is insufficiently precise. All major SBOM generation tools produce PURLs by default.

What PURL type should be used for firmware or OS packages?+

Firmware and OS package types have defined PURL types. Linux OS packages use `pkg:deb` (Debian/Ubuntu), `pkg:rpm` (Red Hat/Fedora), or `pkg:apk` (Alpine). Generic binary artefacts without an ecosystem type can use `pkg:generic`. For custom firmware components without a public registry, using `pkg:generic` with a manufacturer-specific namespace is recommended. Syft and similar container/firmware analysis tools handle this automatically for common package types.

How does PURL relate to the OSV (Open Source Vulnerabilities) database?+

The OSV database (osv.dev) uses PURL as its primary identifier for affected packages. OSV vulnerability records specify affected package versions using PURL ecosystems, enabling direct matching against SBOM PURLs. This makes OSV one of the most SBOM-friendly vulnerability databases for open source components. Tools like OSV-Scanner use the SBOM PURL list to query OSV for affected vulnerabilities, providing rapid, precise results with minimal false positives compared to CPE-based NVD matching.

Related terms

Software Bill of Materials (SBOM)An SBOM is a formal, machine-readable inventory of all software components — including open-source libraries, third-party dependencies, and firmware packages — that make up a product. The EU Cyber Resilience Act requires manufacturers to maintain an SBOM as part of their technical documentation.CycloneDXCycloneDX is an open-standard SBOM format maintained by OWASP that represents software components, their relationships, and associated metadata in a machine-readable structure. It is one of the two dominant SBOM formats alongside SPDX and is widely used for CRA compliance documentation.SPDX (Software Package Data Exchange)SPDX (Software Package Data Exchange) is an ISO-standardised SBOM format (ISO/IEC 5962:2021) that describes software components, their versions, licences, and provenance in a machine-readable structure. SPDX is one of the two dominant SBOM formats alongside CycloneDX and is accepted for CRA technical documentation purposes.Software IdentifierA software identifier is a standardised string or code that uniquely identifies a specific software package, component, or product version. Common software identifiers include PURL, CPE, and SWID tags. Accurate software identifiers are essential for reliable SBOM-based CVE correlation and CRA technical documentation.

CRA articles using this term

Article 13Coordinated Vulnerability Disclosure Obligations for ManufacturersAnnex IEssential Cybersecurity Requirements for Products with Digital Elements

Browse the full CRA Compliance Checklist

See how Package URL (PURL) fits into your complete CRA compliance programme.

View checklists →