Because no tech stack is an island running on a single programming language and in a single package ecosystem, we need a way to talk about packages and their versions across ecosystems. PURL and vers are an attempt to solve this problem and express package dependencies and vulnerabilities using a common language among multiple tools, SBOM formats and tech stacks.
In this video, Philippe Ombredanne (co-founder and CTO, nexB) and Hritik Vijay present Package URL, a mostly universal way to reference packages across ecosystems which is emerging as a de-facto standard identifier for open source software packages.
They will introduce and explain a new universal notation for package version ranges, as used when resolving package dependencies (“I require package foo, version 2.0 or later versions”) and when referencing affected vulnerable package versions (“vulnerability CVE-123 affects package bar, version 3.1 and version 4.2 but not version 5”). These two mini standards pave the way towards (mostly) universal FOSS package naming and versioning for dependency resolution and vulnerability range references, and are emerging as essential to reliably process vulnerability data in the software supply chain.
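As an added illustration, not code from the talk or from the purl and vers projects themselves: a minimal Package URL parser and a simplified vers range check, with the two scenarios quoted above (foo at version 2.0 or later; bar at version 3.1 or 4.2 but not 5) written as vers ranges. Assumptions: version ordering is plain dotted-integer comparison rather than the per-scheme rules the specifications define, the containment logic is a simplified reading of the spec (exact matches, exclusions, then sorted lower/upper bound pairs), and the function names are hypothetical.

```python
from urllib.parse import unquote

def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    rest = purl[4:].lstrip("/") if purl.startswith("pkg:") else ""
    rest, _, subpath = rest.partition("#")
    rest, _, query = rest.partition("?")
    path, _, version = rest.rpartition("@") if "@" in rest else (rest, "", "")
    segments = [unquote(s) for s in path.split("/") if s]
    if len(segments) < 2:
        raise ValueError("not a purl with at least a type and a name: " + purl)
    qualifiers = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    return {"type": segments[0].lower(), "namespace": "/".join(segments[1:-1]) or None,
            "name": segments[-1], "version": unquote(version) or None,
            "qualifiers": {k.lower(): unquote(v) for k, v in qualifiers.items()},
            "subpath": unquote(subpath) or None}

def in_vers_range(version: str, vers: str) -> bool:
    # Simplified containment: exact points, exclusions, then sorted [lower, upper] pairs.
    if not vers.startswith("vers:"):
        raise ValueError("not a vers range: " + vers)
    _scheme, _, body = vers[5:].partition("/")   # the scheme would select real ordering rules
    if body == "*":
        return True
    vkey = lambda s: tuple(int(p) for p in s.split("."))  # dotted-integer ordering only
    def parse(c):                                          # bare "3.1" means "=3.1"
        op = next((o for o in (">=", "<=", "!=", ">", "<", "=") if c.startswith(o)), "")
        return (op or "=", vkey(c[len(op):]))
    cons = sorted(map(parse, body.split("|")), key=lambda oc: oc[1])  # vers sorts constraints
    v = vkey(version)
    exact = [op for op, b in cons if op in ("=", "!=") and v == b]
    if exact:
        return "!=" not in exact                           # an exclusion wins over a match
    sat = lambda op, b: {">": v > b, ">=": v >= b, "<": v < b, "<=": v <= b}[op]
    lo = None                                              # lower bound awaiting its upper
    for op, b in ((op, b) for op, b in cons if op not in ("=", "!=")):
        if op in (">", ">="):
            lo = (op, b)
            continue
        if (lo is None or sat(*lo)) and sat(op, b):        # open-below, or inside the pair
            return True
        lo = None
    return lo is not None and sat(*lo)                     # trailing lower bound: open above

def is_affected(purl: str, affected_vers: str) -> bool:
    """Does the versioned package a purl names fall inside a vulnerability's vers range?"""
    version = parse_purl(purl)["version"]
    if version is None:
        raise ValueError("purl carries no version to check: " + purl)
    return in_vers_range(version, affected_vers)
```

Matching the purl's type, namespace and name against the advisory's package is assumed to happen before `is_affected` is called; this only answers the version question.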
Video
Slides
Ready to learn more?
- Scan your codebase with ScanCode
- Find software vulnerabilities with VulnerableCode
- Start automating compliance with DejaCode