package-url

The package-url project provides a practical specification and implementation for a “package (mostly universal) URL”, or purl.

The Package URL specification was originally developed by nexB for use in ScanCode and VulnerableCode. It is now a de facto standard for vulnerability management and package references, in active use by SCA projects like CycloneDX and SPDX and by many companies and organizations worldwide.

The specification is at https://github.com/package-url/purl-spec. There are implementations of the purl specification for 9 major languages.

package-url also has a Gitter channel.