The package-url project provides a practical specification and implementation for a “package (mostly universal) URL” → purl.

The Package URL specification was originally developed by nexB for use in ScanCode and VulnerableCode. It is now a de facto standard for vulnerability management and package references, in active use by SCA projects like CycloneDX and SPDX and by many companies and organizations worldwide.

The specification is at There are implementations of the purl specification for 9 major languages:

package-url also has a Gitter channel.