How do I read a PURL string?

Package URL (PURL) standardizes how software package metadata is represented so that packages can universally be located regardless of what vendor, project, or ecosystem the packages belongs to. A PURL is an attempt to standardize existing approaches to reliably identify and locate software packages. It is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.

We currently support the following PURL package managers: Cargo, NPM, Nuget, and Pypi.

PURL format

A PURL is composed of 7 components:


The definition for each components is:

  • scheme: this is the URL scheme with the constant value of "pkg". One of the primary reason for this single scheme is to facilitate the future official registration of the "pkg" scheme for package URLs. Required.

  • type: the package "type" or package "protocol" such as maven, npm, nuget, gem, pypi, etc. Required.

  • namespace: some name prefix such as a Maven groupid, a Docker image owner, a GitHub user or organization. Optional and type-specific.

  • name: the name of the package. Required.

  • version: the version of the package. Optional.

  • qualifiers: extra qualifying data for a package such as an OS, architecture, a distro, etc. Optional and type-specific.

  • subpath: extra subpath within a package, relative to the package root. Optional.


  • pkg:pypi/django@1.11.1

  • pkg:nuget/EnterpriseLibrary.Common@6.0.1304

  • pkg:npm/foobar@12.3.1

What is PURL used for?

PURL is recommended for use in identifying a container, library or framework (package), or operating system package.

Last updated

© Copyright MedCrypt 2023, All rights reserved.