Philippe Ombredanne, AboutCode.org

In order to make an SBOM usable when checking external databases, a clear and distinct identifier of the software and its manufacturer is needed. The Package URL (PURL) standard is adopted by many systems for vulnerability management, sometimes alongside the older CPE identifier.
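As an added illustration that is not part of the talk abstract, the following Python parses a PURL into its components and looks an SBOM entry up in a constructed advisory list, showing why a canonical identifier allows exact matching against an external database. The parser, the advisory entries and their ids are constructed for this example, and version matching is simplified to exact set membership rather than ecosystem-specific range semantics.

```python
from dataclasses import dataclass
from urllib.parse import unquote

@dataclass(frozen=True)
class PackageURL:
    type: str
    namespace: str
    name: str
    version: str
    qualifiers: tuple  # sorted (key, value) pairs so the object is hashable
    subpath: str

def parse_purl(purl: str) -> PackageURL:
    """Split a purl into its components: pkg:type/namespace/name@version?qualifiers#subpath."""
    scheme, _, rest = purl.partition(":")
    if scheme.lower() != "pkg" or not rest:
        raise ValueError(f"not a purl: {purl!r}")
    rest, _, subpath = rest.strip("/").partition("#")      # subpath comes last
    rest, _, qualifiers = rest.partition("?")               # then qualifiers
    rest, version = rest.rsplit("@", 1) if "@" in rest else (rest, "")  # '@' in names is %40-encoded
    ptype, _, path = rest.partition("/")
    if not ptype or not path:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    *ns_parts, name = path.split("/")
    quals = tuple(sorted(
        (k.lower(), unquote(v))
        for k, _, v in (q.partition("=") for q in qualifiers.split("&") if q)
    ))
    return PackageURL(
        type=ptype.lower(), namespace="/".join(unquote(p) for p in ns_parts),
        name=unquote(name), version=unquote(version), qualifiers=quals, subpath=unquote(subpath),
    )

def package_key(p: PackageURL) -> tuple:
    """Version-independent identity used to look a package up in an advisory database."""
    return (p.type, p.namespace, p.name)

# Constructed sample advisory feed (not real advisories): a versionless purl plus affected versions.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl": "pkg:npm/%40angular/animation", "affected": {"12.3.0", "12.3.1"}},
    {"id": "EXAMPLE-0002", "purl": "pkg:maven/org.apache.commons/commons-text", "affected": {"1.9"}},
]

def find_advisories(sbom_purl: str, advisories=ADVISORIES) -> list:
    """Return advisory ids whose package identity matches and whose affected set holds the version."""
    comp = parse_purl(sbom_purl)
    return [a["id"] for a in advisories
            if package_key(parse_purl(a["purl"])) == package_key(comp)
            and comp.version in a["affected"]]
```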

The PURL specification is undergoing standardization and will soon be published as an ECMA standard within the CycloneDX project, ECMA TC54.

In this talk, Philippe describes how PURL can help streamline exchange in the supply chain, and all the ongoing efforts to make it a standard.


Open Source Security Foundation
OWASP Foundation
Open regulatory compliance working group (ORCWG.ORG)