Each package manager, platform, type, or ecosystem has its own conventions and protocols to identify, locate, and provision software packages.
The package type is the component of a package URL that is used to capture
this information with a short string such as maven
, npm
, nuget
, gem
,
pypi
, etc.
These are known purl
package type definitions.
Known purl
type definitions are formalized here independent of the core
Package URL specification. See also a candidate list further down.
Definitions can also include types reserved for future use.
See also https://github.com/package-url/purl-spec and <PURL-SPECIFICATION.rst>`_ for the Package URL specification.
alpm
for Arch Linux and other users of the libalpm/pacman package manager.
There is no default package repository: this should be implied either from the
distro
qualifiers key or using a repository base url asrepository_url
qualifiers key.The
namespace
is the vendor such asarch
,arch32
,archarm
,manjaro
ormsys
. It is not case sensitive and must be lowercased.The
name
is the package name. It is not case sensitive and must be lowercased.The
version
is the version of the package as specified in [vercmp(8)](https://man.archlinux.org/man/vercmp.8#DESCRIPTION) as part of alpm.The
arch
is the qualifiers key for a package architecture.Examples:
pkg:alpm/arch/[email protected]?arch=x86_64 pkg:alpm/arch/[email protected]?arch=any pkg:alpm/arch/containers-common@1:0.47.4-4?arch=x86_64
alpm
for Arch Linux and other users of the libalpm/pacman package manager.
There is no default package repository: this should be implied either from the
distro
qualifiers key or using a repository base url asrepository_url
qualifiers key.The
namespace
is the vendor such asarch
,arch32
,archarm
,manjaro
ormsys
. It is not case sensitive and must be lowercased.The
name
is the package name. It is not case sensitive and must be lowercased.The
version
is the version of the package as specified in [vercmp(8)](https://man.archlinux.org/man/vercmp.8#DESCRIPTION) as part of alpm.The
arch
is the qualifiers key for a package architecture.Examples:
pkg:alpm/arch/[email protected]?arch=x86_64 pkg:alpm/arch/[email protected]?arch=any pkg:alpm/arch/containers-common@1:0.47.4-4?arch=x86_64
bitbucket
for Bitbucket-based packages:
The default repository is
https://bitbucket.org
The
namespace
is the user or organization. It is not case sensitive and must be lowercased.The
name
is the repository name. It is not case sensitive and must be lowercased.The
version
is a commit or tagExamples:
pkg:bitbucket/birkenfeld/pygments-main@244fd47e07d1014f0aed9c
cocoapods
for Cocoapods:
The default repository is
https://cdn.cocoapods.org/
The
name
is the pod name and is case sensitive, cannot contain whitespace, a plus (+) character, or begin with a period (.).The
version
is the package version.The purl subpath is used to represent a pods subspec (if present)
Examples:
pkg:cocoapods/[email protected] pkg:cocoapods/[email protected] pkg:cocoapods/[email protected]#Twitter pkg:cocoapods/[email protected]#NSData+zlib
cargo
for Rust:
The default repository is
https://crates.io/
The
name
is the repository name.The
version
is the package version.Examples:
pkg:cargo/[email protected] pkg:cargo/[email protected] pkg:cargo/[email protected]
composer
for Composer PHP packages:
The default repository is
https://packagist.org
The
namespace
is the vendor.Note: private, local packages may have no name. In this case you cannot create a
purl
for these.Examples:
pkg:composer/laravel/[email protected]
conan
for Conan C/C++ packages. The purl is designed to closely resemble the Conan-native <package-name>/<package-version>@<user>/<channel> syntax for package references.
name
: The Conan<package-name>
.version
: The Conan<package-version>
.namespace
: The vendor of the package.- Qualifier
user
: The Conan<user>
. Only required if the Conan package was published with<user>
. - Qualifier
channel
: The Conan<channel>
. Only required if the Conan package was published with Conan<channel>
. - Qualifier
rrev
: The Conan recipe revision (optional). If omitted, the purl refers to the latest recipe revision available for the given version. - Qualifier
prev
: The Conan package revision (optional). If omitted, the purl refers to the latest package revision available for the given version and recipe revision. - Qualifier
repository_url
: The Conan repository where the package is available (optional). If ommitted,https://center.conan.io
as default repository is assumed.
Additional qualifiers can be used to distinguish Conan packages with different settings or options, e.g. os=Linux
, build_type=Debug
or shared=True
.
If no additional qualifiers are used to distinguish Conan packages build with different settings or options, then the purl is ambiguous and it is up to the user to work out which package is being referred to (e.g. with context information).
Examples:
pkg:conan/[email protected] pkg:conan/openssl.org/[email protected]?user=bincrafters&channel=stable pkg:conan/openssl.org/[email protected]?arch=x86_64&build_type=Debug&compiler=Visual%20Studio&compiler.runtime=MDd&compiler.version=16&os=Windows&shared=True&rrev=93a82349c31917d2d674d22065c7a9ef9f380c8e&prev=b429db8a0e324114c25ec387bfd8281f330d7c5c
conda
for Conda packages:
The default repository is
https://repo.anaconda.com
The
name
is the package nameThe
version
is the package versionThe qualifiers:
build
is the build string.channel
is the package stored location.subdir
is the associated platform.type
is the package type.Examples:
pkg:conda/[email protected]?build=py36h06a4308_0&channel=main&subdir=linux-64&type=tar.bz2
cran
for CRAN R packages:
The default repository is
https://cran.r-project.org
The
name
is the package name and is case sensitive, but there cannot be two packages on CRAN with the same name ignoring case.The
version
is the package version.Examples:
pkg:cran/[email protected] pkg:cran/[email protected] pkg:cran/[email protected]
deb
for Debian, Debian derivatives, and Ubuntu packages:
There is no default package repository: this should be implied either from the
distro
qualifiers key or using a base url as arepository_url
qualifiers keyThe
namespace
is the "vendor" name such as "debian" or "ubuntu". It is not case sensitive and must be lowercased.The
name
is not case sensitive and must be lowercased.The
version
is the version of the binary (or source) package.arch
is the qualifiers key for a package architecture. The special valuearch=source
identifies a Debian source package that usually consists of a Debian Source control file (.dsc) and corresponding upstream and Debian sources. Thedpkg-query
command can print thename
andversion
of the corresponding source package of a binary package:dpkg-query -f '${source:Package} ${source:Version}' -W <binary package name>
Examples:
pkg:deb/debian/[email protected]?arch=i386&distro=jessie pkg:deb/debian/[email protected]?arch=amd64&distro=stretch pkg:deb/ubuntu/[email protected]?arch=amd64 pkg:deb/debian/attr@1:2.4.47-2?arch=source pkg:deb/debian/attr@1:2.4.47-2%2Bb1?arch=amd64
docker
for Docker images
The default repository is
https://hub.docker.com
The
namespace
is the registry/user/organization if presentThe version should be the image id sha256 or a tag. Since tags can be moved, a sha256 image id is preferred.
Examples:
pkg:docker/cassandra@latest pkg:docker/smartentry/debian@dc437cc87d10 pkg:docker/customer/dockerimage@sha256%3A244fd47e07d10?repository_url=gcr.io
gem
for Rubygems:
The default repository is
https://rubygems.org
The
platform
qualifiers key is used to specify an alternative platform such asjava
for JRuby. The implied default isruby
for Ruby MRI.Examples:
pkg:gem/[email protected] pkg:gem/[email protected]?platform=java
generic
for plain, generic packages that do not fit anywhere else such as
for "upstream-from-distro" packages. In particular this is handy for a plain
version control repository such as a bare git repo.
There is no default repository. A
download_url
andchecksum
may be provided in qualifiers or as separate attributes outside of apurl
for proper identification and location.When possible another or a new purl
type
should be used instead of using thegeneric
type and eventually contributed back to this specificationas for other
type
, thename
component is mandatory. In the worst case it can be a file or directory name.Examples (truncated for brevity):
pkg:generic/[email protected] pkg:generic/[email protected]?download_url=https://openssl.org/source/openssl-1.1.0g.tar.gz&checksum=sha256:de4d501267da pkg:generic/bitwarderl?vcs_url=git%2Bhttps://git.fsfe.org/dxtr/bitwarderl%40cc55108da32
github
for Github-based packages:
The default repository is
https://github.com
The
namespace
is the user or organization. It is not case sensitive and must be lowercased.The
name
is the repository name. It is not case sensitive and must be lowercased.The
version
is a commit or tagExamples:
pkg:github/package-url/purl-spec@244fd47e07d1004 pkg:github/package-url/purl-spec@244fd47e07d1004#everybody/loves/dogs
golang
for Go packages
There is no default package repository: this is implied in the namespace using the
go get
command conventionsThe
namespace
and name must be lowercased.The
subpath
is used to point to a subpath inside a packageThe
version
is often empty when a commit is not specified and should be the commit in most cases when available.Examples:
pkg:golang/github.com/gorilla/context@234fd47e07d1004f0aed9c pkg:golang/google.golang.org/genproto#googleapis/api/annotations pkg:golang/github.com/gorilla/context@234fd47e07d1004f0aed9c#api
hackage
for Haskell packages
The default repository is https://hackage.haskell.org.
The version is package version.
The name is case sensitive and use kebab-case
Examples:
pkg:hackage/[email protected] pkg:hackage/[email protected] pkg:hackage/[email protected]
hex
for Hex packages
The default repository is
https://repo.hex.pm
.The
namespace
is optional; it may be used to specify the organization for private packages on hex.pm. It is not case sensitive and must be lowercased.The
name
is not case sensitive and must be lowercased.Examples:
pkg:hex/[email protected] pkg:hex/acme/[email protected]. pkg:hex/[email protected]#priv/static/phoenix_html.js pkg:hex/[email protected]?repository_url=https://myrepo.example.com
maven
for Maven JARs and related artifacts
The default repository is
https://repo.maven.apache.org/maven2
The group id is the
namespace
and the artifact id is thename
Known qualifiers keys are:
classifier
andtype
as defined in the POM documentation. Note that Maven uses a concept / coordinate called packaging which does not map directly 1:1 to a file extension. In this use case, we need to construct a link to one of many possible artifacts. Maven itself uses type in a dependency declaration when needed to disambiguate between them.Examples:
pkg:maven/org.apache.xmlgraphics/[email protected] pkg:maven/org.apache.xmlgraphics/[email protected]?type=pom pkg:maven/org.apache.xmlgraphics/[email protected]?classifier=sources pkg:maven/org.apache.xmlgraphics/[email protected]?type=zip&classifier=dist pkg:maven/net.sf.jacob-projec/[email protected]?classifier=x86&type=dll pkg:maven/net.sf.jacob-projec/[email protected]?classifier=x64&type=dll
npm
for Node NPM packages:
The default repository is
https://registry.npmjs.org
The
namespace
is used for the scope of a scoped NPM package.Per the package.json spec, new package "must not have uppercase letters in the name", therefore the must be lowercased.
Examples:
pkg:npm/[email protected] pkg:npm/%40angular/[email protected] pkg:npm/[email protected]?vcs_url=git://host.com/path/to/repo.git%404345abcd34343
nuget
for NuGet .NET packages:
The default repository is
https://www.nuget.org
There is no
namespace
per se even if the common convention is to use dot-separated package names where the first segment isnamespace
-like.Examples:
pkg:nuget/[email protected]
oci
for all artifacts stored in registries that conform to the
OCI Distribution Specification,
including container images built by Docker and others:
There is no canonical package repository for OCI artifacts. Therefore
oci
purls must be registry agnostic by default. To specify the repository, provide arepository_url
value.OCI purls do not contain a
namespace
, although,repository_url
may contain a namespace as part of the physical location of the package.The
name
is not case sensitive and must be lowercased. The name is the last fragment of the repository name. For example if the repository name islibrary/debian
then thename
isdebian
.The
version
is thesha256:hex_encoded_lowercase_digest
of the artifact and is required to uniquely identify the artifact.Optional qualifiers may include:
arch
: key for a package architecture, when relevantrepository_url
: A repository URL where the artifact may be found, but not intended as the only location. This value is encouraged to identify a location the content may be fetchedtag
: artifact tag that may have been associated with the digest at the time
Examples:
pkg:oci/debian@sha256%3A244fd47e07d10?repository_url=docker.io/library/debian&arch=amd64&tag=latest pkg:oci/debian@sha256%3A244fd47e07d10?repository_url=ghcr.io/debian&tag=bullseye pkg:oci/static@sha256%3A244fd47e07d10?repository_url=gcr.io/distroless/static&tag=latest pkg:oci/hello-wasm@sha256%3A244fd47e07d10?tag=v1
pub
for Dart and Flutter packages:
The default repository is
https://pub.dartlang.org
Pub normalizes all package names to be lowercase and using underscores. The only allowed characters are [a-z0-9_].
More information on pub naming and versioning is available in the [pubspec documentation](https://dart.dev/tools/pub/pubspec)
Examples:
pkg:pub/[email protected] pkg:pub/[email protected]
pypi
for Python packages:
The default repository is
https://pypi.python.org
PyPi treats
-
and_
as the same character and is not case sensitive. Therefore a Pypi packagename
must be lowercased and underscore_
replaced with a dash-
Examples:
pkg:pypi/[email protected] pkg:pypi/[email protected]
rpm
for RPMs:
There is no default package repository: this should be implied either from the
distro
qualifiers key or using a repository base url asrepository_url
qualifiers keythe
namespace
is the vendor such as fedora or opensuse It is not case sensitive and must be lowercased.the
name
is the RPM name and is case sensitive.the
version
is the combined version and release of an RPMepoch
(optional for RPMs) is a qualifier as it's not required for unique identification, but when the epoch exists we strongly encourage using itarch
is the qualifiers key for a package architectureExamples:
pkg:rpm/fedora/[email protected]?arch=i386&distro=fedora-25 pkg:rpm/[email protected]?arch=i686&epoch=1&distro=fedora-25
swid
for ISO-IEC 19770-2 Software Identification (SWID) tags:
- There is no default package repository.
- The
namespace
is the optional name and regid of the entity with a role of softwareCreator. If specified, name is required and is the first segment in the namespace. If regid is known, it must be specified as the second segment in the namespace. A maximum of two segments are supported. - The
name
is the name as defined in the SWID SoftwareIdentity element - The
version
is the version as defined in the SWID SoftwareIdentity element - The qualifier
tag_id
must not be empty and corresponds to the tagId as defined in the SWID SoftwareIdentity element. Per the SWID specification, GUIDs are recommended. If a GUID is used, it must be lowercase. If a GUID is not used, the tag_id qualifier is case aware but not case sensitive - The qualifier
tag_version
is an optional integer and corresponds to the tagVersion as defined in the SWID SoftwareIdentity element. If not specified, defaults to 0 - The qualifier
patch
is optional and corresponds to the patch as defined in the SWID SoftwareIdentity element. If not specified, defaults to false - The qualifier
tag_creator_name
is optional. If the tag creator is different from the software creator, the tag_creator_name qualifier should be specified - The qualifier
tag_creator_regid
is optional. If the tag creator is different from the software creator, the tag_creator_regid qualifier should be specified
Use of known qualifiers key/value pairs such as download_url
can be used to specify where the package was retrieved from.
Examples:
pkg:swid/Acme/example.com/[email protected]?tag_id=75b8c285-fa7b-485b-b199-4745e3004d0d pkg:swid/Fedora@29?tag_id=org.fedoraproject.Fedora-29 pkg:swid/Adobe+Systems+Incorporated/Adobe+InDesign@CC?tag_id=CreativeCloud-CS6-Win-GM-MUL
swift
for Swift packages:
There is no default package repository: this should be implied from
namespace
The
namespace
is source host and user/organization and is required.The
name
is the repository name.The
version
is the package version and is required.Examples:
pkg:swift/github.com/Alamofire/[email protected] pkg:swift/github.com/RxSwiftCommunity/[email protected]
alpine
for Alpine Linux apk packages:apache
for Apache projects packages:android
for Android apk packages:atom
for Atom packages:bower
for Bower JavaScript packages:brew
for Homebrew packages:buildroot
for Buildroot packagescarthage
for Cocoapods Cocoa packages:chef
for Chef packages:chocolatey
for Chocolatey packagesclojars
for Clojure packages:cocoapods
for Cocoapods iOS packages:coreos
for CoreOS packages:cpan
for CPAN Perl packages:ctan
for CTAN TeX packages:crystal
for Crystal Shards packages:drupal
for Drupal packages:dtype
for DefinitelyTyped TypeScript type definitions:dub
for D packages:elm
for Elm packages:eclipse
for Eclipse projects packages:gitea
for Gitea-based packages:gitlab
for Gitlab-based packages:gradle
for Gradle pluginsguix
for Guix packages:haxe
for Haxe packages:helm
for Kubernetes packagesjulia
for Julia packages:lua
for LuaRocks packages:melpa
for Emacs packagesmeteor
for Meteor JavaScript packages:nim
for Nim packages:nix
for Nixos packages:opam
for OCaml packages:openwrt
for OpenWRT packages:osgi
for OSGi bundle packages:p2
for Eclipse p2 packages:pear
for Pear PHP packages:pecl
for PECL PHP packages:perl6
for Perl 6 module packages:platformio
for PlatformIO packages:ebuild
for Gentoo Linux portage packages:puppet
for Puppet Forge packages:sourceforge
for Sourceforge-based packages:sublime
for Sublime packages:terraform
for Terraform modulesvagrant
for Vagrant boxesvim
for Vim scripts packages:wordpress
for Wordpress packages:yocto
for Yocto recipe packages:
This document is licensed under the MIT license