Identifying packages and vulnerabilities across ecosystems

Because no tech stack is an island running on a single programming language and in a single package ecosystem, we need a way to talk about packages and their versions across ecosystems. PURL and vers are an attempt to solve this problem and express package dependencies and vulnerabilities using a common language among multiple tools, SBOM formats and tech stacks.

In this video, Philippe Ombredanne (co-founder and CTO, nexB) and Hritik Vijay present Package-URL, a mostly universal way to reference packages across ecosystems which is emerging as a de-facto standard identifier for open source software packages.

They will introduce and explain a new universal notation for package version ranges, such as those used when resolving package dependencies, as in “I require package foo, version 2.0 or later”, and when referencing affected vulnerable package versions, as in “vulnerability CVE-123 affects package bar, version 3.1 and version 4.2 but not version 5”. These two mini standards pave the way towards (mostly) universal FOSS package naming and versioning for dependency resolution and vulnerability range references, and are emerging as essential to reliably process vulnerability data in the software supply chain.
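As an added worked example (not from the talk and not nexB's own purl or vers libraries), the Python below parses a Package-URL and evaluates a vers range for the two scenarios the talk describes: "foo 2.0 or later" and "CVE-123 affects bar 3.1 and 4.2 but not 5". The package names, the advisory record and the dotted-integer version ordering in `vkey` are constructed assumptions; real vers schemes (semver, pypi, deb, ...) need their own scheme-specific comparators.

```python
from urllib.parse import unquote

OPS = ("<=", ">=", "!=", "<", ">", "=")  # longest first so "<=" is not read as "<"

def parse_purl(purl):
    """Minimal Package-URL parser: pkg:type/namespace/name@version?qualifiers#subpath"""
    assert purl.startswith("pkg:"), "not a purl: %r" % purl
    rest, _, subpath = purl[4:].lstrip("/").partition("#")
    rest, _, qualifiers = rest.partition("?")
    ptype, _, rest = rest.partition("/")
    rest, _, version = rest.rpartition("@") if "@" in rest else (rest, "", "")
    namespace, _, name = rest.rpartition("/")
    quals = (q.partition("=") for q in qualifiers.split("&") if q)
    return {"type": ptype.lower(), "namespace": unquote(namespace) or None,
            "name": unquote(name), "version": unquote(version) or None,
            "qualifiers": {k.lower(): unquote(v) for k, _, v in quals},
            "subpath": unquote(subpath) or None}

def vkey(v):
    """Toy ordering (dotted ints, '2' == '2.0'); real vers schemes need their own comparator."""
    return (tuple(int(p) for p in v.split(".")) + (0,) * 8)[:8]

def parse_vers(vers):
    """Returns (scheme, [(op, version), ...]); a bare version means '=', '*' means any."""
    assert vers.startswith("vers:"), "not a vers: %r" % vers
    scheme, _, body = vers[5:].partition("/")
    def one(c):
        op = "*" if c == "*" else next((o for o in OPS if c.startswith(o)), "")
        return op or "=", unquote(c[len(op):])
    return scheme, [one(c.strip()) for c in body.split("|")]

def contains(vers, version):
    """vers containment check following the spec's sorted pairwise algorithm."""
    _, cons = parse_vers(vers)
    v, exact = vkey(version), {vkey(cv): op for op, cv in cons if op in ("=", "!=")}
    if ("*", "") in cons or v in exact:  # '*' matches all; '=' wins, '!=' excludes
        return exact.get(v, "=") == "="
    lower, upper = {">", ">="}, {"<", "<="}
    cons = sorted((vkey(cv), op) for op, cv in cons if op in lower | upper)
    sat = lambda k, op: {"<": v < k, "<=": v <= k, ">": v > k, ">=": v >= k}[op]
    low_open = cons and cons[0][1] in upper and sat(*cons[0])      # e.g. "<2.5"
    high_open = cons and cons[-1][1] in lower and sat(*cons[-1])   # e.g. ">=2.0"
    pairs = any(cop in lower and nop in upper and sat(ck, cop) and sat(nk, nop)
                for (ck, cop), (nk, nop) in zip(cons, cons[1:]))  # ">=2.0|<2.5"
    return bool(low_open or pairs or high_open)

def is_affected(package_purl, advisory):
    pkg, adv = parse_purl(package_purl), parse_purl(advisory["purl"])
    same = all(pkg[k] == adv[k] for k in ("type", "namespace", "name"))
    return same and pkg["version"] is not None and contains(advisory["affected"], pkg["version"])
```

`is_affected` only declares a match when type, namespace and name all agree, so a same-named package in another ecosystem is never flagged by a range written for a different one.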
