This page describes how Socket purls work

What is a Socket purl?

A Socket purl follows the package URL standard documented [here](https://spdx.github.io/spdx-spec/v3.0/model/Software/Properties/packageUrl/#:~:text=A%20packageUrl%20(commonly%20pronounced%20and,identify%20and%20locate%20software%20packages.). That page gives a good description:

A packageUrl (commonly pronounced and referred to as "purl") is an attempt to standardize package representations in order to reliably identify and locate software packages. A purl is a URL string which represents a package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.

The exact definition of the purl format as used by the Socket packages API can be found in the GitHub spec.

Constructing a Socket purl

A purl has the following format:

scheme:type/namespace/name@version

For the Socket Packages endpoint the scheme is always pkg. Here are some examples for different ecosystems:

npm

pkg:npm/name@version

Python

pkg:pypi/name@version

Maven

pkg:maven/log4j/name@version
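As an added example (not Socket's own code and not the purl reference implementation), the Python below builds and parses purls in the scheme:type/namespace/name@version form shown above, applying the purl spec's npm and pypi name rules and percent-encoding namespace segments so a scoped npm package round-trips. It assumes version is required and leaves qualifiers and subpaths out.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote, unquote


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: str

    def normalized(self) -> "Purl":
        """Apply the per-ecosystem name rules from the purl spec."""
        t = self.type.lower()
        ns, name = self.namespace, self.name
        if t == "npm":
            # npm names are lowercase; a leading "@scope/" is the namespace
            name = name.lower()
            if ns is None and name.startswith("@") and "/" in name:
                ns, name = name.split("/", 1)
        elif t == "pypi":
            # pypi names are lowercased and underscores become dashes
            name = name.lower().replace("_", "-")
        return Purl(t, ns, name, self.version)

    def __str__(self) -> str:
        p = self.normalized()
        parts = ["pkg:" + p.type]
        if p.namespace:
            # each segment is percent-encoded separately, so "@" becomes %40
            parts.append("/".join(quote(s, safe="") for s in p.namespace.split("/")))
        parts.append(quote(p.name, safe="") + "@" + quote(p.version, safe=""))
        return "/".join(parts)


def parse_purl(s: str) -> Purl:
    """Parse pkg:type/namespace/name@version (no qualifiers or subpath)."""
    if not s.startswith("pkg:"):
        raise ValueError("purl must start with the pkg: scheme")
    body = s[len("pkg:"):].lstrip("/")
    head, sep, version = body.rpartition("@")  # %40 never matches a raw "@"
    if not sep or not version:
        raise ValueError("version is required (assumed for Socket purls)")
    type_, _, rest = head.partition("/")
    *ns_parts, name = rest.split("/")
    if not name:
        raise ValueError("name is required")
    namespace = "/".join(unquote(p) for p in ns_parts) or None
    return Purl(type_.lower(), namespace, unquote(name), unquote(version))
```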