Dependency-Track logo Dependency-Track

Components often belong to one or more ecosystems. These ecosystems typically have one or more sources of truth that provide additional data about the components. For example, Maven Central and the NPM repository provide information about Java and Node components respectively. Likewise, NPM public advisories provides vulnerability intelligence specific to Node modules.

Dependency-Track has adopted an emerging spec called Package URL that provides a flexible way to represent metadata about components and their place in various ecosystems.

It’s highly recommended that every component being tracked by the system have a valid Package URL.

Package URL (purl)

Package URL was created to standardize how software package metadata is represented so that packages could universally be located regardless of what vendor, project, or ecosystem the packages belong. Package URL conforms to RFC-3986.

The syntax of Package URL is:

scheme:type/namespace/[email protected]?qualifiers#subpath


pkg:maven/org.apache.commons/[email protected]


pkg:gem/[email protected]?platform=java

pkg:npm/%40angular/[email protected]

pkg:nuget/[email protected]

pkg:pypi/[email protected]

Package URL and Dependency-Track

Dependency-Track uses Package URL in several ways:

The default scanner, if a Package URL is not specified for a component, is to use Dependency-Check’s ability to perform fuzzy matching against the NVD. This approach may work for some components, but in the case of Node modules, would lead to both false positives and negatives. If a valid Package URL was specified for a Node module for instance, Dependency-Track would use it’s own internal NPM audit scanner, thus providing more actionable and accurate results.

Dependency-Track (as of v3.1.0) also provides the ability to determine out-of-date components. It uses the Package URL of the component and maps it to a corresponding list of repositories that have been configured to support the components ecosystem.

Refer to Repositories for further information.

Package URL support in Bill-of-Materials

The CycloneDX BOM specification supports Package URL on a per-component basis. Users of the CycloneDX Maven plugin or CycloneDX Node module will automatically have valid Package URLs for every component in the resulting BOM.

When importing dependency-check-report.xml, Dependency-Track will attempt to automatically generate Package URLs for every component identified. Support is currently limited to Maven and npm.

When importing SPDX BOM documents, Package URL identification cannot be automatically determined, although support for Package URL may be coming to the SPDX specification in a future release.