
Coordinates

Coordinates system used by Sonatype OSS Index

Sonatype OSS Index uses the Package-URL Specification to describe the coordinates of components (aka packages).

Component and package are interchangeable terms.

Syntax

A package-url (or purl) is a URI composed of six coordinate parts prefixed by the pkg scheme:

pkg:type/namespace/name@version?qualifiers#subpath

A package-url without the pkg scheme is also supported for backwards compatibility:

type:namespace/name@version?qualifiers#subpath

Coordinate Parts

Coordinate parts are separated by a specific character for unambiguous parsing:

type
The component "type" or "format" such as maven, npm, nuget, gem, pypi, etc.
Required
namespace
Some name prefix such as a Maven group-id, an NPM package scope, or a Docker image owner.
Optional and type-specific
name
The name of the component.
Required
version
The version of the component.
Optional
qualifiers
Extra qualifying data for a component such as an OS, architecture, a distro, etc.
Optional, type-specific, ignored
subpath
Extra sub-path within a component, relative to the package root.
Optional, ignored
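
The following parser is an added example, not code from Sonatype or the Package-URL project; it accepts both documented forms and drops qualifiers and subpath, which the list above marks as ignored. The names `Coordinates` and `parse_coordinates` are hypothetical, and it assumes segments are percent-encoded as the Package-URL specification requires (for example `%40angular` for an npm scope).

```python
from typing import NamedTuple, Optional
from urllib.parse import unquote


class Coordinates(NamedTuple):
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_coordinates(purl: str) -> Coordinates:
    """Parse either documented form into (type, namespace, name, version)."""
    # subpath (#...) and qualifiers (?...) are documented as ignored: drop them.
    rest = purl.strip().split("#", 1)[0].split("?", 1)[0]
    if rest.startswith("pkg:"):
        # pkg:type/namespace/name@version
        type_, sep, rest = rest[4:].lstrip("/").partition("/")
    else:
        # Backwards-compatible form: type:namespace/name@version
        type_, sep, rest = rest.partition(":")
    if not sep or not type_:
        raise ValueError(f"missing type: {purl!r}")
    # The version follows the last '@'. A leading '@', or one directly after
    # '/', is an unencoded npm scope rather than a version separator.
    head, at, version = rest.rpartition("@")
    if not at or not head or head.endswith("/"):
        head, version = rest, ""
    segments = [unquote(s) for s in head.strip("/").split("/") if s]
    if not segments:
        raise ValueError(f"missing name: {purl!r}")
    return Coordinates(
        type=type_.lower(),
        namespace="/".join(segments[:-1]) or None,
        name=segments[-1],
        version=unquote(version) or None,
    )


if __name__ == "__main__":
    # Constructed sample coordinates, one per documented form.
    for sample in ("pkg:maven/org.apache.commons/commons-lang3@3.12.0",
                   "npm:%40angular/core@12.0.0?os=linux#src/index.js"):
        print(parse_coordinates(sample))
```

Normalising both forms to one tuple before a lookup keeps the query tied to the intended component, and rejecting input without a type or name avoids sending an ambiguous coordinate.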