Referencing Package URL (purl) and Component Identifiers

While most of our examples for using REST APIs, managing policies, and analysis demonstrate referencing components/packages in the Maven format, Sonatype IQ Server also supports several other formats.

Usually, there are two ways of representing a component:

  • Component Identifier: Each format has a specific component identifier layout that must be used. These component identifiers consist of the format plus the format-specific coordinates.
  • Package URL (purl): Each format has specific URL components that must be used. These URL components consist of the format plus the format-specific coordinates.

Understanding component identifiers for a particular format allows you to use the same REST API operations with other formats. This is done by substituting component identifiers for a different format in the same operation, with some coordinates for the component identifier being required while others are optional.

Some API endpoints (such as the Component Versions REST API) may be more permissive than most REST API operations relating to missing coordinates. These may have more optional coordinates than listed on this page within the context of that particular operation.
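The required and optional coordinates, and the identifier-to-purl layout, can be checked in code before a request is sent. This is an added example, not Sonatype code: the hypothetical `to_purl` helper and its `LAYOUTS` table cover only formats whose purl layout appears in the samples on this page, with qualifiers emitted in the order those samples use. The optional Maven `classifier` is rejected because the page shows no purl mapping for it.

```python
from urllib.parse import quote

# format -> (path coordinates, {coordinate: purl qualifier key}, optional coordinates).
# Layouts are taken from the samples on this page; anything else is rejected.
LAYOUTS = {
    "maven":  (("groupId", "artifactId"), {"extension": "type"}, ()),
    "npm":    (("packageId",), {}, ()),
    "pypi":   (("name",), {"extension": "extension", "qualifier": "qualifier"},
               ("extension", "qualifier")),
    "rpm":    (("name",), {"architecture": "arch"}, ()),
    "golang": (("name",), {}, ()),
    "deb":    (("namespace", "name"), {}, ()),
    "conda":  (("name",), {"channel": "channel", "subdir": "subdir",
                           "build": "build", "type": "type"},
               ("channel", "subdir", "build", "type")),
}


def _enc(value):
    # Percent-encode everything outside the unreserved set, so "@", "?", "#"
    # and "&" inside a coordinate cannot be read as purl delimiters.
    return quote(str(value), safe="")


def to_purl(component_identifier):
    """Validate a componentIdentifier dict and return its purl string."""
    fmt = component_identifier["format"]
    coords = dict(component_identifier["coordinates"])
    if fmt not in LAYOUTS:
        raise ValueError(f"no layout for format {fmt!r}")
    path_keys, qualifier_keys, optional = LAYOUTS[fmt]
    known = set(path_keys) | set(qualifier_keys) | {"version"}
    unknown = set(coords) - known
    missing = {k for k in known - set(optional) if not coords.get(k)}
    if unknown or missing:
        raise ValueError(f"{fmt}: unknown={sorted(unknown)} missing={sorted(missing)}")
    # A "/" inside a path coordinate separates purl path segments (golang sample).
    segments = [_enc(s) for k in path_keys for s in coords[k].split("/")]
    purl = f"pkg:{fmt}/{'/'.join(segments)}@{_enc(coords['version'])}"
    pairs = [f"{q}={_enc(coords[k])}" for k, q in qualifier_keys.items() if coords.get(k)]
    return purl + ("?" + "&".join(pairs) if pairs else "")
```

Rejecting unknown or missing coordinates up front avoids sending an identifier that would resolve to a different component than intended, or to none.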

Component identifiers for particular formats are listed below:

a-name

For a-name (authoritative name) component identifiers, the following coordinates are supported:

  • name
  • version
  • qualifier (optional)

Sample JSON for an a-name component identifier is provided below:

"componentIdentifier": {
  "format": "a-name",
  "coordinates": {
    "name": "pouchdb",
    "version": "6.3.1"
  }
}

Sample JSON for an a-name purl is provided below:

"packageUrl": "pkg:a-name/pouchdb@6.3.1"

maven

For Maven component identifiers, the following coordinates are supported:

  • groupId
  • artifactId
  • version
  • extension
  • classifier (optional)

Sample JSON for a Maven component identifier is provided below:

"componentIdentifier": {
  "format": "maven",
  "coordinates": {
    "artifactId": "commons-fileupload",
    "groupId": "commons-fileupload",
    "version": "1.2.2",
    "extension": "jar"
  }
}

Sample JSON for a Maven purl is provided below:

"packageUrl": "pkg:maven/commons-fileupload/commons-fileupload@1.2.2?type=jar"

npm

For npm component identifiers, the following coordinates are supported:

  • packageId
  • version

Sample JSON for an npm component identifier is provided below:

"componentIdentifier": {
  "format": "npm",
  "coordinates": {
    "packageId": "grunt-bower-submodule",
    "version": "0.2.3"
  }
}

Sample JSON for an npm purl is provided below:

"packageUrl": "pkg:npm/grunt-bower-submodule@0.2.3"

nuget

For NuGet component identifiers, the following coordinates are supported:

  • packageId
  • version

Sample JSON for a NuGet component identifier is provided below:

"componentIdentifier": {
  "format": "nuget",
  "coordinates": {
    "packageId": "Nirvana.MongoProvider",
    "version": "1.0.53"
  }
}

Sample JSON for a NuGet purl is provided below:

"packageUrl": "pkg:nuget/Nirvana.MongoProvider@1.0.53"

PyPI

For PyPI component identifiers, the following coordinates are supported:

  • name
  • version
  • qualifier (optional)
  • extension (optional since v113)

Sample JSON for a PyPI component identifier is provided below:

"componentIdentifier": {
  "format": "pypi",
  "coordinates": {
    "name": "jaraco.logging",
    "version": "1.5"
  }
}

Sample JSON for a PyPI purl is provided below:

"packageUrl": "pkg:pypi/jaraco.logging@1.5?extension=whl&qualifier=py2.py3-none-any"

rpm

For rpm component identifiers, the following coordinates are supported:

  • name
  • version
  • architecture 

Sample JSON for an rpm component identifier is provided below:

"componentIdentifier": {
  "format": "rpm",
  "coordinates": {
    "name": "AGReader",
    "version": "1.2-6.el6",
    "architecture": "ppc64"
  }
}

Sample JSON for an RPM purl is provided below:

"packageUrl": "pkg:rpm/AGReader@1.2-6.el6?arch=ppc64"

gem

For Gem component identifiers, the following coordinates are supported:

  • name
  • version
  • platform (optional)

Sample JSON for a Gem component identifier is provided below:

"componentIdentifier": {
  "format": "gem",
  "coordinates": {
    "name": "rails",
    "version": "5.0.4"
  }
}

Sample JSON for a gem purl is provided below:

"packageUrl": "pkg:gem/rails@5.0.4"

Golang

For Go component identifiers, the following coordinates are supported:

  • name
  • version

Sample JSON for a Go component identifier is provided below:

"componentIdentifier": {
  "format": "golang",
  "coordinates": {
    "name": "github.com/rs/cors",
    "version": "v1.4.0"
  }
}

Sample JSON for a Golang purl is provided below:

"packageUrl": "pkg:golang/github.com/rs/cors@v1.4.0"

Conan

For Conan component identifiers, the following coordinates are supported:

  • name
  • version
  • channel (optional)
  • owner (optional)

Sample JSON for a Conan component identifier is provided below:

"componentIdentifier": {
  "format": "conan",
  "coordinates": {
    "channel": "",
    "name": "libxml2",
    "owner": "bincrafters",
    "version": "2.9.8"
  }
}

Sample JSON for a Conan purl is provided below:

"packageUrl": "pkg:conan/bincrafters/libxml2@2.9.8"

Conda

For Conda component identifiers, the following coordinates are supported:

  • name
  • version
  • channel (optional)
  • subdir (optional)
  • build (optional)
  • type (optional)

Sample JSON for a Conda component identifier is provided below:

"componentIdentifier": {
  "format": "conda",
  "coordinates": {
    "name": "openssl",
    "version": "1.0.2l",
    "channel": "main",
    "subdir": "linux-64",
    "build": "h077ae2c_5",
    "type": "tar.bz2"
  }
}

Sample JSON for a Conda purl is provided below:

"packageUrl": "pkg:conda/openssl@1.0.2l?channel=main&subdir=linux-64&build=h077ae2c_5&type=tar.bz2"

bower

For Bower component identifiers, the following coordinates are supported:

  • name
  • version

Sample JSON for a Bower component identifier is provided below:

"componentIdentifier": {
  "format": "bower",
  "coordinates": {
    "name": "js-yaml",
    "version": "2.0.1"
  }
}

Sample JSON for a Bower purl is provided below:

"packageUrl": "pkg:bower/js-yaml@2.0.1"

composer

For Composer component identifiers, the following coordinates are supported:

  • namespace
  • name
  • version

Sample JSON for a Composer component identifier is provided below:

"componentIdentifier": {
  "format": "composer",
  "coordinates": {
    "namespace": "components",
    "name": "jqueryui",
    "version": "1.11.4"
  }
}

Sample JSON for a Composer purl is provided below:

"packageUrl": "pkg:composer/components/jqueryui@1.11.4"

Cran

For Cran component identifiers, the following coordinates are supported:

  • name
  • version
  • type (optional)

Sample JSON for a Cran component identifier is provided below:

"componentIdentifier": {
  "format": "cran",
  "coordinates": {
    "name": "readxl",
    "version": "1.1.0",
    "type": "tar.gz"
  }
}

Sample JSON for a Cran purl is provided below:

"packageUrl": "pkg:cran/readxl@1.1.0?type=tar.gz"

cargo

For Cargo component identifiers, the following coordinates are supported:

  • name
  • version
  • type (optional)

Sample JSON for a Cargo component identifier is provided below:

"componentIdentifier": {
  "format": "cargo",
  "coordinates": {
    "name": "grin",
    "version": "1.0.0",
    "type": "crate"
  }
}

Sample JSON for a Cargo purl is provided below:

"packageUrl": "pkg:cargo/grin@1.0.0?type=crate"

CocoaPods

For CocoaPods component identifiers, the following coordinates are supported:

  • name
  • version

Sample JSON for a CocoaPods component identifier is provided below:

"componentIdentifier": {
  "format": "cocoapods",
  "coordinates": {
    "name": "libpng",
    "version": "1.4.9"
  }
}

Sample JSON for a CocoaPods purl is provided below:

"packageUrl": "pkg:cocoapods/libpng@1.4.9"

Debian

For Debian package identifiers, the following coordinates are supported:

  • name
  • namespace
  • version

Sample JSON for a Debian component identifier is provided below:

"componentIdentifier": {
  "format": "deb",
  "coordinates": {
    "name": "stunnel",
    "namespace": "debian",
    "version": "3.20.0"
  }
}

Sample JSON for a Debian purl is provided below:

"packageUrl": "pkg:deb/debian/stunnel@3.20.0"

alpine

For Alpine package identifiers, the following coordinates are supported:

  • name
  • version

Sample JSON for an Alpine component identifier is provided below:

"componentIdentifier": {
  "format": "alpine",
  "coordinates": {
    "name": "openssl",
    "version": "0.9.4"
  }
}

Sample JSON for an Alpine purl is provided below:

"packageUrl": "pkg:alpine/openssl@0.9.4"

Drupal

For Drupal package identifiers, the following coordinates are supported:

  • name
  • version

Sample JSON for a Drupal component identifier is provided below:

"componentIdentifier": {
  "format": "drupal",
  "coordinates": {
    "name": "simplenews",
    "version": "2.0.0"
  }
}

Sample JSON for a Drupal purl is provided below:

"packageUrl": "pkg:drupal/simplenews@2.0.0"

pecoff

For Pecoff identifiers, the following coordinates are supported:

  • name
  • namespace (optional)
  • version

Sample JSON for a Pecoff component identifier is provided below:

"componentIdentifier": {
  "format": "pecoff",
  "coordinates": {
    "name": "0Harmony.dll",
    "namespace": "BepInEx/HarmonyX",
    "version": "2.0.0.0"
  }
}

Sample JSON for a Pecoff purl is provided below:

"packageUrl": "pkg:generic/BepInEx/HarmonyX/0Harmony.dll@2.0.0.0?nexustype=pecoff"

SINCE RELEASE 101

"pkg:generic/0Harmony.dll@2.0.0.0?nexusnamespace=BepInEx%2FHarmonyX&nexustype=pecoff"

Swift 

NEW IN RELEASE 118

For swift identifiers, the following coordinates are supported:

  • name
  • version

Sample JSON for a swift component identifier is provided below:

"componentIdentifier": {
  "format": "swift",
  "coordinates": {
    "name": "github.com/ReactiveX/RxSwift",
    "version": "5.1.0"
  }
}

Sample JSON for a swift purl is provided below:

"packageUrl": "pkg:swift/github.com/ReactiveX/RxSwift@5.1.0"