Forget SBOMs, use PURLs

<p>SBOMs have become the poster child of supply chain security. Everyone's generating them, regulators are demanding them, and compliance tools are built around them. But, the same package gets identified differently across tools, ecosystems, and standards. You end up with multiple SBOMs for the same software that can't be correlated, cross-referenced, or meaningfully compared - or actionable for vulnerability exploitability and remediation.</p> <p>Package-URLs (PURLs: https://github.com/package-url/purl-spec) solve the identification problem to make SBOMs actually useful. A PURL provides a universal, standardized identifier for any package across any ecosystem. This simple spec makes supply chain tooling interoperable, enabling vulnerability databases, compliance tools, and SBOM generators to speak the same language about packages, regardless of source.</p> <p>This talk covers the latest PURL developments that are making it essential infrastructure: validation tools, expanded ecosystem support including AI/ML model identifiers, growing adoption in major security tools and databases, integration into SBOM standards like SPDX and CycloneDX, and community-driven efforts to standardize package identification across the entire supply chain landscape. We'll show real examples where PURLs enable cross-ecosystem vulnerability tracking, make SBOM validation actually possible, and simplify compliance workflows by providing a common identifier system everyone can use.</p> <p>The title is provocative, but the reality is complementary: SBOMs describe your software's composition, PURLs make those descriptions machine-readable and universally meaningful. You'll leave understanding how PURLs are becoming critical infrastructure for supply chain security, why major projects and ecosystems are adopting PURL, and how to integrate PURLs into your own tooling and compliance automation workflows.</p>