• Philippe Ombredanne on SBOMs, SCA and PURLs. Oh my!

  • Jul 12 2023
  • Duration: 36 min
  • Podcast


  • Summary

  • It must have been a year or so ago when I was looking for an open source vulnerability scanner to use in a project I was working on. As I scoured the internet, I stumbled upon a project called "VulnerableCode" - a server that could run locally and would return vulnerability information if you called its API and gave it a Purl.

    What's a Purl? It's an abbreviation for Package URL and it identifies a component that's used in a software we build. Think of it like a hyperlink that contains metadata such as ecosystem, name, version, among other things... 

    Why is it so important? It's quite simple. If you have a component Purl, you can query a vulnerability database and get a list of CVEs that affect that component.

    So we can think of a Purl as a key of sorts - and it shows up everywhere in a Software Bill of Materials. 
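As an added example (not code from the episode, from bomber, or from VulnerableCode), here is a small Python parser for the Package URL format (`pkg:type/namespace/name@version?qualifiers#subpath`) and a lookup that uses the parsed purl as the key. The vulnerability table is constructed for the example and its IDs are placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

@dataclass(frozen=True)
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Tuple[Tuple[str, str], ...] = ()
    subpath: Optional[str] = None

def _rsplit_once(s: str, sep: str):
    head, found, tail = s.rpartition(sep)  # rightmost occurrence; (s, None) if absent
    return (head, tail) if found else (s, None)

def parse_purl(purl: str) -> Purl:
    # grammar: pkg:type/namespace/name@version?qualifiers#subpath
    if not purl.startswith("pkg:"):
        raise ValueError("purl must start with 'pkg:'")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, subpath = _rsplit_once(rest, "#")     # optional parts peel off from the right
    rest, qualifiers = _rsplit_once(rest, "?")
    rest, version = _rsplit_once(rest, "@")     # a literal '@' in a namespace must be %40
    segments = rest.strip("/").split("/")
    if len(segments) < 2 or not segments[0] or not segments[-1]:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    pairs = (q.partition("=") for q in (qualifiers or "").split("&"))
    quals = sorted((k.lower(), unquote(v)) for k, _, v in pairs if k)  # keys case-insensitive
    return Purl(type=segments[0].lower(), name=unquote(segments[-1]),
                namespace="/".join(unquote(s) for s in segments[1:-1]) or None,
                version=unquote(version) if version else None,
                qualifiers=tuple(quals),
                subpath=subpath.strip("/") if subpath else None)

def lookup_key(p: Purl) -> str:
    # canonical key: type, namespace, name, version; qualifiers and subpath are dropped
    path = f"{p.namespace}/{p.name}" if p.namespace else p.name
    return f"pkg:{p.type}/{path}" + (f"@{p.version}" if p.version else "")

# Constructed sample table standing in for a vulnerability service; the IDs are placeholders.
KNOWN_VULNS = {
    "pkg:maven/org.apache.commons/commons-text@1.9": ["CVE-EXAMPLE-0001"],
    "pkg:pypi/django@3.2": ["CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"],
}

def find_vulns(purl: str) -> List[str]:
    return list(KNOWN_VULNS.get(lookup_key(parse_purl(purl)), []))
```

A real scanner would send the same canonical key to a service such as VulnerableCode instead of a local dictionary; the point is that the purl, once normalised, is the lookup key.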

    Anyway, let's get back to the story. 

    The project I was working on? It was a little proof of concept CLI that would eventually become "bomber" - one of the first open source SBOM vulnerability scanners. I started prototyping using VulnerableCode but then moved on to vulnerability APIs that were available online, but I always wanted to return to VulnerableCode someday.

    That day came in December last year when a new issue was created in the bomber project on GitHub. It was titled "Fetch Data from VulnerableCode" and was submitted by one of its creators, Philippe Ombredanne. When we finally connected via email a few months later, I found out a few very interesting things about Philippe.

    First, he invented the Purl. 

    Second, he has a long history with SPDX, CycloneDX, and Software Bill of Materials. 

    Welcome back to daBOM.
