pombredanne opened 6 years ago
Here's how the OWASP Dependency-Check and Dependency-Track community are using it.
For background... I am a core contributor to the Dependency-Check project, I'm also the project lead of the Jenkins plugin, SonarQube plugin, and OWASP Dependency-Track. I also am the creator of the CycloneDX BOM spec which is a lightweight alternative to SPDX.
NOTE: This is not an architectural diagram, nor does it represent all the relationships between the various components. This diagram's sole purpose is to document how PackageURL is being used in this ecosystem.
As of today, most everything here is working. For Dependency-Check, this is already being used by thousands of organizations (including the capability of using CycloneDX BOMs with PackageURL support in the Jenkins plugin). Dependency-Track v3 is launching end of March 2018 (in a few weeks) with full support for everything here.
@stevespringett implemented Purl in his dependency-track, which is a package vulnerabilities tracker. I think this is an awesome use case. https://github.com/search?l=&q=purl+user%3Astevespringett&ref=advsearch&type=Code&utf8=%E2%9C%93
We should have a page or doc of sorts that showcases adopters and users! For now some is in the spec, alright, but it should eventually be moved out of it and made more prominent.