Support for PackageURL in Security Advisories and Vulnerabilities


Currently, securityVulnerabilities has an ecosystem and a package field. Ideally, these would be removed and replaced with PackageURL, a specification currently adopted by OWASP Dependency-Track, Sonatype OSSIndex, SPDX (Linux Foundation), and others (and many more in the works or considering implementation)

Since components are now being represented by their PackageURL, it only makes sense to perform queries against the PackageURL. Sonatype OSSIndex is a good example of this.