purl-inspect
Inspect PURL for matching CVEs and vulnerabilities
Synopsis
Look up a specific package version in the DevGuard vulnerability database and display all known CVEs, their CVSS scores, EPSS exploit probability, and whether a fix is available.
A PURL (Package URL) is a standard way to identify a software package across ecosystems. The format is pkg:type/namespace/name@version, where type is the package ecosystem (npm, deb, pypi, ...), namespace is optional (the distribution for Debian packages, the scope for npm packages) and version is the exact version to look up. Note the scheme is pkg: with no slashes after the colon.

For example:

  pkg:npm/lodash@4.17.20        (npm package)
  pkg:deb/debian/libc6@2.31-1   (Debian package)
  pkg:pypi/requests@2.25.0      (Python package)
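The following parser, added here as an illustration and not taken from DevGuard's source, shows how the PURL components above are pulled apart in the order the public PURL specification prescribes (strip pkg:, then the #subpath, then ?qualifiers, then the @version, then type/namespace/name). It also handles two cases the examples above do not show: qualifiers such as ?arch=amd64, and percent-encoded namespaces such as the npm scope %40angular. Function and type names (ParsePURL, PURL) are my own choices.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// PURL holds the components of a Package URL:
//   pkg:type/namespace/name@version?qualifiers#subpath
// Only type and name are mandatory; the rest are optional.
type PURL struct {
	Type       string
	Namespace  string
	Name       string
	Version    string
	Qualifiers map[string]string
	Subpath    string
}

// ParsePURL splits a PURL string into its components. Parsing order matters:
// subpath and qualifiers are removed first so that a '@' or '/' inside them
// cannot be mistaken for the version separator or a namespace segment.
func ParsePURL(s string) (*PURL, error) {
	const scheme = "pkg:"
	if !strings.HasPrefix(s, scheme) {
		return nil, errors.New("purl: missing pkg: scheme")
	}
	// The spec tolerates "pkg://" by ignoring leading slashes after the scheme.
	rest := strings.TrimLeft(s[len(scheme):], "/")
	p := &PURL{Qualifiers: map[string]string{}}

	// Subpath: everything after the first '#'.
	if i := strings.Index(rest, "#"); i >= 0 {
		p.Subpath = strings.Trim(rest[i+1:], "/")
		rest = rest[:i]
	}
	// Qualifiers: key=value pairs after the first '?', joined by '&'.
	if i := strings.Index(rest, "?"); i >= 0 {
		for _, kv := range strings.Split(rest[i+1:], "&") {
			if kv == "" {
				continue
			}
			k, v, ok := strings.Cut(kv, "=")
			if !ok || k == "" {
				return nil, fmt.Errorf("purl: malformed qualifier %q", kv)
			}
			dv, err := url.PathUnescape(v)
			if err != nil {
				return nil, err
			}
			p.Qualifiers[strings.ToLower(k)] = dv // qualifier keys are case-insensitive
		}
		rest = rest[:i]
	}
	// Version: after the last '@', so a literal '@' in an npm scope still works.
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		v, err := url.PathUnescape(rest[i+1:])
		if err != nil {
			return nil, err
		}
		p.Version = v
		rest = rest[:i]
	}
	// Remaining "type/namespace.../name": first segment is the type, last is the name.
	parts := strings.Split(rest, "/")
	if len(parts) < 2 || parts[0] == "" || parts[len(parts)-1] == "" {
		return nil, errors.New("purl: need at least type and name")
	}
	p.Type = strings.ToLower(parts[0]) // type is case-insensitive per spec
	name, err := url.PathUnescape(parts[len(parts)-1])
	if err != nil {
		return nil, err
	}
	p.Name = name
	if len(parts) > 2 {
		ns := make([]string, 0, len(parts)-2)
		for _, seg := range parts[1 : len(parts)-1] {
			if seg == "" {
				continue
			}
			d, err := url.PathUnescape(seg) // e.g. "%40angular" -> "@angular"
			if err != nil {
				return nil, err
			}
			ns = append(ns, d)
		}
		p.Namespace = strings.Join(ns, "/")
	}
	return p, nil
}

func main() {
	// Constructed sample inputs, including a qualifier and an encoded npm scope.
	for _, s := range []string{
		"pkg:npm/lodash@4.17.20",
		"pkg:deb/debian/libc6@2.31-1?arch=amd64",
		"pkg:pypi/requests@2.25.0",
		"pkg:npm/%40angular/core@12.0.0",
		"npm/lodash@4.17.20", // missing scheme: rejected
	} {
		p, err := ParsePURL(s)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Printf("%-42s type=%s ns=%q name=%s version=%s qualifiers=%v\n",
			s, p.Type, p.Namespace, p.Name, p.Version, p.Qualifiers)
	}
}
```

Normalising the type to lower case and decoding percent-escapes before a database lookup matters for a tool like this: two spellings of the same package must map to the same row, or a CVE match is silently missed.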
The output also shows alias deduplication — when two CVE IDs refer to the same underlying vulnerability, DevGuard keeps only the canonical one and tells you which were removed.