Hi Sandeep – Moving the conversation over to the SPDX-tech mailing list.

Unfortunately, adding in a CPE ID or pURL would include characters disallowed in the SPDX ID.

Fortunately, there is a way to express the pURL and CPE ID in the SPDX Package using the ExternalRef property.  If you add these properties, tools such as the SPDX to OSV will pick up the references and use them to uniquely identify the packages.

Here’s an example in JSON format for a CPE 2.3 ID:

  "packages" : [ {

                   "SPDXID" : "SPDXRef-Package",

                   "externalRefs" : [ {

                     "referenceCategory" : "SECURITY",

                     "referenceLocator" : "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",

                     "referenceType" : "cpe23Type"

                   },  …

See the ExternalRef subsection of the spec and the External Repository Identifiers Annex for more details.

Regards,
Gary