feat: Add support for Package URLs.

Signed-off-by: Andrew Lilley Brinker <[email protected]>

Author: alilleybrinker

schema/CVE_Record_Format.json

@@ -539,17 +539,54 @@
                     "items": {
                         "$ref": "#/definitions/cpe_match"
                     }
+                },
+                "purlMatch": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/purl_match"
+                    }
                 }
             },
             "allOf": [
                 { "required": ["operator"] },
                 {
                     "anyOf": [
-                        { "required": ["cpeMatch"] }
+                        { "required": ["cpeMatch"] },
+                        { "required": ["purlMatch"] }
                     ]
                 }
             ]
         },
+        "purl_match": {
+            "description": "purl match string or range",
+            "type": "object",
+            "properties": {
+                "vulnerable": {
+                    "type": "boolean"
+                },
+                "criteria": {
+                    "description": "Placeholder until we find a formal purl schema",
+                    "$ref": "#/definitions/uriType"
+                },
+                "matchCriteriaId": {
+                    "$ref": "#/definitions/uuidType"
+                },
+                "versionStartExcluding": {
+                    "$ref": "#/definitions/version"
+                },
+                "versionStartIncluding": {
+                    "$ref": "#/definitions/version"
+                },
+                "versionEndExcluding": {
+                    "$ref": "#/definitions/version"
+                },
+                "versionEndIncluding": {
+                    "$ref": "#/definitions/version"
+                }
+            },
+            "required": ["vulnerable", "criteria"],
+            "additionalProperties": false
+        },
         "cpeApplicabilityElement": {
             "description": "Affected products defined using an implementation of the CPE Applicability Language, mostly copied/forked from the NIST NVD CVE API v2.0 schema (optional). An operator property allows AND or OR logic between CPEs or combinations of CPEs. The negate and vulnerable Boolean properties allow CPEs to be inverted and/or defined as vulnerable or not. Multiple version fields are provided for capturing ranges of products when defining a CPE Match String Range. NOTE: When defining a cpeApplicability block, it is recommended that it align with (as much as possible) the product data provided within the affected block.",
             "properties": {