
Okay, so PURL is basically the thing that actually makes SBOMs usable for open source, not just a list of 'best guesses' with CPEs?


That's actually the best explanation I have seen in a long time!

- in most cases, no guesses needed
- you can use it in Cyclone, SPDX, and CSAF and still talk about the same package even if the format varies
- CVE.org is considering it as an addition on the same footing as CPE
- there are a good bunch of databases that "speak" PURL, like Google OSV, Sonatype OSS Index, Deps.dev, and AboutCode's PurlDB and VulnerableCode (disclosure: I am a lead maintainer for AboutCode FOSS projects)
- most scanners speak PURL too.

Note that some scanners and tools speak not exactly PURL but some "PURLish" dialect, and we have a project to help streamline that and lift up the whole ecosystem of PURL users with https://nlnet.nl/project/purlvalidator/
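To make the "same identifier across formats" point concrete, here is an added example (my own illustration, not code from AboutCode or the purl-spec project): a small parser plus canonicalizer for the purl grammar, showing how two "PURLish" spellings of one package fold to a single canonical string. The sample purls are constructed, and the github/pypi case-folding rules reflect my reading of the spec.

```python
# Added example, not AboutCode's or the spec's own code: a minimal Package-URL
# parser/canonicalizer for pkg:type/namespace/name@version?qualifiers#subpath
from urllib.parse import quote, unquote

def _rsplit_once(s, sep):
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, None)

def parse_purl(purl: str) -> dict:
    rest, subpath = _rsplit_once(purl, "#")    # spec order: subpath, qualifiers,
    rest, quals = _rsplit_once(rest, "?")      # scheme, type, version, namespace/name
    scheme, _, rest = rest.partition(":")
    if scheme.lower() != "pkg":
        raise ValueError("not a purl: missing pkg: scheme")
    ptype, _, rest = rest.strip("/").partition("/")   # tolerates 'pkg://' and trailing '/'
    rest, version = _rsplit_once(rest, "@")
    ns, _, name = rest.rpartition("/")
    p = {"type": ptype.lower(), "name": unquote(name),
         "namespace": "/".join(unquote(s) for s in ns.split("/") if s) or None,
         "version": unquote(version) if version else None, "qualifiers": {},
         "subpath": "/".join(unquote(s) for s in (subpath or "").split("/")
                             if s not in ("", ".", "..")) or None}
    if not p["name"]:
        raise ValueError("purl name is required")
    for pair in (quals or "").split("&"):
        key, _, value = pair.partition("=")
        if value:                              # empty qualifier values are dropped
            p["qualifiers"][key.lower()] = unquote(value)
    # type-specific rules from the spec: these ecosystems are case-insensitive
    if p["type"] in ("github", "bitbucket"):
        p["name"] = p["name"].lower()
        p["namespace"] = p["namespace"].lower() if p["namespace"] else None
    elif p["type"] == "pypi":                  # PyPI also folds '_' to '-'
        p["name"] = p["name"].lower().replace("_", "-")
    return p

def canonical(p: dict) -> str:
    """Re-serialize in canonical form so two spellings compare as one string."""
    enc = lambda s: quote(s, safe="")
    out = f"pkg:{p['type']}/"
    if p["namespace"]:
        out += "/".join(enc(s) for s in p["namespace"].split("/")) + "/"
    out += enc(p["name"]) + (f"@{enc(p['version'])}" if p["version"] else "")
    if p["qualifiers"]:
        out += "?" + "&".join(f"{k}={enc(v)}" for k, v in sorted(p["qualifiers"].items()))
    if p["subpath"]:
        out += "#" + "/".join(enc(s) for s in p["subpath"].split("/"))
    return out
```

Feeding `PKG:PyPI/Django_Rest_Framework@3.14.0` and `pkg:pypi/django-rest-framework@3.14.0` through `canonical(parse_purl(...))` yields the same string, which is what lets an SBOM entry and a vulnerability database record match without guessing.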


Yes, 1000x yes



