For all its expressiveness of the CPE format I find PURLs much easier to work with. Especially when it comes to software that doesn't fall neatly into the classic vendor/product split like what CPE envisions.
Yeah, the CPE idea of a vendor for an open source package does not compute too well!
FWIW, PURL came about as I could NOT put my mind around CPEs when I was scanning for package and deps with scancode and could not find any easy way to go from that to looking up a vulnerability/CVE in the NVD, as it was all guesswork and manual.
So we started instead to put the vuln data in our own db, keyed by something that would be easy to relate from the scans. This eventually became PURL
