From ff6ac7db9dfb105a6ba2384258fa2b553fccb07b Mon Sep 17 00:00:00 2001 From: Oliver Chang Date: Wed, 30 Oct 2024 08:39:37 +1100 Subject: [PATCH] Clarify PURL requirements. (#300) PURLs should not include the `@version` component when used in OSV. `affected[].ranges[]` should be used for this purpose. Signed-off-by: Oliver Chang --- docs/schema.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/schema.md b/docs/schema.md index 467e5cc..910e588 100644 --- a/docs/schema.md +++ b/docs/schema.md @@ -667,7 +667,8 @@ within its ecosystem. The two fields must both be present, because the The `purl` field is a string following the [Package URL specification](https://github.com/package-url/purl-spec) that -identifies the package. This field is optional but recommended. +identifies the package, without the `@version` component. +This field is optional but recommended. Different ecosystems can define the same names; they identify different packages. For example, these denote different libraries with different sets of
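Review bot: In the docs/schema.md hunk, the added wording "identifies the package, without the `@version` component" states the restriction only in passing. It does not say how strong the requirement is, and it leaves out the pointer the commit message gives, that `affected[].ranges[]` should be used for this purpose. A reader of the schema page alone will not learn where version information belongs, and a tool author cannot tell whether a PURL that carries `@version` should be rejected or tolerated. Suggest making it a sentence of its own, using the same normative style as the neighbouring text ("The two fields must both be present"), for example: "The PURL should not include the `@version` component; use `affected[].ranges[]` to express affected versions." It would also help to say whether the other optional PURL parts (qualifiers, subpath) are acceptable here, since the new text singles out only the version.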