Fetching vulnerabilities via api for ubuntu packages by purl with version does not work

[Andre-85]

Hello everyone,
I tried to fetch vulnerabilities via api with the purl (Package URL). The SBOM from which I am extracting the packages, the purl has following format: pkg:deb/ubuntu/PACKAGE_NAME@VERSION.

What I've tested:

1. the api works with purls like this for e.g. maven packages. Test: curl -d '{"package": {"purl": "pkg:maven/org.apache.struts/[email protected]"}}' https://api.osv.dev/v1/query)
2. Ubuntu purls work if i know the arch and the distribution. Test: curl -d '{"package": {"purl": "pkg:deb/ubuntu/ruby-sinatra?arch=src?distro=jammy"}}' https://api.osv.dev/v1/query
3. It works if I split the purl in package-name, version, namespace(==ecosystem). Test: curl -d '{"package": {"name": "atftp"}, "version": "0.7.git20120829-3.1~0.18.04.1", ecosystem: "ubuntu"}' https://api.osv.dev/v1/query
4. But giving the purl only for the same package and version like in 3., returns nothing. Test: curl -d '{"package": {"purl": "pkg:deb/ubuntu/[email protected]~0.18.04.1"}}' https://api.osv.dev/v1/query

Right now I use (3.) as a workaround, but i would be nice if it could work like (1.).

Thank you very much for your help in advance.

Greetings,
André