diff --git a/ChangeLog.md b/ChangeLog.md
index 5f47898..075740a 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -8,6 +8,7 @@ ## NEXT
 * Be more resilient about missing metadata in CycloneDX SBOMs.
+* `project createbom` uses purl from SW360 if available instead of building it
 ## 2.0.0 (2023-06-02)
diff --git a/capycli/project/create_bom.py b/capycli/project/create_bom.py
index 507fc3f..1fd4056 100644
--- a/capycli/project/create_bom.py
+++ b/capycli/project/create_bom.py
@@ -93,10 +93,13 @@ def create_project_bom(self, project_id) -> list:
 rel_item["Language"] = self.list_to_string(release_details.get("languages", ""))
 rel_item["SourceCodeDownloadUrl"] = release_details.get("sourceCodeDownloadurl", "")
 rel_item["BinaryDownloadUrl"] = release_details.get("binaryDownloadurl", "")
- rel_item["Purl"] = self.get_external_id("purl", release_details)
- if not rel_item["Purl"]:
+
+ rel_item["RepositoryId"] = self.get_external_id("package-url", release_details)
+ if not rel_item["RepositoryId"]:
 # try another id name
- rel_item["Purl"] = self.get_external_id("package-url", release_details)
+ rel_item["RepositoryId"] = self.get_external_id("purl", release_details)
+ if rel_item["RepositoryId"]:
+ rel_item["RepositoryType"] = "package-url"
 if "repository" in release_details:
 rel_item["Repository"] = release_details["repository"].get("url", "")
diff --git a/tests/test_create_bom.py b/tests/test_create_bom.py
index 3896de6..438dee4 100644
--- a/tests/test_create_bom.py
+++ b/tests/test_create_bom.py
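Review bot: The purl read from SW360's externalIds is copied into `rel_item["RepositoryId"]` without any format check, so a malformed or mistyped external id lands verbatim in the generated SBOM, and downstream consumers that match vulnerabilities by purl would silently skip or mismatch that component. A minimal guard after the fallback, `if rel_item["RepositoryId"] and not rel_item["RepositoryId"].startswith("pkg:"):` followed by emitting a warning and clearing the value, would keep bad ids on the existing build-the-purl path (the ChangeLog entry says that is what happens when no purl is found). Note that `RepositoryType` is set to `"package-url"` whether the id came from the `package-url` or the `purl` key; if that is intentional a one-line comment saying so would help, since the comment `# try another id name` only explains the second lookup. The hunk also renames the `Purl` key to `RepositoryId`, so anything else in `create_project_bom` or its callers that still reads `rel_item["Purl"]` would now raise KeyError; the function starts and ends outside the hunk, so that cannot be confirmed here.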
@@ -125,6 +125,50 @@ def test_project_not_found(self) -> None:
 except SystemExit as ex:
 self.assertEqual(ResultCode.RESULT_ERROR_ACCESSING_SW360, ex.code)
+ @responses.activate
+ def test_project_by_id(self):
+ sut = CreateBom()
+
+ self.add_login_response()
+ sut.login(token=TestBase.MYTOKEN, url=TestBase.MYURL)
+
+ # the project
+ project = self.get_project_for_test()
+ responses.add(
+ responses.GET,
+ url=self.MYURL + "resource/api/projects/p001",
+ json=project,
+ status=200,
+ content_type="application/json",
+ adding_headers={"Authorization": "Token " + self.MYTOKEN},
+ )
+
+ # the first release
+ responses.add(
+ responses.GET,
+ url=self.MYURL + "resource/api/releases/r001",
+ json=self.get_release_wheel_for_test(),
+ status=200,
+ content_type="application/json",
+ adding_headers={"Authorization": "Token " + self.MYTOKEN},
+ )
+
+ # the second release
+ release = self.get_release_cli_for_test()
+ # use a specific purl
+ release["externalIds"]["package-url"] = "pkg:deb/debian/cli-support@1.3-1"
+ responses.add(
+ responses.GET,
+ url=self.MYURL + "resource/api/releases/r002",
+ json=release,
+ status=200,
+ content_type="application/json",
+ adding_headers={"Authorization": "Token " + self.MYTOKEN},
+ )
+
+ cdx_bom = sut.create_project_cdx_bom("p001")
+ self.assertEqual(cdx_bom[0].purl, release["externalIds"]["package-url"])
+
 @responses.activate
 def test_project_show_by_name(self):
 sut = CreateBom()
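Review bot: The assertion `self.assertEqual(cdx_bom[0].purl, release["externalIds"]["package-url"])` ties the overridden release (r002, registered second) to index 0 of the returned BOM, so the test passes or fails on whatever ordering `create_project_cdx_bom` applies rather than on the component's identity; selecting the component by name before asserting its purl would make the test independent of that order. The test also exercises only the `package-url` branch: the first release (r001) presumably goes through the `purl`-key fallback or the built purl, but its purl is never asserted, so a regression there would go unnoticed — a second assertion on the wheel component's purl would cover it. `test_project_show_by_name` continues outside the hunk.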