add PURL field to apkv3 package data
Security scanners have trouble disambiguating distribution package names (which live in a flat namespace) from upstream package names. In Alpine, a notable example is the Lua packages, e.g. `lua5.1`, `lua5.2`, etc. In these cases a scanner cannot deduce that `lua5.1` corresponds to upstream `lua` ~5.1 (i.e. lua 5.1.x).
An emerging industry standard for exactly this kind of disambiguation is the Package URL (PURL) specification. We should store this data in APKs, so that scanners can match a package against its upstream project rather than guessing from the distro package name.
(This would also require adding PURLs where needed in our package build recipes, e.g. aports et al., but that is out of scope here.)
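To make the disambiguation concrete, here is an added example (not apk-tools, aports or purl-spec code) that builds and parses PURLs and shows why a name-only match fails for `lua5.1` while a match on a stored upstream PURL succeeds. The distro-side form `pkg:apk/alpine/<name>@<version>?arch=<arch>` is the `apk` type defined by the purl-spec; the `ApkRecord` type, its `purl` field, and the `pkg:generic/lua@...` upstream PURLs are constructed sample data standing in for the field this issue proposes, and the percent-encoding rules follow my reading of the spec.

```python
"""Package URL (PURL) handling for Alpine packages.

Added example, not code from apk-tools, aports or the purl-spec project.
The distro-side form pkg:apk/alpine/<name>@<version>?arch=<arch> follows
the 'apk' type defined by the purl-spec; everything under "constructed
sample data" below is made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote, unquote


@dataclass
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)

    def __str__(self) -> str:
        # Each component is percent-encoded on its own, so a literal '@', '?',
        # '#', ':' or '/' inside a name or version cannot be mistaken for one
        # of the PURL separators (my reading of the spec's encoding rules;
        # the '/' between namespace segments stays unencoded).
        out = "pkg:" + self.type
        if self.namespace:
            out += "/" + "/".join(quote(seg, safe="") for seg in self.namespace.split("/"))
        out += "/" + quote(self.name, safe="")
        if self.version:
            out += "@" + quote(self.version, safe="")
        if self.qualifiers:
            # Qualifier keys are lowercase and emitted in sorted order so that
            # equal PURLs always serialise identically.
            out += "?" + "&".join(
                f"{k.lower()}={quote(v, safe='')}" for k, v in sorted(self.qualifiers.items())
            )
        return out

    @classmethod
    def parse(cls, text: str) -> "Purl":
        if not text.startswith("pkg:"):
            raise ValueError(f"not a PURL (missing pkg: scheme): {text!r}")
        rest = text[len("pkg:"):].lstrip("/")
        rest, _, _subpath = rest.partition("#")   # subpath is not needed here
        rest, _, query = rest.partition("?")
        qualifiers: Dict[str, str] = {}
        if query:
            for pair in query.split("&"):
                key, _, value = pair.partition("=")
                qualifiers[key.lower()] = unquote(value)
        version: Optional[str] = None
        if "@" in rest:  # an encoded '@' is '%40', so a literal one is the separator
            rest, version = rest.rsplit("@", 1)
            version = unquote(version)
        parts = rest.split("/")
        ptype, name = parts[0], unquote(parts[-1])
        if not ptype or len(parts) < 2 or not name:
            raise ValueError(f"PURL needs at least a type and a name: {text!r}")
        namespace = "/".join(unquote(seg) for seg in parts[1:-1]) or None
        return cls(ptype, name, namespace, version, qualifiers)


def apk_purl(name: str, version: str, arch: str) -> Purl:
    """PURL for a package as built and shipped by Alpine (purl-spec 'apk' type)."""
    return Purl("apk", name, namespace="alpine", version=version, qualifiers={"arch": arch})


@dataclass
class ApkRecord:
    """Hypothetical subset of package metadata; `purl` is the proposed upstream field."""
    name: str
    version: str
    arch: str
    purl: Optional[str] = None


# --- constructed sample data ------------------------------------------------
# Hypothetical upstream PURLs: Lua has no dedicated purl type, so 'generic' is
# used, and the upstream versions are illustrative only.
SAMPLE_PACKAGES = [
    ApkRecord("lua5.1", "5.1.5-r10", "x86_64", purl="pkg:generic/lua@5.1.5"),
    ApkRecord("lua5.2", "5.2.4-r8", "x86_64", purl="pkg:generic/lua@5.2.4"),
    ApkRecord("lua5.1", "5.1.5-r10", "x86_64"),  # same package, field absent
]


def matches_by_name(rec: ApkRecord, upstream_name: str) -> bool:
    """What a scanner can do today: compare the flat distro name to upstream's."""
    return rec.name == upstream_name


def matches_by_purl(rec: ApkRecord, upstream_name: str, version_line: str) -> bool:
    """With the upstream PURL present, match on the upstream name plus a version
    line such as '5.1' (component-wise, so '5.1' does not match 5.10.x)."""
    if rec.purl is None:
        return False
    up = Purl.parse(rec.purl)
    if up.name != upstream_name or up.version is None:
        return False
    want = version_line.split(".")
    return up.version.split(".")[: len(want)] == want


if __name__ == "__main__":
    for rec in SAMPLE_PACKAGES:
        print(apk_purl(rec.name, rec.version, rec.arch),
              "by-name:", matches_by_name(rec, "lua"),
              "by-purl:", matches_by_purl(rec, "lua", "5.1"))
```

The third sample record is the status quo: without the field, the scanner is back to guessing from `lua5.1`. The version comparison is deliberately component-wise rather than a string prefix, since a `5.1` advisory must not pull in a hypothetical `5.10.x` upstream.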