Description
We need to create a PURL accuracy benchmark to ensure that tools create accurate and valid PURLs.
Why? Most SCA tools provide poor results, with invalid or incorrect lists of PURLs. We will handle invalid PURLs elsewhere; the goal here is to create benchmarks using public projects where we state what the correct output should be. That is not only about validating PURLs per se, it is about validating that scans contain valid PURLs.
The plan is to perform the analysis in multiple steps or increments.
The output could be one of:
- a kissbom list of PURLs with license and copyright, OR
- a CycloneDX SBOM, OR
- an SPDX SBOM.
Ideally we should steer clear of any specific SBOM format so that the output is super simple to handle.
Some open source inputs to consider:
- A base Red Hat container image (UBI)
- A base Debian or Ubuntu container image
- A large Go-based web application (with k8s)
- A large Python-based web application
- A large Java/JS-based application
With these inputs, we want to:
- Scan each input
- Validate that the PURLs are correct, complete and exact (no more, no less)
The final output should be as simple as a list of PURLs found in each input (plus some metadata, URLs, etc.).
The intended usage is that any tool should be able to scan the inputs and validate that its output matches the list of PURLs.
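The "no more, no less" check above is the core of the benchmark: a tool's output must match the expected PURL list exactly, and textual variants of the same PURL (upper-case type, reordered qualifiers, percent-encoding differences) must not count as mismatches. The following is an added example, not code from this issue or project, that canonicalises PURLs using only the type-independent rules of the purl spec and reports what a scan missed and what it invented; the `EXPECTED` and `FOUND` lists are constructed sample data.

```python
# Added example: check a tool's PURL output against a benchmark's expected list.
from urllib.parse import quote, unquote


def canonical_purl(purl: str) -> str:
    """Rewrite a PURL into one canonical spelling so that variants compare equal.
    Only type-independent purl rules apply: 'pkg:' and the type are case-insensitive,
    leading slashes are ignored, components are percent-decoded, qualifier keys are
    case-insensitive and unordered. Type-specific rules (e.g. pypi names) are omitted."""
    if purl[:4].lower() != "pkg:":
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[4:].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, qual = rest.partition("?")
    head, sep, version = rest.rpartition("@")       # version follows the last '@'
    if not sep:
        head, version = rest, ""
    ptype, _, path = head.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]   # namespace..., name
    if not ptype or not segments:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    out = f"pkg:{ptype.lower()}/" + "/".join(quote(s, safe="") for s in segments)
    if version:
        out += "@" + quote(unquote(version), safe=":+")
    pairs = {}
    for item in qual.split("&"):
        key, _, value = item.partition("=")
        if key and value:                           # an empty value means "absent"
            pairs[key.lower()] = unquote(value)
    if pairs:
        out += "?" + "&".join(f"{k}={quote(v, safe='/:')}" for k, v in sorted(pairs.items()))
    if subpath:
        out += "#" + "/".join(quote(unquote(s), safe="") for s in subpath.split("/") if s)
    return out


def check_scan(expected: list[str], found: list[str]) -> dict:
    """Report PURLs the scan missed and PURLs it invented; exact means the sets match."""
    want = {canonical_purl(p) for p in expected}
    got = {canonical_purl(p) for p in found}
    return {"missing": sorted(want - got), "extra": sorted(got - want), "exact": want == got}


# Constructed benchmark list and tool output for illustration (not real scan data).
EXPECTED = ["pkg:deb/debian/libc6@2.36-9?arch=amd64",
            "pkg:golang/github.com/gorilla/mux@v1.8.0", "pkg:pypi/requests@2.31.0"]
FOUND = ["PKG:DEB/debian/libc6@2.36-9?ARCH=amd64",      # same package, odd spelling
         "pkg:golang/github.com/gorilla/mux@v1.8.0",
         "pkg:npm/%40angular/core@17.0.0"]               # not in the benchmark
```

Running `check_scan(EXPECTED, FOUND)` flags `requests` as missing and the npm package as extra, while the differently spelled `libc6` PURL is accepted as the same package.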