fix: include group/namespace across formats

[kzantow]

This PR is a follow-on from adding a PURL list format to Syft.

This PR removes the specialized PURL conversion to packages, instead allowing Syft to manage this as well as enhance provided SBOMs using data found in the PURL. The results of this is it fixes a number of issues that many package types were incomplete from SBOMs generated using tools other than Syft, which properly included the CycloneDX group field and/or namespace in the PURL. Additionally, per-package distro handling has been centralized to populate package distros regardless of import format, so SBOMs created with tools other than Syft are able to specify upstream packages and linux distributions on a per-package basis.

• Fixes Grype false negatives in versions v0.88.0 and later leading to missed critical vulnerabilities #2628
• Fixes Dropping group from npm package names leads to false positives #2554
• Fixes @jridgewell/gen-mapping incorrectly attributed GHSA-8rmg-jf7p-4p22 #1886
• Fixes Vulnerability reported on @group/name dependency when actual vulnerability exists on name dependency #1701