Description
It would be very useful to generate SBOMs with purl entries through purl2cpe, which is licensed under MIT. My basic idea would be to fill purl entries depending on what is returned by the purl2cpe database. Here is an example:
sqlite> select distinct purl from purl2cpe where cpe like "%d-bus_project:d-bus%";
pkg:deb/debian/dbus
pkg:deb/ubuntu/dbus
pkg:github/freedesktop/dbus
pkg:rpm/fedora/dbus
Why?
With purl, SBOM managers will retrieve useful upstream information: latest version, repository activity, etc.
Environment context (optional)
Currently, cve-bin-tool is used during our pentests to detect vulnerable components and ask manufacturers to upgrade them.
We're now starting to also use cve-bin-tool to generate SBOM.
Hopefully, the SBOM should help the project manager to handle CVEs throughout the product lifecycle.
Ideally, SBOM should be provided by manufacturers but for the moment, cve-bin-tool generates better SBOM than the manufacturer ...
Anything else?
I'm not sure where purl2cpe should be integrated: in cve-bin-tool or in lib4sbom?
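The lookup sketched in the description (resolve a detected CPE vendor/product pair to purl2cpe purls, then fill a component's purl entry), as an added example that is not part of this issue, cve-bin-tool or lib4sbom. It assumes only the `purl2cpe` table with `purl` and `cpe` columns shown in the sqlite session; the rows are constructed here, and the CycloneDX component layout (first purl as `purl`, all candidates as `properties`) is a hypothetical choice. It also escapes `_` and `%`, because `_` in `d-bus_project` is a single-character wildcard in a bare LIKE pattern.

```python
import sqlite3
from typing import Dict, List

# Constructed sample rows in the shape of the purl2cpe table (columns purl, cpe).
# Only the table and column names come from the issue; the rows are made up here.
SAMPLE_ROWS = [
    ("pkg:deb/debian/dbus", "cpe:2.3:a:d-bus_project:d-bus:*:*:*:*:*:*:*:*"),
    ("pkg:deb/ubuntu/dbus", "cpe:2.3:a:d-bus_project:d-bus:*:*:*:*:*:*:*:*"),
    ("pkg:github/freedesktop/dbus", "cpe:2.3:a:d-bus_project:d-bus:*:*:*:*:*:*:*:*"),
    ("pkg:rpm/fedora/dbus", "cpe:2.3:a:d-bus_project:d-bus:*:*:*:*:*:*:*:*"),
    # Constructed near-miss vendor: a bare LIKE '%d-bus_project%' would match it,
    # because '_' is a single-character wildcard in SQL LIKE.
    ("pkg:generic/lookalike", "cpe:2.3:a:d-busxproject:d-bus:*:*:*:*:*:*:*:*"),
]


def open_sample_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for the purl2cpe SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE purl2cpe (purl TEXT, cpe TEXT)")
    conn.executemany("INSERT INTO purl2cpe VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def _like_escape(value: str) -> str:
    """Escape LIKE metacharacters so vendor/product strings match literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def purls_for_cpe(conn: sqlite3.Connection, vendor: str, product: str) -> List[str]:
    """Return the distinct purls mapped to a cpe:2.3 vendor:product pair."""
    pattern = f"cpe:2.3:a:{_like_escape(vendor)}:{_like_escape(product)}:%"
    rows = conn.execute(
        "SELECT DISTINCT purl FROM purl2cpe WHERE cpe LIKE ? ESCAPE '\\' ORDER BY purl",
        (pattern,),
    )
    return [row[0] for row in rows]


def cyclonedx_component(conn: sqlite3.Connection, vendor: str, product: str, version: str) -> Dict:
    """Assemble a CycloneDX-style component dict (hypothetical layout: first purl
    becomes the `purl` field, every candidate is kept as a property)."""
    purls = purls_for_cpe(conn, vendor, product)
    comp: Dict = {"type": "library", "name": product, "version": version}
    if purls:  # leave purl absent rather than guessing when the DB has no mapping
        comp["purl"] = f"{purls[0]}@{version}"
        comp["properties"] = [{"name": "purl2cpe:candidate", "value": p} for p in purls]
    return comp
```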