cyclonedx-linux-generator
fix: make a purl DT can recognize, add CPE
Make the purl that is output align with what DependencyTrack expects. I understand this could potentially be breaking for those who expect the purl to be where the package was downloaded from. Added a details map Download-Url key for that old value.
Reference: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#rpm
But I know that purls don't seem that well supported for OS packages. So I'm also adding CPEs for RedHat. (I'm gonna trick DependencyTrack into recognizing vulnerable packages, if by hook or by crook! 😆)
Closes #11
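As an added illustration of the change described above (example code, not the generator's own), this builds a component record whose purl follows the rpm layout in the linked purl-spec section, keeps the download URL under the Download-Url details key, and adds a CPE 2.3 string for RedHat packages. The record layout, the CPE field choices and the sample package are assumptions made for the example.

```python
from urllib.parse import quote


def rpm_purl(vendor, name, version, release, arch=None, epoch=None, distro=None):
    """pkg:rpm/<vendor>/<name>@<version>-<release>?<qualifiers> per PURL-TYPES.rst#rpm.

    The vendor namespace is lowercased, every component is percent-encoded, and
    qualifiers are emitted sorted by key so two generators agree on the string.
    """
    head = (f"pkg:rpm/{quote(vendor.lower(), safe='')}/{quote(name, safe='')}"
            f"@{quote(f'{version}-{release}', safe='')}")
    quals = {"arch": arch, "epoch": epoch, "distro": distro}
    qs = "&".join(f"{k}={quote(str(v), safe='')}"
                  for k, v in sorted(quals.items()) if v is not None)
    return head + (f"?{qs}" if qs else "")


def cpe23_fs(value):
    # CPE 2.3 formatted-string binding: alphanumerics, '_', '.' and '-' stay as
    # they are; any other printable character is quoted with a backslash.
    return "".join(c if c.isalnum() or c in "_.-" else "\\" + c for c in value)


def redhat_cpe(name, version, release):
    # Assumption: vendor "redhat", product = package name, version = version-release,
    # remaining seven fields left as "*" (any). 13 colon-separated fields in total.
    fields = ["cpe", "2.3", "a", "redhat", cpe23_fs(name.lower()),
              cpe23_fs(f"{version}-{release}")] + ["*"] * 7
    return ":".join(fields)


def component(pkg):
    """Turn one rpm record (a plain dict, constructed for this example) into a component."""
    is_redhat = pkg["vendor"].lower() == "redhat"
    return {
        "name": pkg["name"],
        "version": f"{pkg['version']}-{pkg['release']}",
        "purl": rpm_purl(pkg["vendor"], pkg["name"], pkg["version"], pkg["release"],
                         arch=pkg.get("arch"), epoch=pkg.get("epoch"), distro=pkg.get("distro")),
        "cpe": redhat_cpe(pkg["name"], pkg["version"], pkg["release"]) if is_redhat else None,
        # The value the purl used to carry is preserved here, as the PR describes.
        "details": {"Download-Url": pkg["download_url"]},
    }


# Constructed sample input; the URL is a placeholder, not a real mirror.
SAMPLE_PKG = {"vendor": "RedHat", "name": "curl", "version": "7.61.1", "release": "22.el8",
              "arch": "x86_64", "epoch": "1", "distro": "rhel-8",
              "download_url": "https://mirror.example.invalid/curl-7.61.1-22.el8.x86_64.rpm"}

if __name__ == "__main__":
    print(component(SAMPLE_PKG))
```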
Can somebody merge this PR please?