
Replace qualifier with optional namespace for local packages

Open ModestMannfred opened this issue 2 years ago • 1 comment

I am new to purl and sbom, so it is possible that I am not understanding this correctly.

From: https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst

namespace: some name prefix such as a Maven groupid, a Docker image owner, a GitHub user or organization. Optional and type-specific. ... qualifiers: extra qualifying data for a package such as an OS, architecture, a distro, etc. Optional and type-specific.

If I have a local package, the current output is like this:

pkg:cargo/<name_of_package>@<version>?download_url=file%3A%2F%2F.

The file://. is kind of useless and is not actually a download URL. These packages are proprietary and not available for direct download. Therefore, I propose the following:

pkg:cargo/<optional_namespace>/<name_of_package>@<version>

subpath remains untouched.

I have implemented this by providing a CLI override argument --local-namespace=<STRING>, which replaces source=None with Some(NormalizedString::new(format!("local+{}", namespace))); in the cargo metadata output and parses it accordingly in purl.rs.

ModestMannfred avatar Feb 02 '24 08:02 ModestMannfred
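To make the two purl shapes discussed in this issue concrete, here is an added example in Rust that builds a cargo purl either in the current form (a download_url qualifier carrying file://.) or in the proposed form (an optional namespace segment before the package name). This is illustrative code written for this page, not code from cyclonedx-rust-cargo or from the issue author; the crate name my-internal-crate and the namespace acme are constructed values, the --local-namespace flag from the issue is not modelled, and the percent-encoding follows the purl specification's rule of keeping only RFC 3986 unreserved characters, which is what produces the file%3A%2F%2F. seen above. The point for an SBOM consumer is visible in the output: the qualifier form encodes a path that identifies nothing once the SBOM leaves the build machine, while the namespace form carries the owner information into the identifier itself.

```rust
// Added example, not project code: build a cargo purl with an optional
// namespace (the proposed shape) beside the current download_url shape.

/// Percent-encode one purl component. Unreserved characters (RFC 3986
/// ALPHA / DIGIT / "-" / "." / "_" / "~") pass through; everything else,
/// including ':' and '/', becomes %XX. "file://." therefore encodes as
/// "file%3A%2F%2F.", matching the qualifier value quoted in the issue.
fn pct_encode(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// The pieces of a cargo purl we care about here. Subpath is left out,
/// as the issue proposes leaving it untouched.
pub struct CargoPurl<'a> {
    pub namespace: Option<&'a str>, // hypothetical: cargo purls have no namespace today
    pub name: &'a str,
    pub version: &'a str,
    pub qualifiers: Vec<(&'a str, &'a str)>,
}

/// Assemble pkg:cargo/[namespace/]name@version[?k=v&...].
/// Qualifier keys are lowercased and sorted, values percent-encoded,
/// as the purl specification requires for canonical form.
pub fn build_purl(p: &CargoPurl) -> String {
    let mut s = String::from("pkg:cargo/");
    if let Some(ns) = p.namespace {
        // Namespace segments are '/'-separated; each segment is encoded on its own.
        let segs: Vec<String> = ns
            .split('/')
            .filter(|seg| !seg.is_empty())
            .map(pct_encode)
            .collect();
        s.push_str(&segs.join("/"));
        s.push('/');
    }
    s.push_str(&pct_encode(p.name));
    s.push('@');
    s.push_str(&pct_encode(p.version));
    if !p.qualifiers.is_empty() {
        let mut q: Vec<(String, String)> = p
            .qualifiers
            .iter()
            .map(|(k, v)| (k.to_ascii_lowercase(), pct_encode(v)))
            .collect();
        q.sort();
        let joined: Vec<String> = q.iter().map(|(k, v)| format!("{}={}", k, v)).collect();
        s.push('?');
        s.push_str(&joined.join("&"));
    }
    s
}

/// Current output for a local (path) dependency: a download_url that is
/// just "file://." and identifies nothing outside the build machine.
pub fn current_form(name: &str, version: &str) -> String {
    build_purl(&CargoPurl {
        namespace: None,
        name,
        version,
        qualifiers: vec![("download_url", "file://.")],
    })
}

/// Proposed output: the owner goes into an optional namespace segment
/// and the meaningless qualifier is dropped.
pub fn proposed_form(namespace: Option<&str>, name: &str, version: &str) -> String {
    build_purl(&CargoPurl {
        namespace,
        name,
        version,
        qualifiers: vec![],
    })
}

fn main() {
    // Constructed sample values.
    println!("{}", current_form("my-internal-crate", "1.2.3"));
    println!("{}", proposed_form(Some("acme"), "my-internal-crate", "1.2.3"));
    println!("{}", proposed_form(None, "serde", "1.0.0"));
}
```

Running it prints the current form `pkg:cargo/my-internal-crate@1.2.3?download_url=file%3A%2F%2F.`, the proposed form `pkg:cargo/acme/my-internal-crate@1.2.3`, and for a crate without a namespace the unchanged `pkg:cargo/serde@1.0.0`.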

There was a lot of discussion around this in the PR that implemented this a while ago. This was the compromise we came up with.

https://cyclonedx.slack.com/archives/CVA0G10FN/p1698795100019359

I'm happy to reopen the discussion but I'm probably not the correct person to hold it as I lost track. Would you be able to jump on Slack and start it there?

We should bring the conclusion back here.

lfrancke avatar Feb 02 '24 12:02 lfrancke