
rewrite mapping nix packages to cpe identifiers

Open · henrirosten opened this issue 1 year ago · 1 comment

NVD plans to retire legacy data feeds on 09/2023: https://nvd.nist.gov/products/cpe

Currently, sbomnix uses the NVD "CPE Dictionary" in mapping the nix packages to CPE identifiers, see: https://github.com/tiiuae/sbomnix/blob/main/scripts/cpedict/update-cpedict.sh and https://github.com/tiiuae/sbomnix/blob/main/sbomnix/cpe.py.

We need to rethink how to properly do this in sbomnix to make it more accurate and so that it does not rely on the to-be-retired NVD data feed.

All suggestions or ideas how to improve the CPE mapping are welcome.

henrirosten, May 10 '23 09:05
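To make the accuracy concern in the issue concrete, here is an added example (not sbomnix code, and not the project's `cpe.py`) of a dictionary-based lookup: a constructed stand-in for a few CPE Dictionary entries is indexed by product, and a nix `pname`/version pair is mapped to every CPE 2.3 string whose product matches. Names like `CPE_DICT`, `build_index` and `cpe_candidates` are this example's own; when a product name appears under more than one vendor, the lookup returns several candidates, which is exactly the ambiguity that makes name-only mapping unreliable for vulnerability correlation.

```python
"""Toy CPE-dictionary lookup for nix packages (added example, not sbomnix code)."""
import re
from collections import defaultdict

# Constructed stand-in for a few NVD CPE Dictionary entries (CPE 2.3 formatted strings).
CPE_DICT = [
    "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:3.0.7:*:*:*:*:*:*:*",
    "cpe:2.3:a:gnu:bash:5.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:zlib:zlib:1.2.13:*:*:*:*:*:*:*",
    "cpe:2.3:a:rsync:rsync:3.2.7:*:*:*:*:*:*:*",
    "cpe:2.3:a:samba:rsync:3.2.7:*:*:*:*:*:*:*",  # same product, second vendor (constructed)
]

def split_cpe(cpe):
    """Split a CPE 2.3 formatted string on unescaped colons ('\\:' is data, not a separator)."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts

def normalize_pname(pname):
    """Fold a nix pname toward the CPE 'product' field: lowercase, whitespace/dashes -> '_'."""
    return re.sub(r"[\s-]+", "_", pname.strip().lower())

def build_index(dictionary):
    """product -> vendor -> {versions}: the lookup structure a dictionary-based mapping needs."""
    index = defaultdict(lambda: defaultdict(set))
    for cpe in dictionary:
        _, _, part, vendor, product, version, *_ = split_cpe(cpe)
        if part == "a":  # application entries only; skip 'o' (OS) and 'h' (hardware)
            index[product][vendor].add(version)
    return index

def cpe_candidates(pname, version, index):
    """All CPEs whose product equals the nix pname; more than one means the vendor is ambiguous."""
    product = normalize_pname(pname)
    # ':' and '\' must be escaped in a formatted string; '.', '-' and '_' are passed through.
    esc = version.replace("\\", "\\\\").replace(":", "\\:")
    return sorted(f"cpe:2.3:a:{vendor}:{product}:{esc}:*:*:*:*:*:*:*"
                  for vendor in index.get(product, {}))

def version_known(pname, version, index):
    """True only if the dictionary lists this exact product version for some vendor."""
    return any(version in vers for vers in index.get(normalize_pname(pname), {}).values())

if __name__ == "__main__":
    idx = build_index(CPE_DICT)
    for pkg in ("openssl", "rsync", "some-unknown-pkg"):
        print(pkg, cpe_candidates(pkg, "3.2.7", idx), version_known(pkg, "3.2.7", idx))
```

An unambiguous result still only means the name matched the dictionary; `version_known` shows whether the dictionary even lists that version, and a `False` there is a signal that the mapping, not the package, may be wrong.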