Investigate if custom registries should result in purl's with a different type from "cargo"

[amy-keibler]

From #226's

3. Is the purl standardized for Rust somewhere in the spec? What should the purl be for crates not distributed via crates.io?

The purl specification does not indicate a required type specific to Rust, beyond

type: the package "type" or package "protocol" such as maven, npm, nuget, gem, pypi, etc. Required.

Investigate what other CycloneDX tools are doing, particularly if they support private repositories. Rust supports private registries and indicates at a per-dependency level what registry it comes from, so we should be able to access this information if we want to use that as the purl's type for a dependency component and the [package]'s publish list for the package's component

[Shnatsel]

There is a dedicated qualifier for this:

repository_url is an extra URL for an alternative, non-default package repository or registry.

Source: https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#known-qualifiers-keyvalue-pairs

This is what is used in #523