
Fix PURL test failures, migrate cyclonedx-bom to purl crate #746

Merged
Shnatsel merged 7 commits into CycloneDX:main from Shnatsel:fix-purl
Jul 17, 2024

Conversation

@Shnatsel Shnatsel (Contributor) commented Jul 16, 2024

cargo cyclonedx

Drop our custom percent encoding machinery now that the purl crate implements this for us. This was one hell of a rabbit hole, and it is a testament to the quality of the purl crate that they are actually handling this nonsense correctly now.

Fixes #745

cyclonedx-bom

Migrate from the very incomplete packageurl to the purl crate already used by cargo cyclonedx. We used to have two different PURL crates in the tree; this brings the number back to one. Also provide a more informative error message on validation errors.

Fixes #636

This is all still semver-compatible, because the packageurl crate was never actually exposed to the outside world. But this is a PR against main because I cannot be bothered to backport this.
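To make the percent-encoding rabbit hole concrete, here is an added example written for this page; it is not code from cargo-cyclonedx, cyclonedx-bom, the purl crate or the packageurl crate. It is a minimal PURL builder and parser on `std` only. The encoding rule is this example's conservative reading of the purl-spec: every component is percent-encoded except RFC 3986 unreserved characters, so a separator (`@`, `?`, `#`, `/`, `&`, `=`) can never appear unencoded inside a component value, and the parser percent-decodes every component. The `Purl` struct, `encode`, `decode`, `to_purl_string` and `parse` are this example's own names.

```rust
// Added example (not cargo-cyclonedx, cyclonedx-bom, purl or packageurl code):
// a minimal PURL builder/parser on std only. The encoding rule is this
// example's conservative reading of purl-spec: encode everything that is not
// an RFC 3986 unreserved character, and decode every component when parsing.

#[derive(Debug, PartialEq, Eq)]
pub struct Purl {
    pub ptype: String,
    pub namespace: Vec<String>,            // one entry per '/' segment
    pub name: String,
    pub version: Option<String>,
    pub qualifiers: Vec<(String, String)>, // sorted by key when serialised
    pub subpath: Vec<String>,
}

/// Percent-encode all bytes except ALPHA / DIGIT / "-" / "." / "_" / "~".
/// Over-encoding round-trips through any conforming parser; leaving a
/// separator such as '@' or '?' unencoded inside a component changes the split.
pub fn encode(component: &str) -> String {
    let mut out = String::with_capacity(component.len());
    for b in component.bytes() {
        if b.is_ascii_alphanumeric() || b"-._~".contains(&b) {
            out.push(b as char);
        } else {
            out.push_str(&format!("%{b:02X}"));
        }
    }
    out
}

/// Decode %XX escapes; truncated/non-hex escapes and non-UTF-8 output are errors.
pub fn decode(component: &str) -> Result<String, String> {
    let bytes = component.as_bytes();
    let (mut out, mut i) = (Vec::with_capacity(bytes.len()), 0);
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = bytes.get(i + 1..i + 3).ok_or("truncated percent escape")?;
            let hex = std::str::from_utf8(hex).map_err(|_| "bad percent escape")?;
            out.push(u8::from_str_radix(hex, 16).map_err(|_| "bad percent escape")?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).map_err(|_| "component is not valid UTF-8".to_string())
}

impl Purl {
    /// Serialise as pkg:type/ns/name@version?k=v#sub/path, encoding each component.
    pub fn to_purl_string(&self) -> String {
        let mut s = format!("pkg:{}/", self.ptype.to_ascii_lowercase());
        for seg in &self.namespace {
            s.push_str(&encode(seg));
            s.push('/');
        }
        s.push_str(&encode(&self.name));
        if let Some(v) = &self.version {
            s.push_str(&format!("@{}", encode(v)));
        }
        if !self.qualifiers.is_empty() {
            let mut q: Vec<(String, &String)> =
                self.qualifiers.iter().map(|(k, v)| (k.to_ascii_lowercase(), v)).collect();
            q.sort(); // canonical form orders qualifiers by key
            let q: Vec<String> = q.iter().map(|(k, v)| format!("{k}={}", encode(v))).collect();
            s.push_str(&format!("?{}", q.join("&")));
        }
        if !self.subpath.is_empty() {
            let p: Vec<String> = self.subpath.iter().map(|x| encode(x)).collect();
            s.push_str(&format!("#{}", p.join("/")));
        }
        s
    }

    /// Parse by splitting separators off the right, as the spec prescribes,
    /// then decoding each component. Errors quote the offending input.
    pub fn parse(input: &str) -> Result<Purl, String> {
        let rest = input.strip_prefix("pkg:").ok_or(format!("`{input}` lacks the pkg: scheme"))?;
        let (rest, subpath) = rest.rsplit_once('#').unwrap_or((rest, ""));
        let (rest, quals) = rest.rsplit_once('?').unwrap_or((rest, ""));
        let (rest, version) = match rest.rsplit_once('@') {
            Some((r, v)) => (r, Some(decode(v)?)),
            None => (rest, None),
        };
        let mut segs: Vec<&str> = rest.split('/').filter(|s| !s.is_empty()).collect();
        if segs.len() < 2 {
            return Err(format!("`{input}` needs at least a type and a name"));
        }
        let name = decode(segs.pop().unwrap())?;
        let ptype = segs.remove(0).to_ascii_lowercase();
        let namespace = segs.iter().map(|s| decode(s)).collect::<Result<Vec<_>, _>>()?;
        let mut qualifiers = Vec::new();
        for pair in quals.split('&').filter(|p| !p.is_empty()) {
            let (k, v) = pair.split_once('=').ok_or(format!("qualifier `{pair}` has no `=`"))?;
            if !v.is_empty() {
                qualifiers.push((k.to_ascii_lowercase(), decode(v)?));
            }
        }
        let subpath = subpath.split('/')
            .filter(|s| !s.is_empty() && *s != "." && *s != "..")
            .map(decode).collect::<Result<Vec<_>, _>>()?;
        Ok(Purl { ptype, namespace, name, version, qualifiers, subpath })
    }
}
```

The interoperability point is asymmetric: an encoder that escapes too much is harmless, because a conforming parser must percent-decode every component anyway, while an encoder that leaves a separator unescaped produces a string that other tools split differently. The npm scope `@angular` is the classic case: serialised as `%40angular` it round-trips unambiguously, whereas an unencoded `pkg:npm/@angular/core` without a version is split at the scope's `@` and fails to parse, so the same package gets different identities depending on which library wrote the string.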

@Shnatsel Shnatsel requested a review from a team as a code owner July 16, 2024 09:18
Shnatsel added 7 commits July 16, 2024 10:19
…onstructor

Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
…just use the `purl` crate.

Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
… for us

Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@lfrancke (Contributor)

Thank you for this. It looks good to me.

Should phylum-dev/purl#11 be closed if it's handled now?
They don't seem to have a changelog or release notes but I do see upstream commits on this.

@Shnatsel (Contributor, Author)

Good point, I closed the upstream issue.

@Shnatsel Shnatsel merged commit 00c6f77 into CycloneDX:main Jul 17, 2024
@pombredanne

@Shnatsel hey, can you tell me more about the purl vs. the packageurl crates? (My interest is as the creator of the PURL spec ;) )

@Shnatsel Shnatsel (Contributor, Author) commented Oct 29, 2024

@pombredanne as of this PR, the purl crate was a lot more complete, actively maintained, and had a lot more effort put into correctness. For example, when I brought up strange percent encoding on their bug tracker, the authors investigated it in detail and eventually opened this PR against the spec: package-url/purl-spec#261

(I'd appreciate if you could take a look at that PR, it's a major interoperability hazard)

Meanwhile the packageurl crate had been effectively abandoned for some time by the time this PR was opened. Since then @ctron has gotten commit rights and revived it, but I don't know what direction they're taking it in, or what its current state is.



Development

Successfully merging this pull request may close these issues:
cargo cyclonedx tests fail after upgrading to purl 0.1.3
Switch from packageurl to purl crate
