CPE definition on pkg.Package is coupled to an external package as a type alias

[wagoodman]

Today we have the CPEs field on the pkg.Package struct:

syft/syft/pkg/package.go

Line 28 in c5d15d1

CPEs []cpe.CPE `hash:"ignore"` // all possible Common Platform Enumerators (note: this is NOT included in the definition of the ID since all fields on a CPE are derived from other fields)

However, the cpe.CPE definition is a type alias:

syft/syft/cpe/cpe.go

Line 11 in c5d15d1

type CPE = wfn.Attributes

This isn't good for a couple of reasons:

• type aliases are really intended for making refactors easier, not for permanently defining a type
• the underlying type behavior or shape can change out from underneath us without warning

Ideally we should have an internal type that represents a CPE and has the basic functionality we need within syft. Downstream consumers (such as grype) that require additional behaviors (e.g. CPE matching or comparison) should use abstractions to protect against direct use of the upstream wfn package.

[willmurphyscode]

I think that making an identically laid out struct that Syft controls, and wrapping the type conversion in helper methods will prevent us from having break changes here. Example conversion: https://go.dev/play/p/f5VDwwTYBb8.