Support for repository_url and vcs_url in purl field

[vaaralav]

It would be great if packages that are installed from non-NPM origin had the information in their purl.

For example

npm install git+ssh://git@github.com:npm/cli.git#v1.0.27

Would create a component with purl pkg:npm/cli@1.0.27?vcs_url=git+git+ssh://git@github.com:npm/cli.git#v1.0.27

Similarly repository_url could be added for packages installed from custom registries.

[stevespringett]

Do you know of a way that npm will return the repo in which the component was resolved from?

For example, an org has an internal Artifactory or Nexus repo they resolve all npm components from. CycloneDX would need to be able to identify the components that are accessible in the public npm repo (even if they also exist in a private repo) from the components that only reside in an alternate repo (artifactor/nexus or some other non-npm repo).

[jkowalleck]

this feature was implemented in https://github.com/CycloneDX/cyclonedx-node-npm/
please switch to the NPM flavour of this package.