
Add cpe identifiers to OS products #2525

Merged
merged 2 commits into from
Feb 18, 2023

Conversation

noqcks
Contributor

@noqcks noqcks commented Feb 16, 2023

After the discussion in purl-spec around adding an os candidate type was rejected, I got to thinking about what identifiers we could use to match OS releases.

@captn3m0 mentioned using CPEs in Integrate with the SBOM Ecosystem #763

Steve Springett mentioned using the PURL swid type in this comment

I think that endoflife.date could support both. But the only thing to note about the swid type in the purl spec is that the qualifier tag_id is NOT optional. This is the only qualifier I'm aware of that's not optional. I think that because of this, matching on swid would be much more difficult than matching on CPEs, if we wanted to remain compliant with purl-spec (probably should).

So, in order to find some kind of path forward, I added this PR, which adds CPE 2.2 and 2.3 identifiers for different operating systems. Most of these CPEs I grabbed from syft.

The identifier I added looks like - cpe: <cpe2.2> or - cpe: <cpe2.3>, but we could also namespace according to CPE version in the key, such as - cpe22 or - cpe23. Looking for your feedback.

Signed-off-by: Benji Visser <benji@093b.org>
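To show what matching on the recorded identifiers looks like, here is an added example (not code from this PR or from endoflife.date) that reduces a CPE 2.2 URI and a CPE 2.3 formatted string to one comparable key and looks up a release by it. The release entries, CPE strings and the `find_release` helper are constructed for illustration.

```python
import re

# Constructed endoflife.date-style release entries; the product names,
# cycles and CPE strings are sample values for this example only.
RELEASES = [
    {"product": "ubuntu", "cycle": "22.04",
     "cpe": ["cpe:/o:canonical:ubuntu_linux:22.04",
             "cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:*:*:*:*"]},
    {"product": "debian", "cycle": "11",
     "cpe": ["cpe:/o:debian:debian_linux:11.0",
             "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"]},
]

def parse_cpe(cpe: str) -> tuple:
    """Reduce a CPE 2.2 URI (cpe:/part:vendor:product:version...) or a
    CPE 2.3 formatted string (cpe:2.3:part:vendor:product:version:...)
    to the tuple (part, vendor, product, version). Empty or missing
    fields become '*', so both forms of one release compare equal."""
    if cpe.startswith("cpe:2.3:"):
        body = cpe[len("cpe:2.3:"):]
    elif cpe.startswith("cpe:/"):
        body = cpe[len("cpe:/"):]
    else:
        raise ValueError(f"not a CPE 2.2 or 2.3 identifier: {cpe!r}")
    # CPE 2.3 escapes a literal colon as '\:', so split only on unescaped ones.
    fields = [f or "*" for f in re.split(r"(?<!\\):", body)] + ["*"] * 4
    part, vendor, product, version = fields[:4]
    return (part, vendor.lower(), product.lower(), version)

def cpe_matches(query: str, recorded: str) -> bool:
    """True when both identifiers name the same OS release. A '*' version
    on either side matches any version (ANY in CPE terms)."""
    q, r = parse_cpe(query), parse_cpe(recorded)
    return q[:3] == r[:3] and (q[3] == r[3] or "*" in (q[3], r[3]))

def find_release(query_cpe: str):
    """Return the first release entry whose recorded CPE (2.2 or 2.3)
    matches the CPE reported for an installed OS, or None."""
    for release in RELEASES:
        if any(cpe_matches(query_cpe, recorded) for recorded in release["cpe"]):
            return release
    return None

if __name__ == "__main__":
    hit = find_release("cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:*:*:*:*")
    print(hit["product"], hit["cycle"])
```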
@captn3m0
Member

This is great!

There are a few collections of os-release files on the internet that might be helpful. https://github.com/chef/os_release is one, and I think @woodruffw also maintains a better one somewhere - I can't find a link to it right now.

Another one here: https://gist.github.com/natefoo/814c5bf936922dad97ff


@captn3m0 captn3m0 left a comment


Merging this in favor of multiple small PRs for this effort to avoid one-large-PR which might face conflicts.

@captn3m0 captn3m0 merged commit 66f2b34 into endoflife-date:master Feb 18, 2023
@woodruffw

There are a few collections of os-release files on the internet that might be helpful. https://github.com/chef/os_release is one, and I think @woodruffw also maintains a better one somewhere - I can't find a link to it right now.

It's possible, but I don't actually remember maintaining one 😅

@noqcks
Contributor Author

noqcks commented Feb 20, 2023

I believe I found the collection of os-release files you were looking for @captn3m0 https://github.com/nexB/container-inspector/tree/main/tests/data/distro/os-release

@marcwrobel marcwrobel added the product-updates Product content updates that are not fixes nor releases updates label Aug 19, 2023