CVEProject / automation-working-group

CVE Automation Working Group
https://www.cve.org/ProgramOrganization/WorkingGroups#AutomationWorkingGroupAWG

collectionURL proposal #94

Closed chandanbn closed 4 years ago

chandanbn commented 4 years ago

Replace package_ecosystem with a more flexible, future-proof collectionURL, with examples of popular software package repos.

A hardcoded enum of short names for popular package ecosystems has a few shortcomings:

The CVE Quality working group discussed various alternatives and recommends replacing the current package_ecosystem definition with collectionURL.

This proposal does not exclude the use of other software identifying information such as PURL/SPDX/SWID.

chandanbn commented 4 years ago

package_name and package_ecosystem also need to be removed from the required array of product. I assume collectionURL should be required too?

Can we also add some notes on why this is replacing package_ecosystem for those not subscribed to the AWG mailing list where it was discussed?

Otherwise, lgtm!

Fixed the required definitions.

collectionURL should be optional as not every product is delivered via a well structured package repository.
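As an added illustration of the schema decisions in this thread (this is example code written for this page, not code from the PR or from the CVE schema repository), the following hypothetical JSON Schema fragment for `product` drops `package_ecosystem`, keeps `package_name` and `collectionURL` optional, requires `collectionURL` to be an absolute URI, and lists a few popular package repositories as examples. The field names, the `vendor`/`product` required pair, the example URLs and the small hand-written checker are all assumptions made for this example; the checker covers only the JSON Schema keywords used in the fragment, not the full specification.

```python
from urllib.parse import urlparse

# Hypothetical product fragment constructed for this example. It is not the
# project's schema; field names and required keys are assumptions.
PRODUCT_SCHEMA = {
    "type": "object",
    "properties": {
        "vendor": {"type": "string"},
        "product": {"type": "string"},
        # Optional: only meaningful together with collectionURL.
        "package_name": {"type": "string"},
        # Optional: not every product ships through a package repository.
        "collectionURL": {
            "type": "string",
            "format": "uri",
            "examples": [  # constructed examples of popular package repos
                "https://registry.npmjs.org/",
                "https://pypi.org/",
                "https://rubygems.org/",
            ],
        },
    },
    "required": ["vendor", "product"],
    # No additional keys, so the removed package_ecosystem enum is rejected.
    "additionalProperties": False,
}


def _is_absolute_uri(value: str) -> bool:
    """Accept only URIs with both a scheme and a host, e.g. https://pypi.org/."""
    parts = urlparse(value)
    return bool(parts.scheme) and bool(parts.netloc)


def validate_product(obj, schema=PRODUCT_SCHEMA):
    """Return a list of error strings; an empty list means obj is valid.

    Implements just the subset of JSON Schema the fragment above uses:
    required, type: string, format: uri and additionalProperties: false.
    """
    if not isinstance(obj, dict):
        return ["product must be a JSON object"]
    errors = []
    for key in schema["required"]:
        if key not in obj:
            errors.append(f"missing required property '{key}'")
    props = schema["properties"]
    for key, value in obj.items():
        if key not in props:
            if not schema.get("additionalProperties", True):
                errors.append(f"unknown property '{key}'")
            continue
        spec = props[key]
        if spec["type"] == "string" and not isinstance(value, str):
            errors.append(f"'{key}' must be a string")
            continue
        if spec.get("format") == "uri" and not _is_absolute_uri(value):
            errors.append(f"'{key}' must be an absolute URI")
    return errors


if __name__ == "__main__":
    # Constructed sample records exercising the decisions from the thread.
    samples = [
        # Packaged product: collectionURL identifies the repo, package_name the package.
        {"vendor": "ExampleCorp", "product": "widget",
         "collectionURL": "https://pypi.org/", "package_name": "widget"},
        # Product not delivered via a package repository: collectionURL omitted.
        {"vendor": "ExampleCorp", "product": "widget-appliance"},
        # Old-style record still using the removed enum field.
        {"vendor": "ExampleCorp", "product": "widget", "package_ecosystem": "npm"},
        # Short ecosystem name where a URI is expected.
        {"vendor": "ExampleCorp", "product": "widget", "collectionURL": "npm"},
    ]
    for record in samples:
        print(record, "->", validate_product(record) or "valid")
```

Keeping `collectionURL` optional matches the last comment in the thread, while the `format: uri` check is what gives the field its advantage over the old enum: a consumer can compare or dereference a full repository URL, whereas a free-form short name such as `npm` carries no such meaning and is rejected here.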