Create repo purls for GIT ecosystem ranges

[bwt-sloanj]

The CVE ID
https://osv.dev/vulnerability/CVE-2019-25219

Describe the data quality issue observed
PURL entries are provided for the Debians. The Git repo could also have a PURL, in this case: pkg:generic/github.com/chriskohlhoff/asio@asio-x-y-z where the version comes from the tagging scheme used in that repo.

Suggested changes to record
Add a PURL for the Git repo. This supports the use case where the code is being packaged directly by the consumer, as opposed to installed via the Debian.

[github-actions]

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

[jess-lowe]

Hi @bwt-sloanj, thanks for reporting! While we definitely agree that pURLs would be very useful, we are beholden to the data we get from upstream sources. In this case, the upstream source is the NVD, which do not provide pURLs currently.

We would love to accept a contribution for a reliable and scalable pURL converter for git repositories if anyone were willing to attempt it :)