Description
When computing LinuxComponent Id, the distro release is included:
```csharp
protected override string ComputeBaseId() => $"{this.Distribution} {this.Release} {this.Name} {this.Version} - {this.Type}";
```
But it is not included in the Purl:
```csharp
return new PackageURL(packageType, this.Distribution, this.Name, this.Version, null, null);
```
This means that the component Id identifies packages more precisely than the Purl. However, since the component Id is not persisted to the SBOM (the Purl is), it can't be used directly for deduplication, round-tripping, or downstream resolution of packages. The Purl could be used, but it doesn't match the precision of the component Id, so it could over-match.
One possibility - and I think this is what Syft does - would be to attach a distro qualifier to the Purl:
pkg:deb/ubuntu/curl@7.68.0?distro=ubuntu-20.04
Perhaps another approach would be to simply flow through the Syft-composed Purl.
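To make the over-matching concrete, here is an added example (not component-detection's code, and in Python rather than the project's C#) that models the two identifiers side by side. `LinuxComponent`, `parse_purl`, `distinct_keys` and the sample package list are all constructed for this illustration; the `distro=<distribution>-<release>` qualifier layout is assumed from the Syft-style Purl quoted above. It shows that keying a dedup pass on the bare Purl collapses two distinct packages, that the qualifier restores the Id's precision, and that only the qualified Purl can be round-tripped back into a component with its release intact.

```python
from dataclasses import dataclass
from urllib.parse import quote, unquote


@dataclass(frozen=True)
class LinuxComponent:
    """Minimal stand-in for component-detection's LinuxComponent (hypothetical, for illustration)."""
    distribution: str
    release: str
    name: str
    version: str
    type: str = "Linux"

    def base_id(self) -> str:
        # Same shape as the ComputeBaseId quoted in the issue: the release is part of the Id.
        return f"{self.distribution} {self.release} {self.name} {self.version} - {self.type}"

    def purl(self, package_type: str = "deb", include_distro: bool = False) -> str:
        # Each component is percent-encoded as the purl spec requires; '.' and '-' stay literal.
        namespace = quote(self.distribution.lower(), safe="")
        name = quote(self.name, safe="")
        version = quote(self.version, safe="")
        p = f"pkg:{package_type}/{namespace}/{name}@{version}"
        if include_distro:
            # Assumed qualifier layout "<distribution>-<release>", as in the Syft-style example.
            p += "?distro=" + quote(f"{self.distribution.lower()}-{self.release}", safe="")
        return p

    @classmethod
    def from_purl(cls, p: str) -> "LinuxComponent":
        """Reconstruct a component from a purl; fails if the distro qualifier is absent."""
        parts = parse_purl(p)
        distro = parts["qualifiers"].get("distro")
        if distro is None:
            raise ValueError("purl carries no distro qualifier; release cannot be recovered")
        prefix = parts["namespace"] + "-"
        if not distro.startswith(prefix):
            raise ValueError(f"distro qualifier {distro!r} does not match namespace")
        return cls(parts["namespace"], distro[len(prefix):], parts["name"], parts["version"])


def parse_purl(p: str) -> dict:
    """Split a purl into type, namespace, name, version and qualifiers (subpath is dropped)."""
    if not p.startswith("pkg:"):
        raise ValueError("not a purl")
    body = p[len("pkg:"):].partition("#")[0]  # subpath, if any, follows '#'
    body, _, query = body.partition("?")
    qualifiers: dict[str, str] = {}
    if query:
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            qualifiers[key.lower()] = unquote(value)
    path, at, version = body.rpartition("@")  # a literal '@' in the name would be %40
    if not at:
        path, version = body, ""
    ptype, _, rest = path.partition("/")
    segments = [unquote(s) for s in rest.split("/") if s]
    return {
        "type": ptype.lower(),
        "namespace": "/".join(segments[:-1]),
        "name": segments[-1],
        "version": unquote(version),
        "qualifiers": qualifiers,
    }


def distinct_keys(components, key) -> set[str]:
    """The size of this set is what a dedup pass keyed on `key` would keep."""
    return {key(c) for c in components}


# Constructed sample: one curl version packaged for two Ubuntu releases, plus a newer build.
SAMPLE = [
    LinuxComponent("ubuntu", "20.04", "curl", "7.68.0"),
    LinuxComponent("ubuntu", "22.04", "curl", "7.68.0"),
    LinuxComponent("ubuntu", "22.04", "curl", "7.81.0"),
]

if __name__ == "__main__":
    by_id = distinct_keys(SAMPLE, LinuxComponent.base_id)
    by_purl = distinct_keys(SAMPLE, LinuxComponent.purl)
    by_qualified = distinct_keys(SAMPLE, lambda c: c.purl(include_distro=True))
    print(len(by_id), len(by_purl), len(by_qualified))  # 3 2 3: the bare purl over-matches
    for c in SAMPLE:
        assert LinuxComponent.from_purl(c.purl(include_distro=True)) == c
```

The parser is deliberately lenient about case and encoding so that it also accepts Purls produced by other tools; a consumer that needs to reject malformed input should validate the `type` and namespace against the purl-spec rules for that ecosystem rather than trusting this split.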