Use PURL in VersionAPIs

[keshav-space]

It's time we start using PURL instead of ambiguous pkg package_name in VersionAPIs

https://github.com/nexB/vulnerablecode/blob/d0aba2097c800fe137661fbe174b1b4a32c4907b/vulnerabilities/package_managers.py#L108-L113

>>> PypiVersionAP.fetch("django")
>>> ComposerVersionAPI().fetch("typo3/cms-core")
>>> MavenVersionAPI().fetch("org.apache:kafka"))
>>> GoproxyVersionAPI().fetch("github.com/FerretDB/FerretDB")
>>> NugetVersionAPI().fetch("Exfat.Ntfs")
>>> GitHubTagsAPI().fetch("nexB/scancode-toolkit")

This would provide a standardized and unambiguous way of invoking fetch() method across different VersionAPIs.

[pombredanne]

Yes! and eventually these should be in FetchCode

[AlekSi]

Uh-oh, is FerretDB vulnerable?

[keshav-space]

Completed in aboutcode-org/fetchcode#93 and #1354.
Also code for fetching all package version is consolidated in FetchCode https://github.com/aboutcode-org/fetchcode/blob/master/src/fetchcode/package_versions.py and the new API based on PURL.

fetchcode.package_versions.versions(<PackageURL>)