Simplify purls for Cargo

[chmeliik]

Looking at the purls that Hermeto generates for Cargo packages, I was surprised to see that even the "happy path" case (a normal dependency from the default crates.io registry) gets a complicated purl:

pkg:cargo/data-encoding@2.7.0?checksum=0e60eed09d8c01d3cee5b7d30acb059b76614c918fa0f992e0dd6eeb10daad6f&source=registry%2Bhttps://github.com/rust-lang/crates.io-index

• The checksum qualifier should not be necessary for registry dependencies. See also Add checksums as qualifiers to PURLs for those PMs which support them #852 (comment)
• The source qualifier is strange. The purl-spec does not mention it either in the Known qualifiers section or the cargo-specific section. We should avoid making up our own qualifiers and instead use download_url, vcs_url or repository_url as appropriate
• In this case, the repository_url qualifier would be unnecessary anyway, since the package comes from the default registry

To summarize, I think Cargo purls should:

• drop checksum
• replace source with one of repository_url, vcs_url or download_url depending on context
• not use repository_url when not necessary

[chmeliik]

Noticed that yarn-classic purls similarly include more qualifiers than necessary. If you agree with the changes proposed in this issue, I'll open a new one for yarn-classic

[eskultety]

To summarize, I think Cargo purls should:

* drop `checksum`

Not the greatest compatibility move IMO.

* replace `source` with one of `repository_url`, `vcs_url` or `download_url` depending on context

Definitely.

* not use `repository_url` when not necessary

Definitely.