
Infer Package URL from references and other references issues for "commitish" URLs  #327

Open
@pombredanne

Description


In some cases it may be possible to infer new package URLs from collected references. In this CVE-2014-1904.pdf we have these:

  1. these are duplicates (even though they look different) and the two later ones are obsolete/dead
  2. they represent a Package URL:
    spring-projects/spring-framework@741b4b2 means pkg:github/spring-projects/spring-framework@741b4b229ae032bd17175b46f98673ce0bd2d485

We may be able to get the Package URL (both the python packageurl and @TG1999 FetchCode may help for this inference).
And this is also a clear source commit information (though I am not sure if these are the commits that fixed or introduced the vuln... and as explained in #326 the data provenance is hard to trace).

I cannot easily debug this issue because of the lack of logging and history trail. I would need to be able to trace for each record the original data source and data it came from. That does not need to be easy, but would need to be possible. Today it is neither easy nor possible AFAIK.
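One way to do the inference described in the issue, as an added example that is not code from the project or the issue author: it parses the two reference shapes assumed here (a GitHub commit URL and the `owner/repo@sha` shorthand), merges references that differ only in sha abbreviation, and emits a `pkg:github/...` purl; the sample references are constructed from the commit quoted above.

```python
import re
from dataclasses import dataclass

# Two reference shapes assumed for this example: a GitHub commit URL and the
# "owner/repo@sha" shorthand quoted in the issue. Anything else is ignored.
COMMIT_URL_RE = re.compile(
    r"^https?://github\.com/([^/]+)/([^/]+)/commit/([0-9a-f]{7,40})/?$", re.I)
SHORT_REF_RE = re.compile(
    r"^([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)@([0-9a-f]{7,40})$", re.I)


@dataclass(frozen=True)
class CommitRef:
    owner: str
    repo: str
    sha: str  # may be abbreviated (7 to 40 hex chars)


def parse_commit_ref(ref):
    """Return a CommitRef for a recognised reference, else None.
    Owner and repo are lowercased because the purl github type is case-insensitive."""
    for rx in (COMMIT_URL_RE, SHORT_REF_RE):
        m = rx.match(ref.strip())
        if m:
            owner, repo, sha = m.groups()
            if repo.endswith(".git"):
                repo = repo[:-4]
            return CommitRef(owner.lower(), repo.lower(), sha.lower())
    return None


def dedupe(refs):
    """Merge references to the same commit: an abbreviated sha that is a prefix of a
    longer sha for the same repo is the same commit. Longest sha wins, so the purl
    carries the full sha whenever any reference supplied it. Renamed repos are NOT merged."""
    parsed = [r for r in map(parse_commit_ref, refs) if r]
    merged = []
    for r in sorted(parsed, key=lambda c: -len(c.sha)):
        if not any((m.owner, m.repo) == (r.owner, r.repo) and m.sha.startswith(r.sha)
                   for m in merged):
            merged.append(r)
    return merged


def infer_purls(refs):
    return [f"pkg:github/{r.owner}/{r.repo}@{r.sha}" for r in dedupe(refs)]


# Constructed sample: the same commit referenced twice (full and abbreviated) plus an
# unrelated reference that yields no purl.
SAMPLE_REFS = [
    "https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485",
    "spring-projects/spring-framework@741b4b2",
    "https://example.invalid/advisory/CVE-2014-1904",
]
```

An abbreviated sha is only a prefix, so when no full sha is present the resulting purl is a best-effort identifier and the record should retain the original reference it came from.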
