Use purl for carrying around package informations

[pombredanne]

In https://github.com/nexB/vulnerablecode/blob/24e33966bae6124e381556e520e18f1129c352fc/vulnerabilities/package_managers.py#L213 there is a new syntax where we use things such as "org.apache.org:tomcat" to pass Package URL-like data around. We should instead use either a purl string or a PackageURL object

[DennisClark]

The current depth and breadth of this problem is not clear, and could benefit from a volunteer to research it for better details.