better support for non-default/local/internal package sources

[jkowalleck]

packages may come from local sources.
packages may come from alternative registries.

acc / crit

• local components are marked with relative: true, path: /path/to/pod
• the PURL should have a qualifier to indicate the non-default package registry
  • spec via a qualifier from https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#known-qualifiers-keyvalue-pairs
  • caused add support for additional qualifiers  package-url/packageurl-php#54
  • reminder: don't add "default" PURL qualifiers. (if such a thing exists)
• there must be a switch to have "short" PURLs - for reasons like feat: CLI switch to omit PURL qualifiers cyclonedx-node-npm#225
• the demo for "local" is updated

example source data

• in this case, the composer.lock file would look like this

  {
  "packages": [
  {
              "name": "cyclonedx-demo/local-demo-dependency",
              "version": "1.33.7",
              "dist": {
                  "type": "path",
                  "url": "packages/local-demo-dependency",
                  "reference": "some-hash"
              },
              "type": "library",
              "description": "a package that is hosted locally and required in a local demo",
              "transport-options": {
                  "relative": true
              }
          }
  ]
  }

• see the example from [BUG] SBOM generation does not find right purl with wordpress composer installation #324 which installs from an alternative registry.
  Unfortunately, composer does not give any evidence for non-standard package registries, so this is currently not detectable properly. Maybe with a later version of composer -- need to investigate further.