@maennchen
Owner
Motivation

BEAM projects regularly depend on OTP applications that are themselves
missing from any package manager:

  • The Erlang/OTP runtime shipped by a Linux distro is often outdated.
    Teams pin a newer runtime built with kerl or asdf, or bundle it in
    their release artefact.
  • Core language tooling (e.g. Elixir, Rebar3, Hex) is an OTP
    application too, yet it is rarely delivered by system package managers.
  • Because these components do not come from Hex, their SBOM entry cannot
    be a hex purl; nor can it be a distro purl such as deb, rpm, alpm.

Today we have to fall back to a generic or VCS purl, which loses precision
(versioned app vs. tag/commit, selective patching, etc.).
The otp purl type fills this gap.

Decision flow

When a tool can emit only one purl per package (e.g. GitHub Dependency
Graph), follow this flowchart:

```mermaid
flowchart TD
    PM{"From Package Manager?
    rebar3 / mix"}
    OSPM{"From OS Package Manager?"}
    SCM{"Source (SCM)?"}
    GH["pkg:github/{owner}/{repo}"]
    BB["pkg:bitbucket/{owner}/{repo}"]
    Specific["pkg:{type}..."]
    PossiblyOtp{"OTP App?"}
    OTP["pkg:otp/{name}@{version}?vcs_url=git+https://{git}"]
    Generic["pkg:generic/...?vcs_url=git+https://{git}"]
    Hex["pkg:hex/{name}@{version}"]
    Git["Git"]
    OS["pkg:{alpm|deb|rpm}/..."]

    PM -- Yes --> SCM
    PM -- No --> OSPM
    OSPM -- No --> OTP
    OSPM -- Yes --> OS
    SCM -- Hex.SCM --> Hex
    SCM -- Mix.SCM.Git --> Git
    Git -- GitHub --> GH
    Git -- Bitbucket --> BB
    Git -- Other Specific --> Specific
    Git -- None --> PossiblyOtp
    SCM -- Mix.SCM.Path --> PossiblyOtp
    PossiblyOtp -- No --> Generic
    PossiblyOtp -- Yes --> OTP
```

When multiple purls can be recorded (e.g. SPDX, CycloneDX) you may attach
both the otp purl and an additional purl (Git, GitHub, checksum, …) for
maximum traceability.

Summary of the new type

| Field      | Rule                                                              |
|------------|-------------------------------------------------------------------|
| type       | `otp`                                                             |
| namespace  | unused – must be empty                                            |
| name       | OTP application name (from `.app`), lower‑cased                   |
| version    | Application version (`vsn`)                                       |
| qualifiers | `platform`, `arch`, plus generic qualifiers (`repository_url`, …) |
| subpath    | May reference a file/dir inside the application                   |

Prefer hex when you can
If the package truly originates from a Hex repo, emit a hex purl instead of
otp. Hex’s global namespace all but eliminates name collisions.

Concrete examples

```text
pkg:otp/[email protected]?platform=linux&arch=amd64&\
repository_url=https://github.com/erlang/otp&\
vcs_url=git+https://github.com/erlang/otp.git

pkg:otp/[email protected]?repository_url=https://github.com/erlang/otp&\
vcs_url=git+https://github.com/erlang/otp.git

pkg:otp/[email protected]?platform=darwin&arch=x86_64&\
repository_url=https://github.com/erlang/otp&\
vcs_url=git+https://github.com/erlang/otp.git

pkg:otp/[email protected]?repository_url=https://github.com/elixir-lang/elixir&\
vcs_url=git+https://github.com/elixir-lang/elixir.git

pkg:otp/[email protected]?repository_url=https://github.com/erlang/rebar3&\
vcs_url=git+https://github.com/erlang/rebar3.git

pkg:otp/[email protected]?repository_url=https://github.com/hexpm/hex&\
vcs_url=git+https://github.com/hexpm/hex.git
```

@maennchen
Owner Author

Real PR: package-url#472

@maennchen maennchen closed this May 19, 2025