rewrite mapping nix packages to cpe identifiers

[henrirosten]

NVD plans to retire legacy data feeds on 09/2023: https://nvd.nist.gov/products/cpe

Currently, sbomnix uses NVD "CPE Dictionary" in mapping the nix pakcages to CPE identifiers, see: https://github.com/tiiuae/sbomnix/blob/main/scripts/cpedict/update-cpedict.sh and https://github.com/tiiuae/sbomnix/blob/main/sbomnix/cpe.py.

We need to rethink how to properly do this in sbomnix to make it more accurate and so that it does not rely on the to-be-retired NVD data feed.

All suggestions or ideas how to improve the CPE mapping are welcome.

[henrirosten]

PR #71 partly resolves this issue, removing the dependency to to-be-retired legacy NVD json database.

Second part of this issue, i.e. making the CPE mapping more accurate still needs work, therefore, leaving this issue open but removing the priority label for now.