Jamie Tanna authored
When importing SBOMs, we consume the Package URL (pURL) and take the parts of it that we want to keep, but then throw away the rest.

Instead of doing this, we should make it available in the database, where it can then be retrieved and further processed.

This allows us to take more complex pURLs like:

pkg:rpm/redhat/xz-libs@5.2.4-4.el8_6?arch=x86_64&distro=redhat-8.6
pkg:deb/debian/login@1:4.8.1-1?arch=arm64

And then we're able to perform more complex processing on them.

This is a breaking change due to the definition in https://dmd.tanna.dev/concepts/compatible-since/:

> Introducing a required column, which doesn't have a default

In which we've added the `package_url` field, so need to appropriately note that this is a breaking change.

This also requires refactoring the parameter to `newSBOMDependenciesQuery` as it's no longer getting a full SBOM row, as we don't query the `package_url`.

Closes #528.
ccb812f4
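
An added example, not code from this commit or from the project: a sketch in Go of the further processing that a stored pURL allows, recovering the `arch` and `distro` qualifiers that are lost when only selected parts are kept. The `PURL` type and `ParsePURL` function are hypothetical names chosen for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

type PURL struct { // illustrative type for this example, not the project's schema
	Type, Namespace, Name, Version string
	Qualifiers                     map[string]string
}

// ParsePURL splits a pURL right to left (qualifiers, version, name); subpaths ("#...") are out of scope.
func ParsePURL(raw string) (PURL, error) {
	p := PURL{Qualifiers: map[string]string{}}
	if !strings.HasPrefix(raw, "pkg:") {
		return p, fmt.Errorf("not a pURL: %q", raw)
	}
	rest := strings.TrimLeft(raw[len("pkg:"):], "/")
	if i := strings.LastIndex(rest, "?"); i >= 0 {
		for _, kv := range strings.Split(rest[i+1:], "&") {
			parts := strings.SplitN(kv, "=", 2)
			if len(parts) != 2 || parts[1] == "" {
				continue // an empty value is treated as an absent qualifier
			}
			v, err := url.PathUnescape(parts[1])
			if err != nil {
				return p, fmt.Errorf("qualifier %q: %w", parts[0], err)
			}
			p.Qualifiers[strings.ToLower(parts[0])] = v
		}
		rest = rest[:i]
	}
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		p.Version, rest = rest[i+1:], rest[:i]
	}
	segs := strings.Split(rest, "/")
	if len(segs) < 2 || segs[0] == "" || segs[len(segs)-1] == "" {
		return p, fmt.Errorf("pURL %q needs a type and a name", raw)
	}
	p.Type, p.Name = strings.ToLower(segs[0]), segs[len(segs)-1]
	p.Namespace = strings.Join(segs[1:len(segs)-1], "/")
	return p, nil
}

func main() {
	fmt.Println(ParsePURL("pkg:deb/debian/login@1:4.8.1-1?arch=arm64")) // pURL from the commit message
}
```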