Introduce PURL built-in functions #6504

@lcarva

Description

What is the underlying problem you're trying to solve?

Given a list of disallowed components, and an SBOM as input, I would like to write a rego policy that:

  1. Verifies that the entries in the SBOM and in the list of disallowed components define valid PURL values.
  2. Parses a PURL value into an object that represents the various components of the PURL spec, e.g. name, version.
  3. Detects when the SBOM uses one of the items from the list of disallowed components.

Describe the ideal solution

Introduce two new built-in rego functions:

  • purl.is_valid(purl): Determine whether or not a given PURL is valid. The purl parameter is of type string. The return value is a boolean.
  • purl.parse(purl): Parse a valid PURL into an object. The purl parameter is of type string. The return value is an object representation of the given PURL.

The functionality above can be achieved by using https://github.com/package-url/packageurl-go.

Additional Context

I'm one of the maintainers of the Enterprise Contract project, which heavily relies on rego to perform validation of certain software artifacts, mainly container images. We have introduced the two suggested functions above in our implementation via custom rego functions. I would really rather have this as part of rego itself as it is likely to benefit others in the opa ecosystem.
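As an added example (not code from the issue, from Enterprise Contract or from OPA), the three steps described in the issue in Python: a purl parser and validator that follows the split order of the purl spec, plus the check for disallowed components. The function names parse_purl, is_valid_purl and disallowed_in_sbom are assumed here, and the SBOM and blocklist purls are constructed sample input.

```python
from urllib.parse import unquote

# Parses pkg:type/namespace/name@version?qualifiers#subpath, splitting in the order
# the purl spec prescribes (subpath, qualifiers, scheme, type, version, then
# namespace/name) so a percent-encoded '@' or '/' in a name (npm scope "%40angular")
# is not mistaken for a separator.
def parse_purl(purl: str) -> dict:
    rest, subpath = purl.rsplit("#", 1) if "#" in purl else (purl, "")
    rest, query = rest.rsplit("?", 1) if "?" in rest else (rest, "")
    scheme, sep, rest = rest.partition(":")
    if sep == "" or scheme.lower() != "pkg":
        raise ValueError("purl must start with 'pkg:'")
    ptype, _, rest = rest.lstrip("/").partition("/")
    rest, version = rest.rsplit("@", 1) if "@" in rest else (rest, "")
    namespace, _, name = rest.rpartition("/")
    if not (ptype and name):
        raise ValueError("purl must contain a type and a name: pkg:<type>/<name>")
    qualifiers = {}
    for kv in filter(None, query.split("&")):
        key, sep, value = kv.partition("=")
        if sep == "" or not key:
            raise ValueError(f"malformed qualifier {kv!r}")
        qualifiers[key.lower()] = unquote(value)
    return {"type": ptype.lower(), "name": unquote(name), "version": unquote(version),
            "namespace": "/".join(unquote(s) for s in namespace.split("/") if s),
            "qualifiers": qualifiers, "subpath": subpath.strip("/")}

def is_valid_purl(purl: str) -> bool:
    try:
        parse_purl(purl)
        return True
    except ValueError:
        return False

def _matches(comp: dict, rule: dict) -> bool:
    same = all(comp[k] == rule[k] for k in ("type", "namespace", "name"))
    return same and rule["version"] in ("", comp["version"])

# Returns the SBOM entries that match a disallowed component on type, namespace
# and name; a disallowed entry without a version matches every version.
def disallowed_in_sbom(sbom_purls, disallowed_purls):
    banned = [parse_purl(p) for p in disallowed_purls]
    return [p for p in sbom_purls if any(_matches(parse_purl(p), b) for b in banned)]

# Constructed sample input (not from the issue): SBOM component purls and a blocklist.
SBOM = ["pkg:npm/lodash@4.17.20", "pkg:npm/%40angular/animation@12.3.1",
        "pkg:pypi/requests@2.31.0", "pkg:maven/org.apache.commons/io@1.3.4"]
DISALLOWED = ["pkg:npm/lodash@4.17.20", "pkg:pypi/requests"]
```

Calling disallowed_in_sbom(SBOM, DISALLOWED) returns the lodash and requests entries; the scoped npm package parses with namespace "@angular" because the split on '@' happens before percent-decoding.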
