docs(advisor): Clarify an OSV API peculiarity

While it is recommended to specify the PURL [1], it must not be
specified together with the ecosystem [2]. As the ecosystem is the
OSV-native way to identify packages, and OSV seems to have some data
problems with PURLs [3], add a reminder not to use PURLs in queries.

[1]: https://ossf.github.io/osv-schema/#affectedpackage-field
[2]: google/osv.dev#1443
[3]: google/osv.dev#1234

Signed-off-by: Sebastian Schuberth <[email protected]>

Author: sschuberth

advisor/src/main/kotlin/advisors/Osv.kt

@@ -154,6 +154,7 @@ private fun createRequest(pkg: Package): VulnerabilitiesForPackageRequest? {
 
     if (name.isNotBlank() && pkg.id.version.isNotBlank() && !ecosystem.isNullOrBlank()) {
         return VulnerabilitiesForPackageRequest(
+            // Do not specify the purl here as it is mutually exclusive with the ecosystem.
             pkg = org.ossreviewtoolkit.clients.osv.Package(
                 name = name,
                 ecosystem = ecosystem