Context is here: https://github.com/quay/clair/issues/1540

Summary: Alpine published security advisories by Source package, we should match on the record's source package when it is available.

Notes: A migration is needed to trigger a GC delete of the currently alpine vulns.