anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

Look at package rebuild info on advisories for indirect matches #1932

Open wagoodman opened 3 weeks ago

wagoodman commented 3 weeks ago

Today we look at source RPMs on RPMs to find additional matches, for example, the RPM for perl-Errno has perl listed as the source RPM... so we will additionally search for perl package vulnerabilities when we run across the perl-Errno package during matching. However, this can be a source of false positives.

That being said, some advisories include each package that was potentially affected and rebuilt (this kind of information is missing from the current grype DB, but could be added). We could use this package-rebuild information from advisories to decide whether or not the indirect match should be included at all, leading to potentially fewer FPs here.

This is an incomplete idea though: what is missing is finding an example of an advisory that is missing package build information which would lead to the conclusion that the indirect package match is invalid.
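The matching rule proposed in this issue, as an added Go sketch that is not grype's own code: the `Package` and `Advisory` types, the placeholder advisory ids and the rebuild lists are constructed assumptions. Direct matches are kept as today; an indirect (source-RPM) match is kept only when the advisory has no rebuild list or lists the package among the rebuilt ones.

```go
package main

import "fmt"

// Package is an installed RPM plus the source RPM it was built from.
type Package struct {
	Name, SourceRPM string
}

// Advisory names the affected source package and, when the feed supplies it,
// the binary packages rebuilt for the fix; nil means no rebuild information.
type Advisory struct {
	ID, Source string
	Rebuilt    map[string]bool
}

// FindMatches maps matching advisory ids to whether the match is indirect (via
// source RPM); an indirect match is kept only if the advisory has no rebuild
// list or lists this package among the rebuilt ones.
func FindMatches(pkg Package, advisories []Advisory) map[string]bool {
	out := map[string]bool{}
	for _, adv := range advisories {
		switch {
		case adv.Source == pkg.Name:
			out[adv.ID] = false // direct match on the package name
		case adv.Source == pkg.SourceRPM && (adv.Rebuilt == nil || adv.Rebuilt[pkg.Name]):
			out[adv.ID] = true // indirect match, allowed by rebuild info
		}
	}
	return out
}

// SampleAdvisories is constructed data with placeholder ids, not real advisories.
func SampleAdvisories() []Advisory {
	return []Advisory{
		{ID: "EXAMPLE-1", Source: "perl", Rebuilt: map[string]bool{"perl": true, "perl-Errno": true}}, // perl-Errno rebuilt: keep
		{ID: "EXAMPLE-2", Source: "perl", Rebuilt: map[string]bool{"perl": true, "perl-libs": true}},  // not rebuilt: drop
		{ID: "EXAMPLE-3", Source: "perl"},                                                             // no rebuild info: keep
	}
}

func main() {
	pkg := Package{Name: "perl-Errno", SourceRPM: "perl"}
	fmt.Println(FindMatches(pkg, SampleAdvisories())) // map[EXAMPLE-1:true EXAMPLE-3:true]
}
```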

westonsteimel commented 3 weeks ago

For Oracle at least we are already pulling in all of the packages that were rebuilt for the advisory and that is where the exact-direct-matches are coming from, so for that case at least https://github.com/anchore/grype/issues/1931 would already handle this. I am unsure if we currently pull in all of that information for Amazon advisories, so we'll have to investigate that further.

westonsteimel commented 3 weeks ago

It looks like we also already pull in the relevant rebuilds for Amazon advisories