
fix(linux): add logic to parse the upstream package name

Open FernandoRojo opened this issue 1 year ago • 0 comments

Why? Many Linux distributions (debian/alpine/mariner) publish CVE data against source package names only, so this is required for users to CVE check against the output of component-detection.

Note: Syft doesn't always provide the source package name (it doesn't appear to provide this for ubuntu packages when the source and binary package names are the same).

The package name does not always line up 100% with the upstream or source name. For example, some Linux distributions suffix the major version to differentiate packages, e.g. python2 and python3. These should both be mapped back to python.

Initial code updates were introduced in these PRs:
https://github.com/microsoft/component-detection/pull/88
https://github.com/microsoft/component-detection/pull/126

But they need to be revisited after becoming stale and having a large number of conflicts.

We will reintroduce a PR to resolve this issue once there is enough priority.

FernandoRojo, Oct 28 '24 20:10
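The mapping the issue asks for, as an added example in Python (not component-detection's own code, which is C#): an explicit source name from package metadata wins, and stripping a major-version suffix such as python3 -> python is only the fallback when no source name is available. The Debian "Source:" field format and the source-RPM file-name format are assumptions about the inputs, and the `upstream_package_name` helper is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not component-detection's own code. Explicit source metadata
# is preferred; the version-suffix heuristic only runs when no such hint exists.

# Debian/Ubuntu "Source:" field, either "name" or "name (source-version)",
# e.g. "glibc (2.31-0ubuntu9)" (assumed input format).
_DEB_SOURCE = re.compile(r"^\s*([a-z0-9][a-z0-9+.\-]*)\s*(?:\([^)]*\))?\s*$")
# Source RPM file name (assumed format, for RPM-based distros such as Mariner):
# name-version-release.src.rpm, where version and release contain no '-'.
_SRPM = re.compile(r"^(.+)-[^-]+-[^-]+\.src\.rpm$")
# Binary name ending in a short major-version marker: python2, python3.
# This is lossy (libssl3 -> libssl, not openssl), which is why metadata is
# preferred and the original binary name is kept next to the derived one,
# so a wrong guess does not silently drop a CVE match.
_VERSION_SUFFIX = re.compile(r"^(?P<base>[a-z][a-z+\-]*?)(?P<major>\d{1,2})$")


@dataclass(frozen=True)
class UpstreamName:
    binary: str    # package name exactly as the package manager reports it
    upstream: str  # best-effort source / upstream name for CVE lookup
    how: str       # "srpm", "source-field", "heuristic" or "identity"


def upstream_package_name(binary: str, source_hint: Optional[str] = None) -> UpstreamName:
    """Map a binary package name to the name CVE feeds publish against."""
    if source_hint:
        m = _SRPM.match(source_hint)
        if m:
            return UpstreamName(binary, m.group(1), "srpm")
        m = _DEB_SOURCE.match(source_hint)
        if m:
            return UpstreamName(binary, m.group(1), "source-field")
    m = _VERSION_SUFFIX.match(binary)
    if m:
        return UpstreamName(binary, m.group("base"), "heuristic")
    # Nothing to strip: the binary name is the best name available.
    return UpstreamName(binary, binary, "identity")
```

Inputs without a source hint fall through to the heuristic, so a scanner should record `how` with each result to tell metadata-backed names from guesses.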