fix: replace Debian package name with its source name #1422

Merged
merged 1 commit into from
Dec 5, 2024

Conversation

hogo6002
Contributor

@hogo6002 hogo6002 commented Dec 4, 2024

The current v2 container scanning doesn't report any Debian-related vulnerabilities. The reason is that the extractor takes the package name and package version to match against OSV records. But OSV records store records with the source name. Debian packages may have a different source name than their package name (also source version). For example:
image

The new change will convert the given package information to its corresponding source information for matching, if the source information is specified.
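
The conversion described above, sketched as an added example; it is not part of this pull request or of the project's code. It assumes the package data comes from dpkg status stanzas, where an optional `Source` field gives the source name and, in parentheses, a source version that differs from the binary one. `MatchKey` and `sourceKey` are hypothetical names, and the sample stanzas are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// MatchKey is the name/version pair sent to advisory matching (hypothetical type).
type MatchKey struct{ Name, Version string }

// sourceKey reads one dpkg status stanza and returns the source name/version.
// No Source field: the source is the binary package itself.
// "Source: name": only the name differs. "Source: name (ver)": both differ.
func sourceKey(stanza string) MatchKey {
	fields := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(stanza))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, " ") || strings.HasPrefix(line, "\t") {
			continue // continuation of a multi-line field such as Description
		}
		if k, v, ok := strings.Cut(line, ":"); ok {
			fields[k] = strings.TrimSpace(v)
		}
	}
	key := MatchKey{Name: fields["Package"], Version: fields["Version"]}
	name, rest, _ := strings.Cut(fields["Source"], " ")
	if name != "" {
		key.Name = name
	}
	if v := strings.Trim(strings.TrimSpace(rest), "()"); v != "" {
		key.Version = v
	}
	return key
}

// Constructed sample stanzas, not taken from the pull request.
const (
	libc6 = "Package: libc6\nSource: glibc\nVersion: 2.36-9\nDescription: C library\n shared libs\n"
	gcc   = "Package: gcc\nSource: gcc-defaults (1.203)\nVersion: 4:12.2.0-3\n"
	bash  = "Package: bash\nVersion: 5.2.15-2\n"
)

func main() {
	for _, s := range []string{libc6, gcc, bash} {
		k := sourceKey(s)
		fmt.Printf("match on %s %s\n", k.Name, k.Version)
	}
}
```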

@codecov-commenter

codecov-commenter commented Dec 4, 2024

Codecov Report

Attention: Patch coverage is 53.33333% with 7 lines in your changes missing coverage. Please review.

Project coverage is 69.76%. Comparing base (3f1cc5c) to head (e2f40cd).

Files with missing lines Patch % Lines
internal/image/scan.go 53.33% 6 Missing and 1 partial ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##               v2    #1422   +/-   ##
=======================================
  Coverage   69.76%   69.76%           
=======================================
  Files         186      186           
  Lines       18562    18575   +13     
=======================================
+ Hits        12949    12959   +10     
- Misses       4916     4917    +1     
- Partials      697      699    +2     

Collaborator

@another-rex another-rex left a comment

Thanks! Can you make an issue TODO to make Debian container scanning tests to catch this in the future?

@hogo6002 hogo6002 merged commit ee0945a into google:v2 Dec 5, 2024
14 checks passed