Allow multiple sources for vulnerabilities

Vulnerabilities can be reported in many different ways. With first-class vulnerabilities, we can feed the list and then consider them in the same way, regardless of the source.

We can still keep references to the source, but this will be an secondary effect.

This meta issue is to collect all the possible sources.