fix: CPE detection for APK libavif to use aomedia vendor#4597

Merged
westonsteimel merged 1 commit into anchore:main from naag:fix-libavif-cpe-vendor
Feb 5, 2026

Conversation

@naag
Contributor

@naag naag commented Feb 4, 2026

Description

TLDR: This change adds libavif to the APK package CPE candidate additions with aomedia as an additional vendor, enabling Syft/Grype to match CVEs like CVE-2025-48174 and CVE-2025-48175 using CPEs.

NVD uses aomedia as the vendor for libavif CVEs, see for example https://nvd.nist.gov/vuln/detail/CVE-2025-48174:

cpe:2.3:a:aomedia:libavif:*:*:*:*:*:*:*:*

The CPE currently computed by Syft/Grype uses the vendor libavif, which causes a CPE mismatch:

[0003] TRACE searching for vulnerability matches package=pkg:apk/alpine/libavif@1.0.4-r0?arch=x86_64&distro=alpine-3.21.5
[0003] TRACE fetched package record distro=alpine@3.21.5 duration=176.125µs pkg=package(name=libavif) records=0 vulns=any
[0003] TRACE fetched package record distro=none duration=87.875µs pkg=package(cpe=cpe:2.3:a:libavif:libavif:1.0.4:*:*:*:*:*:*:*) records=0 vulns=any
[0003] TRACE fetched CPE record cpe=cpe:2.3:a:libavif:libavif:1.0.4:*:*:*:*:*:*:* duration=45.417µs records=0
[0003] TRACE fetched package record distro=alpine@3.21.5 duration=263.042µs pkg=package(name=libavif) records=0 vulns=any
[0003] TRACE fetched package record distro=alpine@3.21.5 duration=244µs pkg=package(name=libavif) records=0 vulns=any
[0003] TRACE fetched package record distro=alpine@3.21.5 duration=178.292µs pkg=package(name=libavif) records=0 vulns=any
[0003] TRACE fetched package record distro=none duration=106.25µs pkg=package(cpe=cpe:2.3:a:libavif:libavif:1.0.4:*:*:*:*:*:*:*) records=0 vulns=any
[0003] TRACE fetched CPE record cpe=cpe:2.3:a:libavif:libavif:1.0.4:*:*:*:*:*:*:* duration=51.458µs records=0
[0003] TRACE fetched package record distro=alpine@3.21.5 duration=174.167µs pkg=package(name=libavif) records=0 vulns=any
[0003] TRACE fetched package record distro=alpine@3.21.5 duration=133.375µs pkg=package(name=libavif) records=0 vulns=any
[0003] TRACE fetched package record distro=alpine@3.21.5 duration=133.166µs pkg=package(name=libavif) records=0 vulns=any

With this PR merged, the generated CPE for libavif will match what NVD is using, which fixes false negatives in Grype.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (please discuss with the team first; Syft is 1.0 software and we won't accept breaking changes without going to 2.0)
  • Documentation (updates the documentation)
  • Chore (improve the developer experience, fix a test flake, etc, without changing the visible behavior of Syft)
  • Performance (make Syft run faster or use less memory, without changing visible behavior much)

Checklist

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Issue references

NVD uses "aomedia" as the vendor for libavif CVEs. This change adds
libavif to the APK package CPE candidate additions with "aomedia" as
an additional vendor, enabling Syft/Grype to match CVEs like
CVE-2025-48174 and CVE-2025-48175.

Signed-off-by: Peter Bücker <peter.buecker@gmail.com>
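The vendor mismatch described above, as an added example that is not Syft's or Grype's own code: a constructed model of APK CPE candidate generation with a per-package vendor-additions table, plus a simplified field-by-field CPE comparison that treats `*` as ANY. The table shape, the function names and the matching rule are assumptions for illustration only.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed illustration, not Syft's own code: build CPE candidates for an
// APK package from its name plus extra vendors, then compare against NVD CPEs.
// vendorAdditions: APK package name -> extra vendors NVD uses (assumed shape).
var vendorAdditions = map[string][]string{
	"libavif": {"aomedia"},
}

// apkCPECandidates builds CPE 2.3 strings: the default candidate uses the
// package name as vendor, and the additions table extends the set.
func apkCPECandidates(name, version string, additions map[string][]string) []string {
	vendors := append([]string{name}, additions[name]...)
	out := make([]string, 0, len(vendors))
	for _, v := range vendors {
		out = append(out, fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*", v, name, version))
	}
	return out
}

// cpeMatches reports whether the two CPE 2.3 strings agree field by field,
// treating "*" on either side as ANY (simplified CPE name matching).
func cpeMatches(candidate, nvdCPE string) bool {
	a, b := strings.Split(candidate, ":"), strings.Split(nvdCPE, ":")
	if len(a) != 13 || len(b) != 13 {
		return false
	}
	for i := range a {
		if a[i] != b[i] && a[i] != "*" && b[i] != "*" {
			return false
		}
	}
	return true
}

// anyMatch reports whether any generated candidate matches the NVD CPE.
func anyMatch(candidates []string, nvdCPE string) bool {
	for _, c := range candidates {
		if cpeMatches(c, nvdCPE) {
			return true
		}
	}
	return false
}
```

With no additions the only candidate is cpe:2.3:a:libavif:libavif:1.0.4:..., which never matches NVD's aomedia vendor; with the additions table the aomedia candidate matches and the CVE lookup can succeed.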
@westonsteimel
Contributor

@naag , thanks very much for helping make the CPEs more accurate. As noted in anchore/grype#210 (comment) we are working towards an eventual solution where we will know about all of the CPE to distro package mappings that exist in release-monitoring.org (as well as some other datasets), and it appears that they do have this mapping https://release-monitoring.org/project/178015/. Thanks again for the improvement!

@peterbuecker-form3

Thanks a lot @westonsteimel for your swift response and the additional explanations, very much appreciate the outlook :)

@westonsteimel westonsteimel merged commit 6755377 into anchore:main Feb 5, 2026
10 checks passed