We should keep track of:

- where we obtained advisory data from in an Advisory record
- which Advisories were merged and contributed to a set of records
- which other processes and data sources were used to improve records

See also https://github.com/nexB/vulnerablecode/issues/590