Classification of package source from hardening manifest
To start tracking the provenance of software installed in containers, there are some steps we could perform in the pipeline, such as classifying the sources of RPMs, etc. This could start to add some data to ensure the provenance of packages.