Composer: add vulnerability mirroring - cleanup

Signed-off-by: Valentijn Scholten <valentijnscholten@gmail.com>

src/main/java/org/dependencytrack/tasks/repositories/ComposerAdvisoryMirrorTask.java

@@ -197,6 +197,7 @@ boolean updateDatasource(final JSONObject jsonAdvisories, boolean syncAliases) {
                 List<VulnerableSoftware> vsList = mapVulnerabilityToVulnerableSoftware(qm, advisory);
                 qm.persist(vsList);
                 final Vulnerability finalSynchronizedVulnerability = synchronizedVulnerability;
+                //TODO VS make sure only DRUPAL or COMPOSER is used as attribution source
                 vsList.forEach(vs -> qm.updateAffectedVersionAttribution(finalSynchronizedVulnerability, vs,
                         vulnerabilitySource));
                 vsList = qm.reconcileVulnerableSoftware(synchronizedVulnerability, vsListOld, vsList,