Add rexical to CVE-2019-5477

The CVE was originally focused on Nokogiri itself and it's use of the
generated code. But MITRE CNA confirmed that the scope can cover the
rexical change itself as vulnerability.

Thus track the issue for src:rexical itself.

Thanks: Mike Gabriel for the additional input to make this change.