feat(nvd): improve ranges to include metadata in db_specific of CPE used to extract it (#5103)

This PR introduces various updates for handling NVD and CVE databases,
specifically related to the location of range metadata in
database_specific, and parsing and cache improvements.

**Range & Affected Parsing (NVD & CVE5)**:

- Fix logic for nested unresolved ranges and duplicate unresolved
ranges.
- Handle edge cases where `introduced` version equals `lessThanOrEqual`
(meaning it’s a specific version, not a range).
 - Address how unresolved signatures are handled during processing.
- Extracted and moved `MergeRangesAndCreateAffected` logic to a common
package for reuse.
- Introduced a new `RangeWithMetadata` struct to hold unresolved ranges
and where they were extracted from, so they can be put in the
database_specific.
- Created a new function for explicitly building Git osvschema ranges,
so they always have the type value attached.
- unresolved ranges are grouped by CPE for easier understanding and use.

**CVE5 Interoperability**:
- Changed CVE5 logic to also use `RangeWithMetadata` to be consistent
across records.

**References & Links**:
- Implemented caching for canonicalizing links to improve processing
performance and avoid 429s.

Author: jess-lowe

vulnfeeds/cmd/combine-to-osv/main.go

@@ -320,9 +320,7 @@ func pickAffectedInformation(cve5Affected []*osvschema.Affected, nvdAffected []*
 				}
 
 				if c5Intro != "" || c5Fixed != "" {
-					newRange := conversion.BuildVersionRange(c5Intro, "", c5Fixed)
-					newRange.Repo = repo
-					newRange.Type = osvschema.Range_GIT // Preserve the repo
+					newRange := conversion.BuildGitVersionRange(c5Intro, "", c5Fixed, repo)
 					newAffectedRanges = append(newAffectedRanges, newRange)
 				} else {
 					newAffectedRanges = cveRanges

vulnfeeds/cmd/converters/cve/nvd-cve-osv/main.go

@@ -32,21 +32,6 @@ var (
 	cpuProfile          = flag.String("cpuprofile", "", "Path to write cpu profile to file (default = no output)")
 )
 
-func loadCPEDictionary(productToRepo *c.VPRepoCache, f string) error {
-	data, err := os.ReadFile(f)
-	if err != nil {
-		return err
-	}
-
-	var tempMap c.VendorProductToRepoMap
-	if err := json.Unmarshal(data, &tempMap); err != nil {
-		return err
-	}
-	productToRepo.Initialize(tempMap)
-
-	return nil
-}
-
 func main() {
 	flag.Parse()
 	if !slices.Contains([]string{"OSV", "PackageInfo"}, *outFormat) {
@@ -82,7 +67,7 @@ func main() {
 
 	vpRepoCache := c.NewVPRepoCache()
 	if *parsedCPEDictionary != "" {
-		err = loadCPEDictionary(vpRepoCache, *parsedCPEDictionary)
+		err = c.LoadCPEDictionary(vpRepoCache, *parsedCPEDictionary)
 		if err != nil {
 			logger.Fatal("Failed to load parsed CPE dictionary", slog.Any("err", err))
 		}