vulnfeeds: infer introduced and fixed versions from GitHub compare URLs#5214

Open

Vedthakar wants to merge 1 commit into google:master from Vedthakar:issue-2924-clean

Conversation

@Vedthakar

Overview

Add support for inferring introduced and fixed versions from GitHub compare URLs in CVE references, such as:

https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0

Fixes #2924

What changed

  • Added handling for GitHub compare references in vulnfeeds version extraction
  • Parsed compare URLs to infer a version range in introduced -> fixed form
  • Used these inferred versions as structured version information instead of relying only on commit references or free-form description parsing
  • Added tests covering compare URL extraction behavior

Why

Some CVEs include GitHub compare links that already encode useful version boundary information, but today that data is not used directly during conversion. As a result, affected ranges can remain incomplete or unanalyzed even when the reference contains enough information to infer them.

This change improves conversion quality by extracting the lower and upper version bounds directly from compare URLs when present.

Example

A reference like:

https://github.com/kovidgoyal/kitty/compare/v0.26.1...v0.26.2

can now be interpreted as:

  • introduced: v0.26.1
  • fixed: v0.26.2

Testing

  • Added/updated unit tests for GitHub compare URL parsing
  • Verified existing version extraction behavior still passes
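As an added example (not code from this PR or from vulnfeeds itself), the compare-URL inference described above in Go: the base ref of the compare is mapped to `introduced` and the head ref to `fixed`, and anything that is not a GitHub compare URL is rejected so a caller can fall back to its other version sources. The `CompareRange` type, the `ParseCompareURL` name and the `o/r` sample repository are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// CompareRange is the version range inferred from one GitHub compare URL (added illustration, not vulnfeeds code).
type CompareRange struct {
	Repo       string // "owner/name"
	Introduced string // base ref of the compare
	Fixed      string // head ref of the compare
}

// ParseCompareURL recognises https://github.com/<owner>/<repo>/compare/<base>...<head>
// (a two-dot "base..head" range is accepted too). Anything else, such as a commit
// or release URL, yields ok=false so the caller can fall back to other sources.
func ParseCompareURL(raw string) (CompareRange, bool) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || !strings.EqualFold(u.Hostname(), "github.com") {
		return CompareRange{}, false
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 4 || parts[2] != "compare" {
		return CompareRange{}, false
	}
	// Re-join the tail so refs containing "/" (e.g. release/1.2) survive.
	rng := strings.Join(parts[3:], "/")
	sep := "..."
	if !strings.Contains(rng, sep) {
		sep = ".."
	}
	base, head, found := strings.Cut(rng, sep)
	if !found || base == "" || head == "" {
		return CompareRange{}, false
	}
	return CompareRange{Repo: parts[0] + "/" + parts[1], Introduced: base, Fixed: head}, true
}

func main() {
	// The kitty reference from the PR description; the commit URL is a constructed negative case.
	for _, ref := range []string{
		"https://github.com/kovidgoyal/kitty/compare/v0.26.1...v0.26.2",
		"https://github.com/kovidgoyal/kitty/commit/0000000",
	} {
		r, ok := ParseCompareURL(ref)
		fmt.Printf("%s -> ok=%v introduced=%q fixed=%q\n", ref, ok, r.Introduced, r.Fixed)
	}
}
```

Nothing here checks that the two refs exist as tags in the repository or that the base actually precedes the head, so a converter should verify both before emitting the inferred range.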

Development

Successfully merging this pull request may close these issues.

vulnfeeds: infer introduced and fixed versions from a GitHub compare URL

2 participants