Feature Request: Clarify unspecified vulnerabilities

[AlexGustafsson]

User stories

• As a user I want to understand the impact of vulnerabilities even if they're "unspecified"

Feature description

Cupdate showing unspecified vulnerability:

Golang showing it as "unreviewed", that it's not verified and that there's no fix.

GitHub showing it as low severity and with a known range.

And then later explaining that there's indeed a known good release.

For vulnerabilities with a known severity, Cupdate should report the severity. IIRC most osv.dev severities are "unspecified". Maybe we could look up references automatically?

Additionally, in cases where the final tag ends up being "unspecified", we should be able to tell the user in the UI that these results may or may not be an issue.

[AlexGustafsson]

The vulnerabilities found by osv-scanner should be able to be correlated to package entries in the SBOM. These packages sometimes have information about where (as in what binary) a vulnerability was found. This can help, for example, to identify that it's the "system being vulnerable", not the application. For example, when osv-scanner contains a vulnerability through containerd, which is unaffected by the use in cupdate.