I started reviewing, then noticed you were pushing more commits, so thought I'd pause in case this is in flux. If that's the case, feel free to switch this to Draft until you're ready for me to review it completely, or I can do a review in pieces.
31818b8 to e5bd133
Once this is ready I can do a PR to ossf/osv-schema tools
This is looking pretty good!
LGTM, with one thing about the ID prefix. Beautiful code, thanks for bearing with me on the review. I think this should be pretty readable and maintainable going forward and could potentially be contributed to the OSV-Schema repo.
LGTM. Are you happy for me to merge this?
Yes, let's merge it
Parse Red Hat CSAF documents which are specific to a product and convert them to OSV format.
This will be used to convert Red Hat CSAF documents to OSV data hosted in a new location on Red Hat infrastructure.
This consolidates multiple vulnerabilities in an advisory to one OSV record for a Red Hat RPM-based product. A severity for the OSV record is calculated by finding the highest CVSSv3 score of the fixed vulnerabilities. We only support RPM-based products at this time because we expect a scanning tool using this data to utilize RPM semantics to compare versions installed on Red Hat systems or containers with the fixed versions used in the OSV record.
It also consolidates references in the CSAF document's References section with references in the CSAF Vulnerabilities section to create a combined and deduplicated OSV record set of references.
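The consolidation the description sketches, as an added example that is not the PR's own code: it assumes the input is a dict shaped like CSAF 2.0 JSON (document.references, vulnerabilities[].cve / scores[].cvss_v3 / references), uses public OSV schema field names, and all advisory, CVE ids and URLs below are constructed placeholders.

```python
"""Added example, not the PR's code: fold one product-specific Red Hat CSAF
document into a single OSV-style record (CVEs -> aliases, highest CVSS v3
-> severity, document + per-vulnerability references merged and deduplicated).
Assumed shapes: CSAF 2.0-like dict in, OSV-schema field names out."""
from typing import Any, Dict, List

# Constructed sample: two fixed CVEs; one URL appears in both reference sections.
SAMPLE_CSAF: Dict[str, Any] = {
    "document": {
        "tracking": {"id": "RHSA-0000:0000"},  # placeholder advisory id
        "references": [
            {"category": "self", "url": "https://access.redhat.com/errata/RHSA-0000:0000"},
            {"category": "external", "url": "https://example.invalid/bugzilla/1"},
        ],
    },
    "vulnerabilities": [
        {"cve": "CVE-0000-0001",  # placeholder
         "scores": [{"cvss_v3": {"baseScore": 7.5,
                                 "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}],
         "references": [{"category": "external", "url": "https://example.invalid/bugzilla/1"}]},
        {"cve": "CVE-0000-0002",  # placeholder
         "scores": [{"cvss_v3": {"baseScore": 9.8,
                                 "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],
         "references": [{"category": "external", "url": "https://example.invalid/bugzilla/2"}]},
    ],
}

def highest_cvss_v3(vulns: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Pick the CVSS v3 entry with the highest base score across all fixed CVEs."""
    entries = [s["cvss_v3"] for v in vulns for s in v.get("scores", []) if "cvss_v3" in s]
    return max(entries, key=lambda e: e["baseScore"]) if entries else {}

def merge_references(csaf: Dict[str, Any]) -> List[Dict[str, str]]:
    """Union document-level and per-vulnerability references, deduplicated by URL."""
    seen, merged = set(), []
    sources = [csaf["document"].get("references", [])]
    sources += [v.get("references", []) for v in csaf.get("vulnerabilities", [])]
    for ref in (r for refs in sources for r in refs):
        if ref["url"] not in seen:
            seen.add(ref["url"])
            ref_type = "ADVISORY" if ref.get("category") == "self" else "WEB"
            merged.append({"type": ref_type, "url": ref["url"]})
    return merged

def csaf_to_osv(csaf: Dict[str, Any]) -> Dict[str, Any]:
    """One OSV record for the whole advisory: CVEs become aliases, one severity entry."""
    vulns = csaf.get("vulnerabilities", [])
    top = highest_cvss_v3(vulns)
    osv: Dict[str, Any] = {"id": csaf["document"]["tracking"]["id"],
                           "aliases": [v["cve"] for v in vulns if "cve" in v],
                           "references": merge_references(csaf)}
    if top:
        osv["severity"] = [{"type": "CVSS_V3", "score": top["vectorString"]}]
    return osv
```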