vulnfeeds: infer introduced and fixed versions from a GitHub compare URL #2924

Status: Open
andrewpollock opened this issue Nov 27, 2024 · 0 comments
Labels: enhancement, good first issue, vulnfeeds

Comments

@andrewpollock (Contributor)

Is your feature request related to a problem? Please describe.
There is an opportunity to infer the introduced and fixed versions from a CVE's reference when it contains a URL like https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0

Describe the solution you'd like
Today,

```go
func ExtractVersionInfo(cve CVE, validVersions []string) (v VersionInfo, notes []string) {
	for _, reference := range cve.References {
		// (Potentially faulty) Assumption: All viable Git commit reference links are fix commits.
		if commit, err := extractGitCommit(reference.Url, Fixed); err == nil {
			v.AffectedCommits = append(v.AffectedCommits, commit)
		}
	}
```

prefers to use any commit references as a fixed commit over extracting versions and then attempting to map those to a commit.

Potentially before

```go
	if !gotVersions {
		var extractNotes []string
		v.AffectedVersions, extractNotes = extractVersionsFromDescription(validVersions, EnglishDescription(cve))
		notes = append(notes, extractNotes...)
		if len(v.AffectedVersions) > 0 {
			log.Printf("[%s] Extracted versions from description = %+v", cve.ID, v.AffectedVersions)
		}
	}
```

this could look for references like https://github.com/kovidgoyal/kitty/compare/v0.26.1...v0.26.2 and use this as an introduced..fixed version range.

Describe alternatives you've considered
I considered last_affected over fixed, but given we already make the other assumption about commit references being fixed, I figured we might as well double down on it here 😃

Additional context
This would help the likes of CVE-2024-21534 convert in an un-analyzed state.
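An added example, not code from the osv.dev vulnfeeds project, of how the compare-URL inference proposed in this issue could look. The function names (ParseCompareURL, MatchVersion), the CompareRange type, the rule that the base ref of the compare is the introduced version and the head ref the fixed version, and the rejection of compare specs made of bare commit hashes are assumptions of this example; the validVersions slice mirrors the parameter of ExtractVersionInfo in the snippet above. The two compare URLs are the ones quoted in this issue; the commit URL is constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// CompareRange is the introduced..fixed pair inferred from a GitHub compare URL
// (assumed type for this example).
type CompareRange struct {
	Repo       string // e.g. https://github.com/kovidgoyal/kitty
	Introduced string // base ref of the compare, taken as the introduced version
	Fixed      string // head ref of the compare, taken as the fixed version
}

// A ref that is just hex of commit-hash length carries no version information.
var hexCommitRe = regexp.MustCompile(`^[0-9a-fA-F]{7,40}$`)

// ParseCompareURL accepts https://github.com/<owner>/<repo>/compare/<base>...<head>
// (GitHub also accepts a two-dot form) and returns base as Introduced and head as Fixed.
// Cross-fork specs of the form owner:ref are passed through untouched.
func ParseCompareURL(raw string) (CompareRange, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return CompareRange{}, err
	}
	if !strings.EqualFold(u.Host, "github.com") {
		return CompareRange{}, errors.New("not a github.com URL")
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	// Expected path: owner, repo, "compare", "<base>...<head>".
	if len(parts) != 4 || parts[2] != "compare" {
		return CompareRange{}, fmt.Errorf("not a compare URL: %s", raw)
	}
	spec := parts[3]
	sep := "..."
	if !strings.Contains(spec, sep) {
		sep = ".." // two-dot form
	}
	refs := strings.SplitN(spec, sep, 2)
	if len(refs) != 2 || refs[0] == "" || refs[1] == "" {
		return CompareRange{}, fmt.Errorf("compare spec %q lacks base...head", spec)
	}
	base, head := refs[0], refs[1]
	if hexCommitRe.MatchString(base) || hexCommitRe.MatchString(head) {
		return CompareRange{}, fmt.Errorf("compare spec %q uses commits, not tags", spec)
	}
	return CompareRange{
		Repo:       "https://github.com/" + parts[0] + "/" + parts[1],
		Introduced: base,
		Fixed:      head,
	}, nil
}

// normalizeVersion strips a single leading "v" or "V" so that tag v1.2.3 matches version 1.2.3.
func normalizeVersion(s string) string {
	if strings.HasPrefix(s, "v") || strings.HasPrefix(s, "V") {
		return s[1:]
	}
	return s
}

// MatchVersion maps a compare ref onto the spelling used in validVersions, if present.
// This is the step that decides whether an inferred range is trustworthy enough to emit.
func MatchVersion(ref string, validVersions []string) (string, bool) {
	want := normalizeVersion(ref)
	for _, v := range validVersions {
		if normalizeVersion(v) == want {
			return v, true
		}
	}
	return "", false
}

func main() {
	for _, ref := range []string{
		"https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0",
		"https://github.com/kovidgoyal/kitty/compare/v0.26.1...v0.26.2",
		"https://github.com/kovidgoyal/kitty/commit/0123456789abcdef0123456789abcdef01234567", // constructed
	} {
		r, err := ParseCompareURL(ref)
		if err != nil {
			fmt.Printf("%s: skipped (%v)\n", ref, err)
			continue
		}
		fmt.Printf("%s: introduced=%s fixed=%s\n", r.Repo, r.Introduced, r.Fixed)
	}
}
```

Running it prints an introduced/fixed pair for the two compare URLs and a skip line for the commit URL. The commit-hash check matters because a compare between two SHAs is exactly the case the existing extractGitCommit path should keep handling; only tag-to-tag compares are version ranges.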
