fix: Associate NVD CPE ranges with repositories using VPRepoCache and isolate resolution#5343

Open
jess-lowe wants to merge 2 commits into
google:masterfrom
jess-lowe:fix/conv/cpe-repo-isolation

Conversation

@jess-lowe
Contributor

Refactors the NVD CPE version range extraction and resolution logic to map version ranges to their corresponding repository URLs using VPRepoCache. This strictly isolates resolution, prevents cross-contamination (resolving Product A's CPE versions on Product B's repository), and produces a consolidated unresolved database_specific output.

  • Repository-Specific Range Extraction: Modified ExtractVersionsFromCPEs in versions.go to accept VPRepoCache and look up repositories associated with the CPE vendor:product. If found, explicit GIT ranges with Repo set are generated; otherwise, it falls back to a generic range.
  • Repository Claiming/Locking: Updated GitVersionsToCommits in common.go to enforce strict repo isolation:
    • Ranges pre-assigned to a repository are resolved strictly on that repository.
    • Generic ranges are blocked from resolving against repositories that have been explicitly claimed by another range in the CVE.
  • Unresolved Metrics Consolidation: Refactored CreateUnresolvedRanges to parse and group unresolved entries by vendor_product rather than full CPE strings. The contributing original versioned CPE criteria strings are kept in a sorted "cpes" list field inside the grouped entry. This is to deduplicate/better group information in database_specific.
  • Unresolved Metrics Deduplication: Implemented FilterUnresolvedRanges to deduplicate entries. If a CPE's version boundaries successfully resolve to a commit on at least one repository, duplicate unresolved range copies on secondary repositories are automatically filtered out.
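As an added illustration of the claiming rule described above (this is not code from this PR or from osv.dev; the VersionRange type, CandidateRepos and the repository URLs are constructed for the example), the following picks which repositories a range may be resolved on: a range pre-assigned to a repository is confined to that repository, and a generic range is kept off any repository that another range in the same CVE has claimed.

```go
package main

import (
	"fmt"
	"sort"
)

// VersionRange is a simplified, constructed stand-in for an affected range.
// Repo is empty for a generic range and set when the vendor:product lookup
// pre-assigned the range to a repository.
type VersionRange struct {
	Introduced, Fixed string
	Repo             string
}

// claimedRepos collects every repository explicitly claimed by some range in the CVE.
func claimedRepos(ranges []VersionRange) map[string]bool {
	claimed := map[string]bool{}
	for _, r := range ranges {
		if r.Repo != "" {
			claimed[r.Repo] = true
		}
	}
	return claimed
}

// CandidateRepos applies the isolation rule: a pre-assigned range resolves only on
// its own repository; a generic range may try any known repository except those
// claimed by another range. The result is sorted for deterministic output.
func CandidateRepos(r VersionRange, ranges []VersionRange, known []string) []string {
	if r.Repo != "" {
		return []string{r.Repo}
	}
	claimed := claimedRepos(ranges)
	var out []string
	for _, repo := range known {
		if !claimed[repo] {
			out = append(out, repo)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample: product-a is claimed, the second range is generic.
	known := []string{"https://example.invalid/product-a", "https://example.invalid/product-b"}
	ranges := []VersionRange{
		{Introduced: "1.0.0", Fixed: "1.2.0", Repo: "https://example.invalid/product-a"},
		{Introduced: "2.0.0", Fixed: "2.1.0"},
	}
	for _, r := range ranges {
		fmt.Println(r.Introduced, "->", r.Fixed, "resolves on", CandidateRepos(r, ranges, known))
	}
}
```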
