
feat: enable nuget in osv worker [CM-1276]#4270

Merged: mbani01 merged 2 commits into main from feat/enable_nuget_in_osv on Jun 26, 2026

Conversation

@mbani01 (Contributor) commented Jun 26, 2026


This pull request adds support for the NuGet ecosystem to the OSV advisories sync process. The main changes include updating environment variables, validation lists, and version comparison logic to recognize and handle NuGet advisories alongside existing ecosystems.

NuGet ecosystem support:

  • Added NuGet to the OSV_ECOSYSTEMS environment variable in backend/.env.dist.local, enabling the sync process to include NuGet advisories.
  • Updated the VALID_ECOSYSTEMS array in osv/schedule.ts to include NuGet, ensuring that validation and scheduling logic recognize it as a supported ecosystem.

Version comparison improvements:

  • Introduced a SEMVER_ECOSYSTEMS set in osv/versionCompare.ts and updated the compareVersion function to treat nuget as a semver-based ecosystem, ensuring correct version comparison logic for NuGet advisories.

Note

Medium Risk
Extends vulnerability range matching for a new ecosystem; incorrect semver handling could mis-flag has_critical_vulnerability, but the change follows the existing npm/cargo pattern with tests.

Overview
NuGet is now included in the scheduled OSV bulk advisory sync alongside npm, Maven, and cargo.

Local env template OSV_ECOSYSTEMS and the worker allowlist in schedule.ts gain NuGet (OSV’s case-sensitive bucket path). compareVersion routes lowercase nuget through the same semver path as npm/cargo so introduced/fixed ranges can drive critical-vulnerability derivation. Tests cover semver ordering (including a Newtonsoft.Json CVE boundary) and reject titlecase NuGet at the comparator, matching DB normalization.

Reviewed by Cursor Bugbot for commit 4dcc816. Bugbot is set up for automated code reviews on this repo. Configure here.

Signed-off-by: Mouad BANI <mouad-mb@outlook.com>
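The description above says the comparator routes lowercase nuget through the semver path so that OSV introduced/fixed ranges can drive the critical-vulnerability flag, and that titlecase NuGet is rejected at the comparator. The following is an added example, not the project's code, showing what that evaluation looks like end to end: a strict SemVer 2.0 comparator gated by an ecosystem set, and an OSV range walker on top of it. The OSV event layout (introduced/fixed, with "0" meaning "from the first version") is OSV's public schema; the function names, SAMPLE_RANGES and the package name example.pkg are constructed here. NuGet additionally accepts legacy four-part versions such as 1.0.0.0, which this strict parser deliberately rejects so that an incomparable string surfaces as an error rather than a wrong ordering.

```typescript
// Added example, not the project's code: evaluate an OSV advisory's
// introduced/fixed ranges against a package version, routing the semver-based
// ecosystems named in the PR (npm, cargo, nuget) through one comparator.
// The range/event shape is OSV's public schema; SAMPLE_RANGES, the package
// name and the helper names are constructed for this example.

const SEMVER_ECOSYSTEMS = new Set<string>(['npm', 'cargo', 'nuget']);

interface OsvEvent { introduced?: string; fixed?: string }
interface OsvRange { type: 'SEMVER' | 'ECOSYSTEM' | 'GIT'; events: OsvEvent[] }

type Parsed = { core: [number, number, number]; pre: string[] };

// Strict SemVer 2.0 parser: optional leading 'v', optional prerelease, build
// metadata ignored. Anything else (e.g. NuGet's legacy four-part "1.0.0.0")
// throws, so a non-comparable string fails loudly instead of comparing wrong.
function parseSemver(v: string): Parsed {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer 2.0 precedence: a release outranks any prerelease of the same core;
// numeric identifiers compare numerically and rank below alphanumeric ones.
function comparePrerelease(a: string[], b: string[]): number {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (i >= a.length) return -1;
    if (i >= b.length) return 1;
    const x = a[i], y = b[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns -1, 0 or 1. Ecosystem names are expected already lowercased, as the
// PR says the database stores them; 'NuGet' is rejected, not silently mapped.
function compareVersion(ecosystem: string, a: string, b: string): number {
  if (!SEMVER_ECOSYSTEMS.has(ecosystem)) {
    throw new Error(`no semver comparator for ecosystem: ${ecosystem}`);
  }
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  return comparePrerelease(pa.pre, pb.pre);
}

// OSV semantics: walking the events in ascending order (as the schema
// requires), an 'introduced' at or below the version makes it affected until a
// later 'fixed' at or below the version clears it. "0" means "from the start".
function isAffected(ecosystem: string, version: string, ranges: OsvRange[]): boolean {
  for (const range of ranges) {
    if (range.type === 'GIT') continue; // commit ranges need a repository, not versions
    let affected = false;
    for (const ev of range.events) {
      if (ev.introduced !== undefined) {
        const lower = ev.introduced === '0' ? '0.0.0' : ev.introduced;
        if (compareVersion(ecosystem, version, lower) >= 0) affected = true;
      }
      if (ev.fixed !== undefined && compareVersion(ecosystem, version, ev.fixed) >= 0) {
        affected = false;
      }
    }
    if (affected) return true;
  }
  return false;
}

// Constructed sample advisory: two vulnerable windows, [0, 1.2.3) and [2.0.0, 2.0.5).
const SAMPLE_RANGES: OsvRange[] = [
  { type: 'ECOSYSTEM', events: [{ introduced: '0' }, { fixed: '1.2.3' }, { introduced: '2.0.0' }, { fixed: '2.0.5' }] },
];

for (const v of ['1.2.2', '1.2.3', '1.5.0', '2.0.4', '2.0.5-beta', '2.0.5']) {
  console.log(`example.pkg ${v} affected: ${isAffected('nuget', v, SAMPLE_RANGES)}`);
}
```

Two design points worth noting: a prerelease of the fixed version (2.0.5-beta) is still reported as affected, because SemVer orders it below 2.0.5, which is the boundary behaviour that decides whether a flag like has_critical_vulnerability is set correctly; and the ecosystem gate throws for anything outside the set, so a casing mismatch between the OSV bucket name and the normalized DB value shows up in tests instead of as a silently unflagged package.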
@mbani01 mbani01 self-assigned this Jun 26, 2026
Copilot AI review requested due to automatic review settings June 26, 2026 10:51
@CLAassistant


CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Copilot AI left a comment


Pull request overview

Adds NuGet to the OSV advisories sync pipeline in packages_worker, ensuring the Temporal schedule accepts the OSV bucket’s canonical ecosystem casing and that downstream version comparisons treat NuGet as semver-based.

Changes:

  • Added NuGet to the OSV schedule allowlist (VALID_ECOSYSTEMS) so OSV_ECOSYSTEMS validation accepts it.
  • Updated local env defaults to include NuGet in OSV_ECOSYSTEMS.
  • Refactored semver ecosystem detection into a shared SEMVER_ECOSYSTEMS set and included nuget for semver comparison.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

backend/.env.dist.local: Adds NuGet to the local default OSV_ECOSYSTEMS list.
services/apps/packages_worker/src/osv/schedule.ts: Extends the schedule allowlist to accept NuGet (case-sensitive OSV bucket path segment).
services/apps/packages_worker/src/osv/versionCompare.ts: Routes nuget through the semver comparator via SEMVER_ECOSYSTEMS.


Comment on lines 13 to +14
// Add new entries here when v1 expands beyond npm + Maven.
const VALID_ECOSYSTEMS = ['npm', 'Maven', 'cargo'] as const
const VALID_ECOSYSTEMS = ['npm', 'Maven', 'cargo', 'NuGet'] as const
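Review bot: the comment directly above the allowlist is stale: it still reads "Add new entries here when v1 expands beyond npm + Maven" while the array now holds cargo and NuGet as well. Update it to describe the current list and, since this file uses OSV's case-sensitive bucket spelling 'NuGet' while versionCompare.ts keys on lowercase 'nuget', say so in the comment, otherwise the next ecosystem added here is likely to be lowercased in one place and not the other.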
Comment on lines +129 to 133
const SEMVER_ECOSYSTEMS = new Set(['npm', 'cargo', 'nuget'])

// Ecosystem names are stored lowercase in packages-db per ADR-0001 §OSV
// "Ecosystem normalization" — 'npm', 'maven', 'cargo'. Callers (deriveCriticalFlag)
// pull the value straight from the DB so the literals here must match.
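Review bot: the comment under SEMVER_ECOSYSTEMS lists the lowercase literals as 'npm', 'maven', 'cargo' but the set now also contains 'nuget', so the two no longer agree; extend the list in the comment. Since the PR notes that titlecase NuGet is rejected at the comparator and relies on DB normalization to lowercase, it would also help to state here that this set must stay lowercase even though schedule.ts spells the ecosystem 'NuGet'. Finally, given that the risk called out above is mis-flagging has_critical_vulnerability, it is worth a test that shows what compareVersion does for a NuGet version string the semver comparator cannot parse, so that an advisory with such a range fails visibly rather than being silently skipped or misordered.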
Signed-off-by: Mouad BANI <mouad-mb@outlook.com>
@mbani01 mbani01 merged commit 8a48bcc into main Jun 26, 2026
15 checks passed
@mbani01 mbani01 deleted the feat/enable_nuget_in_osv branch June 26, 2026 11:08