Add osv.dev as package source

[aviveldan]

osv.dev includes both vulnerable and malicious/compromised packages.
Seems like it could be the main source, instead of hard coding the packages in this repo.

[adel-pplx]

Agreed with the direction.
We should not fetch from osv.dev during scans, but OSV/OpenSSF makes sense as an upstream source for generating Bumblebee exposure catalogs. I’d like to track this as an offline OSV-to-Bumblebee catalog import/generation feature.