Evaluate and enable cherrypick detection for cve-osv

[oliverchang]

Currently, for our cve-osv source, detect_cherrypicks is off. This means that when we enumerate affected git commits, we are only considering the branches that contain the referenced fix commits.

This occasionally lead to missed matches.

We should evaluate turning on cherrypick detection for cve-osv. This has some implications:

• This will slow down record processing time.
• Cherrypick detection is not perfect, which can lead to false positives if we don't correctly identify all cherrypicked fixes.

Related issues: https://github.com/google/osv.dev/issues/2576#issuecomment-2336875125 https://github.com/google/osv.dev/issues/1910#issuecomment-1885825603

[github-actions[bot]]

:sparkles: Thank you for your interest in OSV.dev's data quality! :sparkles:

Please review our FAQ entry on how to most efficiently have this addressed.