jensdietrich / xshady

vulnerabilities found in shaded projects
Apache License 2.0

Unreviewed GHSAs missing from all.zip, and from its likely source API #15

Open wtwhite opened 1 year ago

wtwhite commented 1 year ago

The new tooling in tools uses JSON-formatted GHSA data from https://osv-vulnerabilities.storage.googleapis.com/Maven/all.zip. However, this file appears to be missing unreviewed GHSAs such as https://github.com/advisories/GHSA-g7jw-7782-jjv9 (corresponding to CVE-2016-0779, which vul4j's CVE-2015-8581 (= VUL4J-37) is marked as a dupe of).

Some googling found me this page describing a matching JSON schema, which says that GHSA data in this format is available from https://api.osv.dev/v1/vulns/<ID> (@alexjordan could you confirm that this schema is the right one and this API is what all.zip is generated from?). But although curl https://api.osv.dev/v1/vulns/GHSA-g74w-93cp-5p3p works as expected and matches the GHSA-g74w-93cp-5p3p inside all.zip (modulo whitespace), curl https://api.osv.dev/v1/vulns/GHSA-g7jw-7782-jjv9 only gives {"code":5,"message":"Bug not found."}.

alexjordan commented 1 year ago

My assumption would be that unreviewed GHSA issues (such as the one corresponding to CVE-2016-0779) are not propagated to OSV; for that reason the vulnerability cannot be queried, as it is not included in the all.zip export.

Using the all.zip export was simply done for convenience over querying an API. The raw data of GHSA is also available in JSON though and AFAIK shares the same schema, e.g. https://github.com/github/advisory-database/blob/main/advisories/unreviewed/2022/05/GHSA-g7jw-7782-jjv9/GHSA-g7jw-7782-jjv9.json

Without the vulnerable versions in the data this won't be much help, so I think we can either skip unreviewed vulnerabilities or populate them manually as I commented in #17.
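To make the two points in this thread concrete (an advisory missing from all.zip and from api.osv.dev, and an unreviewed advisory that carries no affected-version data), here is an added example that is not part of the xshady tooling. It builds a constructed all.zip-style export in memory with two OSV-schema records (the ids, package name and versions are made up; only the field names follow the OSV schema), looks advisories up locally first, falls back to a caller-supplied API body so it runs offline, recognises the `{"code":5,"message":"Bug not found."}` response quoted above, and extracts the OSV `affected` ranges that vul4j-style matching needs:

```python
"""Resolve GHSA ids against an OSV-format export and report vulnerable ranges.

Added illustration for this issue; not xshady code. The two records below are
CONSTRUCTED sample data shaped like the OSV schema (ossf.github.io/osv-schema).
"""
import io
import json
import zipfile

# Constructed sample: a reviewed advisory with version ranges and an
# unreviewed advisory with no ``affected`` data, as described in the thread.
SAMPLE_RECORDS = {
    "GHSA-xxxx-revw-0001": {  # constructed id
        "id": "GHSA-xxxx-revw-0001",
        "aliases": ["CVE-0000-00001"],  # constructed alias
        "affected": [{
            "package": {"ecosystem": "Maven", "name": "org.example:demo-lib"},
            "ranges": [{
                "type": "ECOSYSTEM",
                "events": [{"introduced": "0"}, {"fixed": "2.4.1"}],
            }],
        }],
    },
    "GHSA-xxxx-unrv-0002": {  # constructed id
        "id": "GHSA-xxxx-unrv-0002",
        "aliases": ["CVE-0000-00002"],
        "affected": [],
        "database_specific": {"github_reviewed": False},
    },
}

# Body returned by api.osv.dev for an id it does not know (quoted in the issue).
OSV_NOT_FOUND = {"code": 5, "message": "Bug not found."}


def build_sample_zip(records):
    """Serialise records as <ID>.json members, mirroring the all.zip layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for vuln_id, record in records.items():
            zf.writestr(f"{vuln_id}.json", json.dumps(record))
    return buf.getvalue()


def load_osv_zip(zip_bytes):
    """Return {id: record} for every JSON member of an OSV export."""
    index = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".json"):
                record = json.loads(zf.read(name))
                index[record["id"]] = record
    return index


def is_osv_not_found(api_response):
    """True for the api.osv.dev 'Bug not found.' error body (code 5)."""
    return api_response.get("code") == 5 and "message" in api_response


def vulnerable_ranges(record):
    """Flatten OSV ``affected[].ranges[].events`` into
    (ecosystem, package, introduced, fixed) tuples; fixed is None when open."""
    result = []
    for affected in record.get("affected", []):
        pkg = affected.get("package", {})
        eco, name = pkg.get("ecosystem"), pkg.get("name")
        for rng in affected.get("ranges", []):
            current = None
            for event in rng.get("events", []):
                if "introduced" in event:
                    current = event["introduced"]
                elif "fixed" in event and current is not None:
                    result.append((eco, name, current, event["fixed"]))
                    current = None
            if current is not None:  # introduced but no fix event
                result.append((eco, name, current, None))
    return result


def lookup(vuln_id, index, api_response=None):
    """Local export first, then the supplied API body (stand-in for the JSON
    from https://api.osv.dev/v1/vulns/<ID>, passed in so this runs offline).
    Returns (status, ranges); status is 'local', 'api' or 'unreviewed_or_missing'.
    """
    record = index.get(vuln_id)
    if record is None:
        if api_response is not None and not is_osv_not_found(api_response):
            record, source = api_response, "api"
        else:
            return "unreviewed_or_missing", []
    else:
        source = "local"
    ranges = vulnerable_ranges(record)
    return (source, ranges) if ranges else ("unreviewed_or_missing", [])


if __name__ == "__main__":
    idx = load_osv_zip(build_sample_zip(SAMPLE_RECORDS))
    for vid in SAMPLE_RECORDS:
        print(vid, lookup(vid, idx))
    print("GHSA-absent", lookup("GHSA-absent", idx, OSV_NOT_FOUND))
```

The unreviewed record and the id that is absent everywhere both come back as `unreviewed_or_missing` with no ranges, which is the case the thread proposes either skipping or populating by hand from the advisory-database JSON.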