Add "CVE" ecosystem for osv.dev filtering?

[oliverchang]

Currently, it's difficult to search for converted CVE records (per https://osv.dev/blog/posts/introducing-broad-c-c++-support/) via the osv.dev UI.

Some solutions:

• We add a special "CVE" ecosystem to enable filtering by these.
• We add a "Git" ecosystem to enable filtering by all entries that include Git ranges. This will include more than just CVEs though (e.g. OSS-Fuzz ones).
• We detect and tag C/C++ relevant advisories and create a "C/C++" ecosystem.

Adding an ecosystem has the additional benefit of surfacing an additional ecosystem bubble and filter on the home osv.dev UI.

Alternatively:

• We fix search results to show advisories with IDs matching the given search prefix first.

[another-rex]

We currently have all the ecosystems roughly mutually exclusive, now the GIT count overlaps with everything else which sort of doubles the advisories in the count on the home page.

[another-rex]

An alternative could be to only apply the GIT filter for ecosystems that don't have other ecosystems already present. It is a bit weird to filter by GIT, then see PYSEC advisories.

[andrewpollock]

It also makes the all.zip in https://storage.googleapis.com/osv-vulnerabilities/index.html?prefix=GIT/ less than ideal.

[another-rex]

For future reference, the git meta-ecosystem has now been updated to only be attached to entries without any other ecosystem

[oliverchang]

Let's call this done!