BUG: OSS-Fuzz detection fails if project.yaml URL points to subfolder

[pnacht]

Describe the bug
If a repo's project.yaml file on the OSS-Fuzz repo points to a sub-folder, Scorecard's Fuzzing detection fails.

Reproduction steps
Steps to reproduce the behavior:

1. Note that google/go-cmp gets a 0/10 for Fuzzing: https://securityscorecards.dev/viewer/?uri=github.com/google%2Fgo-cmp
2. However, the project is fuzzed: https://github.com/google/oss-fuzz/tree/master/projects/go-cmp
3. However, the project.yaml points to the repo's cmp folder: main_repo: "https://github.com/google/go-cmp/cmp".

Expected behavior
Scorecard should parse the project.yaml's URL more cautiously, to ensure it always gets the correct username and repo.

Additional context
After a brief conversation with @spencerschrock, the issue seems to be here:

scorecard/clients/ossfuzz/client.go

Lines 142 to 146 in 271f0f2

	const splitLen = 2
	split := strings.SplitN(strings.Trim(u.Path, "/"), "/", splitLen)
	if len(split) != splitLen {
	return "", fmt.Errorf("%s: %w", rawURL, errMalformedURL)
	}