fix(vulnerabilities): describe last_affected version as ecosystem-specific version constraint

[Churro]

Changes

Ensures that Maven version ranges are used in allowedVersions constraints when OSV vulnerabilities specify an ecosystem-specific last_affected version. This prevents an Aggregate error exception that was thrown when advisories specify non-semver compatible versions, such as 1.2.1.2-jre17 (see discussion).

Of the OSV-supported ecosystems, this change is only required for maven and nuget. Support for nuget is missing for now as it depends on support for nuget version ranges being available.

Context

• Maven OSV entry with `last_affected` and non-standard `semver` version causes scan abort #27221
• feat(nuget): Support version ranges #26150

Documentation (please check one with an [x])

• I have updated the documentation, or
• No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

• Code inspection only, or
• Newly added/modified unit tests, or
• No unit tests but ran on a real repository, or
• Both unit tests + ran on a real repository

Test repo: renovate-demo/renovate-osv-ecosystem-lastaffected#1

[viceice]

we need to improve later to use the lowest fixed version somehow

[renovate-release]

🎉 This PR is included in version 37.192.4 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)
• 37.192.4

Your semantic-release bot 📦🚀