
feat: implement OSV vulnerability investigation with async support#4

Merged
PrasanthYT merged 3 commits into main from feature/osv-vulnerability-investigation on Mar 2, 2026

Conversation

@PrasanthYT (Contributor)

Overview

This PR introduces OSV database integration into Scanr, enabling real-time vulnerability investigation for detected dependencies.

Dependencies are now matched against the OSV database using async parallel requests, with accurate semantic version matching.

Scope

OSV API Integration

  • Integrated OSV API using reqwest

  • Structured response parsing

  • Extracted:

    • CVE ID
    • Severity
    • Description
    • References

Async Parallel Execution

  • Integrated tokio runtime
  • Implemented parallel OSV queries per dependency
  • Optimized for non-blocking CLI execution

Version Matching

  • Implemented version range comparison using semver
  • Accurate detection of affected versions
  • Prevents false positives from mismatched ranges

Core Data Model

```rust
struct Vulnerability {
    cve_id: String,            // advisory identifier returned by OSV (CVE or OSV id)
    severity: Severity,        // parsed severity level
    affected_version: String,  // the dependency version that matched the advisory range
    description: String,       // advisory summary from the OSV response
}
```

This model enables:

  • Future SBOM enrichment
  • Severity filtering
  • Risk scoring
  • Structured output formatting

CLI Integration

scanr scan . now:

  • Extracts dependencies
  • Queries OSV in parallel
  • Prints matched vulnerabilities
  • Handles clean "no vulnerabilities found" output

Validation

  • Version matching verified against sample vulnerable packages
  • No-vulnerability case handled cleanly
  • cargo build --workspace --release passes
  • CLI executes without panic
  • Async execution verified

Impact

  • Introduces real vulnerability intelligence

  • Establishes security relevance of Scanr

  • Enables future:

    • Severity filtering
    • JSON output
    • Risk scoring
    • CI integration mode

No breaking changes.

🎯 Why This Milestone Is Critical

This milestone transforms Scanr from a dependency viewer into a security analysis tool.

It directly addresses:

  • Supply chain visibility
  • Known vulnerability detection
  • Real-world security impact

PrasanthYT merged commit 5feea1c into main on Mar 2, 2026
2 checks passed
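The part of this PR that decides whether a finding is real is the semver range check: a dependency is only reported when its version falls inside an advisory's affected range, which is what stops mismatched ranges from producing false positives. The block below is an added example written for this page, not Scanr's code or the PR author's. It uses only the standard library (a production scanner would use the semver crate, as the PR does, which also orders pre-release versions correctly), models OSV's `affected[].ranges[].events` list with `introduced` / `fixed` / `last_affected` events, and runs a small `Vulnerability` model shaped like the PR's. The function names (`is_affected`, `investigate`), the `Severity` variants, and the advisory ids and package names are constructed for the example and are not real OSV data.

```rust
// Added example, not Scanr's code: std-only semantic-version comparison and
// OSV-style affected-range evaluation, i.e. the check that decides whether a
// detected dependency version really falls inside an advisory's range.
// Simplification: pre-release/build suffixes are ignored; the semver crate the
// PR uses orders them properly.

/// MAJOR.MINOR.PATCH; derived Ord compares the fields in declaration order.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version { pub major: u64, pub minor: u64, pub patch: u64 }

impl Version {
    /// Accepts "1.2.3", "v1.2.3", "1.2.3-beta+build", "1.2" or "1";
    /// returns None for non-numeric or extra components.
    pub fn parse(s: &str) -> Option<Version> {
        let core = s.trim().trim_start_matches('v');
        let core = core.split(|c| c == '-' || c == '+').next()?;
        let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
        let major = parts.next()??;
        let minor = parts.next().unwrap_or(Some(0))?;
        let patch = parts.next().unwrap_or(Some(0))?;
        if parts.next().is_some() { return None; }
        Some(Version { major, minor, patch })
    }
}

/// One entry of an OSV `affected[].ranges[].events` list (range type SEMVER).
#[derive(Debug, Clone)]
pub enum Event { Introduced(Version), Fixed(Version), LastAffected(Version) }

/// OSV semantics: events are ordered; each `introduced` opens an interval that
/// the next `fixed` (exclusive) or `last_affected` (inclusive) closes, and an
/// `introduced` with no closing event means "this and every later version".
pub fn is_affected(v: &Version, events: &[Event]) -> bool {
    let mut start: Option<&Version> = None;
    for ev in events {
        match ev {
            Event::Introduced(s) => {
                // A previous interval that was never closed is open-ended.
                if start.map_or(false, |prev| v >= prev) { return true; }
                start = Some(s);
            }
            Event::Fixed(f) => {
                if start.take().map_or(false, |s| v >= s && v < f) { return true; }
            }
            Event::LastAffected(l) => {
                if start.take().map_or(false, |s| v >= s && v <= l) { return true; }
            }
        }
    }
    start.map_or(false, |s| v >= s)
}

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity { Unknown, Low, Moderate, High, Critical }

/// Mirrors the PR's core model; `affected_version` is the version that matched.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Vulnerability {
    pub cve_id: String,
    pub severity: Severity,
    pub affected_version: String,
    pub description: String,
}

/// Minimal OSV-shaped advisory: one package with one ordered SEMVER range.
pub struct Advisory {
    pub id: &'static str,
    pub package: &'static str,
    pub severity: Severity,
    pub summary: &'static str,
    pub events: Vec<Event>,
}

fn ver(s: &str) -> Version { Version::parse(s).expect("constructed versions are valid") }

/// Constructed sample advisories; the ids and package names are made up.
pub fn sample_advisories() -> Vec<Advisory> {
    vec![
        Advisory { id: "EXAMPLE-2024-0001", package: "example-lib", severity: Severity::High,
            summary: "constructed: two affected branches, each with a fix",
            events: vec![Event::Introduced(ver("1.0.0")), Event::Fixed(ver("1.2.4")),
                         Event::Introduced(ver("2.0.0")), Event::Fixed(ver("2.0.2"))] },
        Advisory { id: "EXAMPLE-2024-0002", package: "other-lib", severity: Severity::Moderate,
            summary: "constructed: affected from the first release through 0.4.2",
            events: vec![Event::Introduced(ver("0")), Event::LastAffected(ver("0.4.2"))] },
        Advisory { id: "EXAMPLE-2024-0003", package: "unfixed-lib", severity: Severity::Critical,
            summary: "constructed: introduced in 3.0.0, no fix published",
            events: vec![Event::Introduced(ver("3.0.0"))] },
    ]
}

/// Per-dependency check: filter by package name, then by version range.
/// An unparsable version yields no match rather than a false positive.
pub fn investigate(package: &str, version: &str, advisories: &[Advisory]) -> Vec<Vulnerability> {
    let v = match Version::parse(version) { Some(v) => v, None => return Vec::new() };
    advisories.iter()
        .filter(|a| a.package == package && is_affected(&v, &a.events))
        .map(|a| Vulnerability {
            cve_id: a.id.to_string(),
            severity: a.severity,
            affected_version: version.to_string(),
            description: a.summary.to_string(),
        })
        .collect()
}
```

Calling `investigate("example-lib", "1.2.3", &sample_advisories())` returns one match and `"1.2.4"` returns none, because `fixed` is exclusive; `"1.10.0"` correctly sorts above `"1.9.9"`, which is exactly the comparison a naive string compare gets wrong and where range mismatches come from. A version the parser cannot read is treated as "no match", so a malformed manifest entry is logged as a parse problem rather than reported as a vulnerability.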