Add development dependency information to the VulnerabilityResults structure

[another-rex]

Move the logic of determining whether a DepGroup is a dev dependency to be done during the building of VulnerabilityResult that way consumers of the JSON output have access to this.

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

[another-rex]

This might now be redundant as we are moving to annotations

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.