Jamie Tanna authored
To be able to more easily get a grasp over which of your dependencies have CVEs associated with them, we can add a new `generate cve` subcommand. We can use the excellent service https://osv.dev to do the underlying checks, and record CVE numbers, whether official CVE- or issued through other ecosystems like GO- or GHSA-.

This requires a small translation layer for our dependencies, and a hand-rolled API client due to the OpenAPI 2.0 (Swagger) document not working with `oapi-codegen`, as well as the JSON Schema not working with `jsonschemagen`.

Right now, we only support the Renovate datasource, and don't provide a `report` subcommand, but the CVEs can be highlighted with:

```sql
SELECT organisation, repo, package_name, cve_id FROM renovate NATURAL JOIN osvdev_cves;
```

Closes #56.
b63bbe83
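The two pieces the commit describes, translating a Renovate dependency into an osv.dev query and pulling ecosystem IDs plus CVE- aliases out of the answer, as an added example that is not the project's own client. The `renovateToOSV` table and the sample response are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"strings"
)

// renovateToOSV maps a Renovate datasource name to an OSV ecosystem name.
// The table is an assumption for this example, not the project's own mapping.
var renovateToOSV = map[string]string{"go": "Go", "npm": "npm", "pypi": "PyPI", "maven": "Maven"}

// BuildQuery translates one Renovate dependency into the JSON body for
// POST https://api.osv.dev/v1/query.
func BuildQuery(datasource, name, version string) ([]byte, error) {
	eco, ok := renovateToOSV[datasource]
	if !ok {
		return nil, errors.New("no OSV ecosystem for Renovate datasource " + datasource)
	}
	return json.Marshal(map[string]any{
		"version": version,
		"package": map[string]string{"name": name, "ecosystem": eco},
	})
}

// VulnIDs extracts advisory IDs from a /v1/query response: each vuln's own ID
// (GO-, GHSA-, ...) plus any CVE- alias, deduplicated, in response order.
func VulnIDs(body []byte) ([]string, error) {
	var resp struct {
		Vulns []struct {
			ID      string   `json:"id"`
			Aliases []string `json:"aliases"`
		} `json:"vulns"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	var ids []string
	for _, v := range resp.Vulns {
		for _, id := range append([]string{v.ID}, v.Aliases...) {
			// keep the primary ID and CVE- aliases; skip other aliases and repeats
			if seen[id] || (id != v.ID && !strings.HasPrefix(id, "CVE-")) {
				continue
			}
			seen[id] = true
			ids = append(ids, id)
		}
	}
	return ids, nil
}
```

The same CVE can be an alias of several ecosystem advisories, which is why the deduplication matters before the IDs are joined against the `renovate` table.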