
feat(govulncheck): add Govulncheck Scanner V2 parser#15045

Open
valentijnscholten wants to merge 1 commit into
DefectDojo:bugfixfrom
valentijnscholten:govulncheck-parser-v2

Conversation

@valentijnscholten (Member) commented Jun 18, 2026

Summary

Adds a second scan type, Govulncheck Scanner V2, for the govulncheck streaming JSON format (govulncheck -format json ./...), addressing the inconsistencies reported in #15033. The original Govulncheck Scanner parser is left unchanged so existing imports keep working.

  • The original parser iterates the osv advisory definitions in the stream and creates one finding per definition. On the sample from Govulncheck JSON and SARIF Parsers Produce Inconsistent and Incorrect Results #15033 this produced 234 findings — most of them advisories that are present in the vulnerability database stream but do not actually apply to the scanned code.
  • The V2 parser iterates the finding records instead, so only vulnerabilities that actually apply to the code are imported. On the same sample it produces 72 findings.
  • The Go vulnerability database does not publish CVSS scores, so V2 derives severity from govulncheck's reachability level (kept separate per tier):
    • symbol (vulnerable symbol is called) → High
    • package (vulnerable package imported) → Low
    • module (vulnerable module required) → Info
    • On the sample: 29 High / 17 Low / 26 Info. Importing with Minimum Severity = High yields the 29 reachable vulnerabilities, matching the default govulncheck ./... output.
  • Emits one finding per (advisory, module) pair so multi-module advisories map to the correct vulnerable component (component_name / component_version populated from the trace). unique_id_from_tool is "{osv}:{module}".
  • Adds dedup configuration for the new scan type, parser documentation, a unit test, and a sample scan file from the issue.
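The record-iteration and severity mapping described in the bullets above, as an added illustration that is not the PR's own parser code and makes no claim about DefectDojo's implementation. It assumes the govulncheck stream is one JSON object per line, that `finding` records carry `osv`, `fixed_version` and a `trace` whose first frame is the vulnerable module/package/function, and that when several records cover the same (advisory, module) pair the most reachable tier wins; the sample stream is constructed.

```python
import json

# Constructed govulncheck-style stream (one JSON object per line); not taken from the PR.
# GO-2024-0001 exists only as an osv record, so it must not become a finding.
SAMPLE_STREAM = """\
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"osv":{"id":"GO-2024-0001","summary":"Advisory present in the db stream but not applicable"}}
{"osv":{"id":"GO-2024-0002","summary":"Vulnerable symbol reachable"}}
{"osv":{"id":"GO-2024-0003","summary":"Vulnerable package imported only"}}
{"finding":{"osv":"GO-2024-0002","fixed_version":"v1.5.0","trace":[{"module":"example.com/lib","version":"v1.4.0"}]}}
{"finding":{"osv":"GO-2024-0002","fixed_version":"v1.5.0","trace":[{"module":"example.com/lib","version":"v1.4.0","package":"example.com/lib/pkg"}]}}
{"finding":{"osv":"GO-2024-0002","fixed_version":"v1.5.0","trace":[{"module":"example.com/lib","version":"v1.4.0","package":"example.com/lib/pkg","function":"Parse"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
{"finding":{"osv":"GO-2024-0003","fixed_version":"v2.0.1","trace":[{"module":"example.com/other","version":"v2.0.0","package":"example.com/other/x"}]}}
{"progress":{"message":"done"}}
"""

# Reachability tier -> severity, as proposed in the PR description.
SEVERITY_BY_LEVEL = {"symbol": "High", "package": "Low", "module": "Info"}
LEVEL_RANK = {"module": 0, "package": 1, "symbol": 2}


def reachability_level(frame):
    """Classify the vulnerable frame (trace[0]): function -> symbol, package -> package, else module."""
    if frame.get("function"):
        return "symbol"
    if frame.get("package"):
        return "package"
    return "module"


def parse_govulncheck_v2(stream_text):
    """Return one finding dict per (osv, module) pair, keeping the most reachable tier seen (assumption)."""
    findings = {}
    for line in stream_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        finding = record.get("finding")  # config / osv / progress records are skipped
        if not finding or not finding.get("trace"):
            continue
        vuln_frame = finding["trace"][0]
        level = reachability_level(vuln_frame)
        key = (finding["osv"], vuln_frame.get("module", ""))
        existing = findings.get(key)
        if existing and LEVEL_RANK[existing["level"]] >= LEVEL_RANK[level]:
            continue  # a more (or equally) reachable record for this pair already won
        findings[key] = {
            "unique_id_from_tool": f"{key[0]}:{key[1]}",
            "level": level,
            "severity": SEVERITY_BY_LEVEL[level],
            "component_name": key[1],
            "component_version": vuln_frame.get("version"),
            "fixed_version": finding.get("fixed_version"),
        }
    return list(findings.values())
```

On the constructed stream this yields two findings (one High, one Low) while the three osv records alone would have yielded three, which is the over-reporting the V2 approach removes.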

Add a second scan type, Govulncheck Scanner V2, that parses the streaming
JSON output by iterating finding records instead of osv advisory
definitions. This drops advisories that do not apply to the scanned code,
derives severity from reachability level, and maps findings to components.
The original Govulncheck Scanner parser is unchanged.
@valentijnscholten valentijnscholten added this to the 3.0.100 milestone Jun 18, 2026
@github-actions github-actions Bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs unittests parser labels Jun 18, 2026
@valentijnscholten valentijnscholten marked this pull request as ready for review June 19, 2026 08:53
