feat(osv-advisory-source,validate-url): add SSRF defense for --osv-url flag

[luojiyin1987]

Summary

Adds Server-Side Request Forgery (SSRF) protection for the --osv-url flag to prevent abuse when users specify custom OSV endpoints.

Fixes #750

Problem

The --osv-url flag currently accepts any URL that passes new URL() parseability. An attacker who controls this flag could redirect outbound HTTP traffic to internal services, exfiltrating package data from lockfiles.

Solution

Implement multi-layered SSRF defense:

1. HTTPS only - HTTP URLs are rejected
2. Public IPs only - private/reserved IP ranges (RFC 1918, loopback, link-local) are blocked by default
3. Explicit opt-in - --allow-private-osv-url flag to bypass protection for trusted internal mirrors
4. No redirects - redirect: 'error' on all fetch calls to prevent redirect-based attacks

Changes

Core Implementation

• src/utils/validate-url.ts (new) - URL validation with HTTPS check, DNS resolution, private IP detection
• src/types.ts - Added allowPrivateOsvUrl?: boolean to ParsedOptions
• src/cli/args.ts - Parse --allow-private-osv-url flag
• src/cli/validate.ts - Call validateOsvUrl() in validation
• src/index.ts - Updated to async validateOptions() with await
• src/advisory/osv-advisory-source.ts - Added redirect: 'error' to both fetch calls

Tests

• tests/validate-url.test.ts (new) - 22 test cases covering HTTPS validation, DNS resolution, private IP detection
• tests/validate.test.ts - Updated to async pattern
• tests/osv-advisory-source.test.ts - Updated fetch mock expectations

Documentation

• README.md - Added usage examples
• website/docs/cli-reference.md - Added flag documentation with security note
• website/docs/corporate-proxy.md - Added SSRF protection guide for internal mirrors
• website/docs/offline-advisory-db.md - Added flag documentation
• website/docs/security-assurance-case.md - Updated A10 SSRF status

Security Considerations

• Default: Only official OSV (api.osv.dev) allowed without --osv-url
• --osv-url: Requires HTTPS and public IPs only
• --allow-private-osv-url: Explicitly bypasses protection for trusted internal mirrors
• Redirects: All blocked to prevent redirect-based SSRF attacks

Testing

Test Suites: 3 passed, 3 total
Tests:       36 passed, 36 total

Example Usage

# Official OSV (default) - no SSRF risk
cve-lite .

# Custom public endpoint
cve-lite . --osv-url https://security.example.com/osv

# Internal mirror (requires explicit bypass)
cve-lite . --osv-url https://internal-mirror.local/osv --allow-private-osv-url

---

This PR addresses Finding 2 from the security audit report.

[sonukapoor]

Good work on the layered approach — HTTPS-only plus DNS resolution plus explicit bypass is the right model for this. Two bugs in the IP pattern table need fixing before this can merge, plus a few smaller things.

Also: --allow-private-osv-url without --osv-url is silently accepted right now. A quick guard like if (options.allowPrivateOsvUrl && !options.osvUrl) with a clear error message would make the pairing explicit.

In website/docs/security-assurance-case.md, the A10 row opens with "The CLI only makes outbound HTTP requests to fixed, hardcoded endpoints" but then describes user-controlled URL behavior — those two halves contradict each other. The old wording was accurate before --osv-url existed. Worth leading with the user-controlled case and describing the mitigations directly, dropping the "fixed, hardcoded" claim.