I just closed @sw-sdiepold's PR #3394 because that particular code has gotten stale and I think we need to rework it so it's not the default behaviour, but I'm filing an issue for a feature request to revisit it so I don't forget that this had a good proposal at its core.
Sometimes, in SBOMs or elsewhere, we have components that end up with unknown version numbers. Currently, we report no CVEs associated with those.
It may be desirable to do the opposite: as in, report all CVEs for the component of that name so that people can do appropriate checks. I'm worried that depending on the component, this could be an unmanageable number of CVEs and would obfuscate more relevant results, so I don't think I want this as our default mode, but I can see how it could potentially be useful.
I'd like to suggest that we make this an optional thing that can be enabled via a config file option or a command line flag. Not sure what that flag would be... --report-cves-against-unknown-versions is a bit of a mouthful but at least it would be clear what the expected behaviour would be.
This probably would be doable by a fairly new contributor since @sw-sdiepold has already done the initial coding work for you, but please note that I would expect both documentation and tests as part of a new PR so please don't forget those!
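As an added illustration of the opt-in behaviour proposed in this issue (this is example code, not code from PR #3394 or from the project), the sketch below matches SBOM components against a small constructed CVE table. Components with an unknown version produce no findings by default; with `report_cves_against_unknown_versions=True` (named after the flag suggested above) every CVE recorded for that product name is reported, each tagged with a reason so the noisy "version unknown" matches can be told apart from real range hits. The CVE record layout, the dotted numeric version scheme and all product names and CVE ids are assumptions made for the example.

```python
"""Opt-in reporting of CVEs for SBOM components with unknown versions.

Example code written for this issue; not the project's implementation.
All CVE records, products and versions below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample CVE table: each record names a product and an inclusive
# affected version range. CVE ids are placeholders, not real advisories.
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "product": "libexample", "min": "1.0.0", "max": "1.2.3"},
    {"id": "CVE-0000-0002", "product": "libexample", "min": "2.0.0", "max": "2.0.5"},
    {"id": "CVE-0000-0003", "product": "othertool", "min": "0.1", "max": "0.9"},
]


@dataclass
class Component:
    """One SBOM entry. version None or "" models an unknown version."""
    name: str
    version: Optional[str]


@dataclass
class Finding:
    component: str
    version: Optional[str]
    cve_id: str
    reason: str  # lets a report distinguish range hits from unknown-version noise


def parse_version(text: str) -> tuple:
    # Assumption: versions are purely numeric dotted strings (e.g. "1.2.3").
    return tuple(int(part) for part in text.split("."))


def in_range(version: str, lo: str, hi: str) -> bool:
    v = parse_version(version)
    return parse_version(lo) <= v <= parse_version(hi)


def find_cves(
    components: List[Component],
    cves: List[dict],
    report_cves_against_unknown_versions: bool = False,
) -> List[Finding]:
    """Return CVE findings for the components.

    Known versions are matched against each CVE's affected range. Unknown
    versions are skipped unless the opt-in switch is set, in which case every
    CVE for the product name is reported and tagged as unverified.
    """
    findings: List[Finding] = []
    for comp in components:
        product_cves = [c for c in cves if c["product"] == comp.name]
        if not comp.version:
            if report_cves_against_unknown_versions:
                for c in product_cves:
                    findings.append(Finding(
                        comp.name, None, c["id"],
                        "version unknown: all CVEs for this product reported, verify manually",
                    ))
            continue
        for c in product_cves:
            if in_range(comp.version, c["min"], c["max"]):
                findings.append(Finding(comp.name, comp.version, c["id"],
                                        "version within affected range"))
    return findings


def count_unknown_version_findings(findings: List[Finding]) -> int:
    """How many findings are unverified unknown-version matches (noise estimate)."""
    return sum(1 for f in findings if f.version is None)


# Constructed SBOM: one pinned component and two with unknown versions.
SAMPLE_SBOM = [
    Component("libexample", "1.1.0"),
    Component("libexample", None),
    Component("othertool", ""),
]

if __name__ == "__main__":
    for enabled in (False, True):
        results = find_cves(SAMPLE_SBOM, SAMPLE_CVES, enabled)
        print(f"report_cves_against_unknown_versions={enabled}: {len(results)} finding(s), "
              f"{count_unknown_version_findings(results)} unverified")
        for f in results:
            print(f"  {f.component} {f.version or '?'} {f.cve_id}: {f.reason}")
```

Keeping the reason string on each finding is the part a report consumer cares about: with the switch on, the unverified unknown-version matches can be filtered or sorted below genuine range hits, which addresses the concern above that they would otherwise drown out the relevant results.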