Get rid of bazillions of resolved/patched packages

[sbs2001]

Security advisories usually provide a version range of packages which are vulnerable to some vulnerability. Currently we iterate over every available version of a package and check if it satisfies any of the given version range. If it satisfies this range then we treat this package version as vulnerable.

The versions which don't satisfy any range are treated as patched/resolved packages. This is wrong on many levels.
eg. consider today I found CVE-2021-xxx affecting package foo v2020 via the version range <=2020 . 10 years later I will be stating that foo v2030 is patched to CVE-2021-xxx . At that point this info is kind of garbage and redundant.

Instead for {package, vulnerability} pair there should be only one resolving/patched package, which completely fixes this vulnerability.

resolved_package should be turned into a resolving_package. This resolving_package should be related to {package, vulnerability} pair(s).

One rough design for new PackageRelatedVulnerability
https://github.com/nexB/vulnerablecode/blob/d8ce30e29c0d3257a1d00d89feb0afa753ba3f69/vulnerabilities/models.py#L176

could be

class PackageRelatedVulnerability(models.Model):

    package = models.ForeignKey(Package, on_delete=models.CASCADE)
    vulnerability = models.ForeignKey(Vulnerability, on_delete=models.CASCADE)
    resolving_package = models.ForeignKey(Package, on_delete=models.CASCADE)
    

    def __str__(self):
        return f"{self.package.package_url} {self.vulnerability.vulnerability_id}"

    class Meta:
        unique_together = ("package", "vulnerability")
        verbose_name_plural = "PackageRelatedVulnerabilities"

This also makes #207 (comment) more approachable