Map OSVDB advisories to CVE records

[StantonMatt]

Closes #487.

This maps the three source-backed OSVDB-only records I could verify to their CVE-backed records:

• handlebars-source/OSVDB-131671.yml -> CVE-2015-8861.yml, using the existing related GHSA alias 9prh-257w-9277 plus NVD/GitHub advisory references.
• mustache-js-rails/OSVDB-131671.yml -> CVE-2015-8862.yml, using the existing related GHSA alias w3w8-37jv-2c58 plus NVD/GitHub advisory references.
• spree/OSVDB-76011.yml is already represented by spree/CVE-2011-10019.yml, so this keeps the CVE file, carries over the OSVDB id and October 2011 metadata, and removes the duplicate OSVDB file.

Validation run:

• bundle _4.0.9_ exec rspec spec/schema_validation_spec.rb
• bundle _4.0.9_ exec rake lint
• yamllint gems rubies
• git diff --check origin/master...HEAD
• fresh review pass: no actionable correctness issues

[simi]

@StantonMatt we should add "absolutely no unsupervised LLMs under any circumstances" into README.md or CONTRIBUTING.md.

[StantonMatt]

Yeah, I'm using Codex. For this PR I still checked the mappings against the existing GHSA/NVD references and the current advisory files before opening it.

A project rule around generated changes needing explicit human verification and cited sources would be reasonable to me; exact wording is up to the maintainers.

[simi]

Yeah, I'm using Codex. For this PR I still checked the mappings against the existing GHSA/NVD references and the current advisory files before opening it.

A project rule around generated changes needing explicit human verification and cited sources would be reasonable to me; exact wording is up to the maintainers.

@StantonMatt can you open separate PR for that? Pick some simple wording sharing the idea of "absolutely no unsupervised LLMs under any circumstances" in this repo.

[StantonMatt]

I'll leave a separate policy PR to the maintainers rather than opening one from this data PR. If they want that change, I can keep the wording narrow around human verification and cited sources.