Migrate `vulnfeeds/cmd/ids` to use osv-schema Go bindings for vulnerability

[cuixq]

vulnfeeds/cmd/ids currently depends on osv-scanner for models.vulnerability which has been moved to osv-schema Go bindings.

vulnfeeds/cmd/ids is currently used by pypa/advisory-database and malicious-packages which supports YAML format that is not supported for now.

We should migrate vulnfeeds/cmd/ids to depend on osv-schema Go bindings with the support for YAML format.

[another-rex]

To unblock this let's just pin pypi advisory-database to the current commit on osv.dev. Then we can update our deps and when we get around to fixing the yaml generation we can unpin their workflows. malicious-packages is already pinned.

[cuixq]

I am a bit concerned about having a version with regression on YAML support even it's not used by anyone.

If we don't want this to block updating other Go dependencies, we can add some rule to renovate.json to not update osv-scanner in vulnfeeds which should unblock other dependency updates.