feat: use cmp_version improved version comparisons

[terriko]

We had been using packaging's version compare in cve-bin-tool, but it's not designed to handle versions that don't adhere to PEP440, and plenty of packages don't adhere strictly to those rules. We had some workarounds for things like openssl but we're switching to cmp_version to have a more robust version comparison system.

Replaces #2679

[terriko]

Note to self: it's not finding the 66 issues curl 7.34.0 that I'd expect to find, so there may be some logic issue with the new code. (e.g. 66 is what shows on https://www.cvedetails.com/version/517901/Haxx-Curl-7.34.0.html )

[novafacing]

Not sure if it's the cause of your issue, but there's at least one decision in cmp_version that seems quite dubious:

https://github.com/kata198/cmp_version/blob/bc295e175040684308bcc24c56ee8761825adeed/cmp_version/__init__.py#L193

I don't think 1.1a should generally be considered a higher version than 1.19, no? This would specifically break OpenSSL if they ever released a 1.1.2 because 1.1.1w would be treated as greater.

[terriko]

Darn, that's definitely not going to work. I guess I'm writing my own version compare functions, then.

[terriko]

Closing in favour of our new hope, #3470