feat: support ubutnu severity type

[hogo6002]

Resolves #1964

Note: some Ubuntu records have moved their priority tags from ecosystem-specific to severity fields, but osv.dev has failed to provide a correct severity type. For now, we check both empty severity tags and Ubuntu severity tags to see if a vulnerability has been marked as ineligible

[hogo6002]

this looks like is caused by upstream ordering? Do we put the one with the most amount of upstream at the top or the one with the least upstream at the top? UBUNTU-CVE-2022-3219 recently added an upstream field. But i think we wanted to put USN at the top, right? @jess-lowe

[codecov-commenter]

Codecov Report

❌ Patch coverage is 81.81818% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.06%. Comparing base (3eceb8a) to head (ba74167).
⚠️ Report is 464 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/utility/severity/severity.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2076   +/-   ##
=======================================
  Coverage   66.05%   66.06%           
=======================================
  Files         172      172           
  Lines       16192    16200    +8     
=======================================
+ Hits        10696    10702    +6     
- Misses       4846     4848    +2     
  Partials      650      650           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[another-rex]

LGTM! Let's just try removing the extra ignore I added last week.