perf(local): exclude withdrawn advisories as part of checking if packages are affected

[G-Rath]

Currently when doing local matching we remove withdrawn advisories before any further checks by building a dedicated new slice, which results in huge memory usage - see this comment for some profiles, but e.g. scanning our own go.mod takes up 1.5gb of memory.

I originally implemented it like this back in osv-detector as I found it interesting to include withdrawn advisories to review data quality and have their count in the output, but it's not worth this. I have actually since ended up optimizing this out of the detector anyway via G-Rath/osv-detector#216 which switched to using a map for vulnerabilities meaning I calculated the count differently, but for now this just brings over the change for fixing the memory issue.

Resolves #2217

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.55%. Comparing base (9e03ab8) to head (496f458).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2219      +/-   ##
==========================================
- Coverage   67.63%   67.55%   -0.08%     
==========================================
  Files         170      170              
  Lines       16337    16338       +1     
==========================================
- Hits        11049    11037      -12     
- Misses       4609     4621      +12     
- Partials      679      680       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.