Pure parser: osv-scanner JSON → [Finding.t()].

The osv-scanner output schema (as of 2.x):

{
  "results": [
    {
      "source": {"path": "...", "type": "lockfile"},
      "packages": [
        {
          "package": {"name": "...", "version": "...", "ecosystem": "..."},
          "groups": [{"ids": [...], "max_severity": "8.2"}],
          "vulnerabilities": [
            {
              "id": "GHSA-XXX",
              "summary": "...",
              "details": "...",
              "aliases": ["CVE-...", "GHSA-..."],
              "affected": [{"ranges": [{"events": [{"fixed": "1.11.0"}]}]}],
              "references": [{"url": "..."}]
            }
          ]
        }
      ]
    }
  ]
}

Severity comes from the package's groups[].max_severity field, which is a CVSS 3.x base score as a string. We normalize using the standard CVSS severity bands (NVD qualitative ratings).