SEMVER version advisories appearing for ecosystems with non-semver versions

[another-rex]

Describe the bug
https://osv.dev/vulnerability/MAL-2023-8369 is an example of a SEMVER affected version range in PyPI, which is not a SemVer version.

To Reproduce
Try to query the telethon2 package with any version and it will not return that advisory

Expected behaviour
The advisory to be returned

Additional context
For malicious packages specifically, they generally get removed from the repositories, so we can't enumerate versions. We need some sort of wildcard version that matches all versions, for non-semver ecosystems.

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks

[andrewpollock]

We had shades of this problem recently with the Bitnami ecosystem in bitnami/vulndb#336, because it's also essentially an "aggregator" from multiple ecosystems with disparate versioning schemes. If I recall correctly, they managed to successfully converge on SEMVER for all of their versioning.

Once #2401 is complete, this ecosystem could presumably just express ranges as ECOSYSTEM where necessary/appropriate and they wouldn't need to be coerced to SEMVER at import time?

/cc @calebbrown

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.