Support querying by both repo URL and commit hash

[oliverchang]

We've seen a few edge cases where we have incorrect git commit matching because of forking:

• git subtrees causes commits from sub-repository to be incorrectly included in parent repo commit ranges #3398
• https://osv.dev/vulnerability/CVE-2025-4432 (https://github.com/briansmith/ring is forked from boringssl and retains boringssl history).

If there's an advisory in a forked repository with introduced: 0, fixed: SHA, then it will mark the original history of the forked-from project as vulnerable also, which is likely incorrect.

To fix this, we should support queries of the form:

curl -d '{"commit": "sha", "repo": "https://github.com/foo/bar"}' "https://api.osv.dev/v1/query"

Where we reject records where the repo doesn't match.

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.