Support vulnerability analysis for multiple components #384

@richlander

Description

Summary

Add a vulnerability analysis mode that can process multiple components in one invocation, instead of requiring one package/version query at a time.

Scenarios

  • Analyze a .nuspec or .nupkg and report vulnerabilities for the package and its dependency closure.
  • Analyze a .deps.json and report vulnerabilities for every package identity/version it references.
  • Analyze a directory and report vulnerabilities for components discovered from adjacent .deps.json, .nuspec, .nupkg, or other package identity sources.

Desired behavior

  • Accept one or more file/directory inputs.
  • Preserve exact package identity and version where available.
  • Distinguish clearly between:
    • no vulnerabilities found,
    • vulnerable package/version,
    • package/version not found on the configured sources,
    • package identity could not be inferred.
  • Support existing output formats such as table, TSV, JSON, and JSONL.
  • Include advisory fields such as severity, CVE, GHSA, advisory URL, affected package, affected version, and source input path.
  • Provide an optional CI-friendly exit code, for example --fail-on-vulnerabilities.

Possible command shapes

dotnet-inspect vulnerabilities path/to/project.deps.json
dotnet-inspect vulnerabilities path/to/package.nuspec
dotnet-inspect vulnerabilities path/to/package.nupkg
dotnet-inspect vulnerabilities path/to/directory --recursive
dotnet-inspect vulnerabilities input1.deps.json input2.nupkg --jsonl

Why this helps

Vulnerability investigations often start from an application or tool payload rather than a single package. A batch mode would make it easier to audit real deployed component sets and would avoid scripting repeated single-package queries around dotnet-inspect.
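The following is an added example, not code from dotnet-inspect or from the issue author: a small Python model of the batch mode the request describes, exercising the ".deps.json" scenario and the four distinct outcomes listed under "Desired behavior". Everything it consumes is constructed inline: the .deps.json document (in the "libraries" layout the .NET SDK emits, with one deliberately malformed key), an advisory table whose CVE/GHSA identifiers are placeholders rather than real advisories, and an index standing in for "the configured sources". The status names, record fields and function names are this example's own choices.

```python
"""Batch vulnerability triage over .deps.json inputs (added example, not
dotnet-inspect code). Reads every package identity/version out of one or
more .deps.json documents and reports one of four outcomes as JSONL plus a
CI-style exit code. All inputs below are constructed; the CVE/GHSA ids are
placeholders, not real advisories."""
import json
import re

# Constructed .deps.json: "libraries" keys are "Name/Version"; "type" is
# "project" for the app itself and "package" for NuGet packages.
# "BrokenEntry" is deliberately malformed to exercise the failure path.
SAMPLE_DEPS_JSON = json.dumps({
    "targets": {".NETCoreApp,Version=v8.0": {}},
    "libraries": {
        "MyApp/1.0.0": {"type": "project", "serviceable": False},
        "Contoso.Widgets/2.3.1": {"type": "package", "path": "contoso.widgets/2.3.1"},
        "Fabrikam.Net/5.0.0-beta.2": {"type": "package", "path": "fabrikam.net/5.0.0-beta.2"},
        "Northwind.Data/1.4.0": {"type": "package", "path": "northwind.data/1.4.0"},
        "BrokenEntry": {"type": "package"},
    },
})

# Constructed advisory table (placeholder ids); affected range is [introduced, fixed).
ADVISORIES = {
    "contoso.widgets": [{"cve": "CVE-0000-0001", "ghsa": "GHSA-0000-0000-0001",
                         "severity": "high", "url": "https://example.invalid/adv/1",
                         "introduced": "2.0.0", "fixed": "2.3.2"}],
    "fabrikam.net": [{"cve": "CVE-0000-0002", "ghsa": "GHSA-0000-0000-0002",
                      "severity": "moderate", "url": "https://example.invalid/adv/2",
                      "introduced": "4.0.0", "fixed": "5.0.0"}],
}

# Constructed stand-in for the configured source: a package/version that is
# not indexed is reported as "not-found", never silently as "clean".
KNOWN_PACKAGES = {("contoso.widgets", "2.3.1"), ("fabrikam.net", "5.0.0-beta.2")}

IDENTITY_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)/(?P<version>\d[0-9A-Za-z.+-]*)$")


def parse_version(text):
    """NuGet-style version -> sortable key. Numeric parts pad to four
    (1.0 == 1.0.0.0), build metadata after '+' is ignored, a prerelease
    orders below its release, numeric prerelease ids below alphanumeric."""
    core, _, pre = text.split("+", 1)[0].partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (4 - len(nums))
    if not pre:
        return (nums, 1, ())
    ids = tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in pre.split("."))
    return (nums, 0, ids)


def components_from_deps_json(text, source):
    """(name, version, source) for every NuGet package the file references.
    Project entries are skipped; an unparseable key keeps version None so
    it is reported rather than dropped."""
    out = []
    for key, lib in json.loads(text).get("libraries", {}).items():
        if lib.get("type") != "package":
            continue
        m = IDENTITY_RE.match(key)
        out.append((m["name"], m["version"], source) if m else (key, None, source))
    return out


def classify(name, version, source):
    """One record per advisory hit, or a single record with a non-vulnerable status."""
    base = {"package": name, "version": version, "source": source,
            "severity": None, "cve": None, "ghsa": None, "advisory_url": None}
    try:
        v = parse_version(version) if version is not None else None
    except ValueError:  # e.g. "1.x": identity present but version unusable
        v = None
    if v is None:
        return [dict(base, status="identity-not-inferred")]
    key = name.lower()
    if not any(n == key and parse_version(kv) == v for n, kv in KNOWN_PACKAGES):
        return [dict(base, status="not-found")]
    hits = [a for a in ADVISORIES.get(key, ())
            if parse_version(a["introduced"]) <= v < parse_version(a["fixed"])]
    if not hits:
        return [dict(base, status="clean")]
    return [dict(base, status="vulnerable", severity=a["severity"], cve=a["cve"],
                 ghsa=a["ghsa"], advisory_url=a["url"]) for a in hits]


def scan(inputs):
    """inputs: {source_path: deps_json_text} -> flat list of records, one input after another."""
    return [r for src, text in inputs.items()
            for name, ver, s in components_from_deps_json(text, src)
            for r in classify(name, ver, s)]


def status_by_package(records):
    return {r["package"]: r["status"] for r in records}


def to_jsonl(records):
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def exit_code(records, fail_on_vulnerabilities):
    """Non-zero only when asked for and something is actually vulnerable;
    not-found and identity-not-inferred are reported, not failed on."""
    vulnerable = any(r["status"] == "vulnerable" for r in records)
    return 1 if fail_on_vulnerabilities and vulnerable else 0


if __name__ == "__main__":
    recs = scan({"app/MyApp.deps.json": SAMPLE_DEPS_JSON})
    print(to_jsonl(recs))
    raise SystemExit(exit_code(recs, fail_on_vulnerabilities=True))
```

Two points worth noting for anyone building the real thing: the prerelease ordering matters, because a 5.0.0-beta.2 build sits below the 5.0.0 fix boundary and must still be flagged; and "not-found" is kept separate from "clean" on purpose, since a package the source has never heard of (a private feed, a renamed id) is an unknown, not a pass. A stricter CI policy could fail on that status as well.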
