Git analysis: relax branch computation

[oliverchang]

Currently, our git commit enumeration relies on the commit hashes listed in the OSV record (as introduced/fixed/last_affected) to exist in git branches in the upstream repository:

• osv.dev/osv/impact.py

  Line 168 in a751ceb

  branches = sorted(repo.branches.remote)

• osv.dev/osv/impact.py

  Line 172 in a751ceb

  current_branches = _branches_with_commit(repo, limit_commit)

  (and similar in the same function).

This assumption doesn't hold in a number of cases. e.g. #2333 and #2375 (comment) to name a few.

We need to relax this requirement to instead:

1. Consider the referenced introduced/fixed/last_affected commit position as its own logical "branch" if it's not part of any upstream branches.
2. Include all tag references that isn't already covered by a branch in the analysis. This is likely less important than 1, which would solve most of the problems we've seen.

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.