fix(osvmatcher): dedupe bulk queries (#2808)

## Overview

This fixes duplicate package queries being sent in the same OSV bulk
request.

Fixes #2654

## Details

When the scan input contains the same package more than once,
`OSVMatcher` currently sends that same package/version query multiple
times to OSV. That does not change the final result, but it does add
unnecessary API work and makes larger scans do more work than needed.

This PR deduplicates equivalent OSV queries before calling
`BatchQueryPaging`, then expands the hydrated results back to the
original package order. That keeps the scanner output behavior the same
while reducing duplicate requests.

I also updated the cached matcher query collection to use the same query
key, so it does not rely on pointer identity when collecting missing
package queries.

## Testing

- Added a regression test that passes duplicate package inputs and
verifies only unique queries are sent while all original result slots
are preserved.
- Ran `go test ./internal/clients/clientimpl/osvmatcher`.
- Ran `go test ./internal/clients/clientimpl/...`.

## Checklist

- [x] I have signed the [Contributor License
Agreement](https://cla.developers.google.com/).
- [x] I have run the linter using `./scripts/run_lints.sh`.
- [x] I have run the unit tests using `go test
./internal/clients/clientimpl/...`.
- [x] I have made my commits and PR title follow the [Conventional
Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification.

---------

Co-authored-by: Rohan Patnaik <rohan-patnaik@users.noreply.github.com>
Co-authored-by: Rex P <rexpan@google.com>

Author: rohan-patnaik

cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_Docker.yaml

@@ -5,7 +5,7 @@ interactions:
       proto: HTTP/1.1
       proto_major: 1
       proto_minor: 1
-      content_length: 2036
+      content_length: 1367
       host: api.osv.dev
       body: |
         {
@@ -17,13 +17,6 @@ interactions:
               },
               "version": "3.4.3-r1"
             },
-            {
-              "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "alpine-baselayout"
-              },
-              "version": "3.4.3-r1"
-            },
             {
               "package": {
                 "ecosystem": "Alpine:v3.18",
@@ -45,13 +38,6 @@ interactions:
               },
               "version": "1.36.1-r7"
             },
-            {
-              "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "busybox"
-              },
-              "version": "1.36.1-r7"
-            },
             {
               "package": {
                 "ecosystem": "Alpine:v3.18",
@@ -73,20 +59,6 @@ interactions:
               },
               "version": "3.1.7-r0"
             },
-            {
-              "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "openssl"
-              },
-              "version": "3.1.7-r0"
-            },
-            {
-              "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "musl"
-              },
-              "version": "1.2.4-r2"
-            },
             {
               "package": {
                 "ecosystem": "Alpine:v3.18",
@@ -101,13 +73,6 @@ interactions:
               },
               "version": "1.3.7-r1"
             },
-            {
-              "package": {
-                "ecosystem": "Alpine:v3.18",
-                "name": "busybox"
-              },
-              "version": "1.36.1-r7"
-            },
             {
               "package": {
                 "ecosystem": "Alpine:v3.18",
@@ -128,7 +93,7 @@ interactions:
       proto: HTTP/2.0
       proto_major: 2
       proto_minor: 0
-      content_length: 524
+      content_length: 276
       body: |
         {
           "results": [
@@ -138,8 +103,6 @@ interactions:
             {},
             {},
             {},
-            {},
-            {},
             {
               "vulns": [
                 {
@@ -152,26 +115,6 @@ interactions:
                 }
               ]
             },
-            {
-              "vulns": [
-                {
-                  "id": "ALPINE-CVE-2024-13176",
-                  "modified": "2026-02-08T14:17:02.498117Z"
-                },
-                {
-                  "id": "ALPINE-CVE-2024-9143",
-                  "modified": "2025-12-03T22:57:50.413061Z"
-                }
-              ]
-            },
-            {
-              "vulns": [
-                {
-                  "id": "ALPINE-CVE-2025-26519",
-                  "modified": "2025-12-11T11:16:21.978419Z"
-                }
-              ]
-            },
             {
               "vulns": [
                 {
@@ -181,13 +124,12 @@ interactions:
               ]
             },
             {},
-            {},
             {}
           ]
         }
       headers:
         Content-Length:
-          - "524"
+          - "276"
         Content-Type:
           - application/json
       status: 200 OK