ossf / malicious-packages

A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.

Fix withdrawn parsing by moving ./malicious and ./withdrawn under a common directory

calebbrown opened this issue

OSV can't point at two paths for a single datasource.

This means that ./malicious and ./withdrawn can't both be parsed without also collecting all the YAML and JSON files across the rest of the repository.

To solve this issue, we can move both paths under a common directory that only contains OSV, e.g. ./osv or ./reports.

This would look like ./osv/malicious and ./osv/withdrawn.
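A layout check for the change proposed above, as an added example that is not part of the issue or the project's code. It assumes a single-path datasource picks up every .json/.yaml/.yml file below its path and that reports are stored as JSON; the sample tree, file names and report ids are constructed.

```python
import json
import tempfile
from pathlib import Path

DATA_SUFFIXES = {".json", ".yaml", ".yml"}
OSV_REQUIRED = ("id", "modified")  # required top-level fields in the OSV schema

def collected(root: Path, source_path: str) -> list[str]:
    """Files a datasource rooted at source_path would pick up (assumed: all YAML/JSON below it)."""
    base = root / source_path
    return sorted(p.relative_to(root).as_posix() for p in base.rglob("*")
                  if p.is_file() and p.suffix in DATA_SUFFIXES)

def non_osv(root: Path, source_path: str) -> list[str]:
    """Collected files that are not JSON objects carrying the required OSV fields."""
    bad = []
    for rel in collected(root, source_path):
        try:
            doc = json.loads((root / rel).read_text(encoding="utf-8"))
            ok = isinstance(doc, dict) and all(k in doc for k in OSV_REQUIRED)
        except ValueError:  # invalid JSON (YAML files included) or undecodable bytes
            ok = False
        if not ok:
            bad.append(rel)
    return bad

def build_sample(root: Path, prefix: str) -> None:
    """Constructed sample tree; package names and report ids are placeholders."""
    record = {"id": "MAL-0000-0001", "modified": "2023-01-01T00:00:00Z"}
    files = {
        f"{prefix}malicious/npm/example-pkg/MAL-0000-0001.json": json.dumps(record),
        f"{prefix}withdrawn/npm/other-pkg/MAL-0000-0002.json": json.dumps({**record, "id": "MAL-0000-0002"}),
        ".github/workflows/ci.yaml": "name: ci\n",
        "config/settings.json": json.dumps({"setting": True}),
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

def demo() -> tuple[list[str], list[str]]:
    with tempfile.TemporaryDirectory() as old, tempfile.TemporaryDirectory() as new:
        build_sample(Path(old), "")      # current layout: ./malicious, ./withdrawn
        build_sample(Path(new), "osv/")  # proposed layout: ./osv/malicious, ./osv/withdrawn
        return non_osv(Path(old), "."), non_osv(Path(new), "osv")

if __name__ == "__main__":
    print(demo())
```

Run as a CI step against the common directory, a non-empty result from `non_osv` means something other than a report has landed under the path the datasource reads.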