Closed
Description
The new version compare function isn't handling + in version numbers, so I was able to trigger a comparison error when scanning binutils.
We can probably do the same with + as we do with - and _, that is, convert it to . and treat it as a separator.
This is probably a pretty easy good first issue for someone: look in cve_bin_tool/version_compare and see where we have code like this for _ and -:
versionString = versionString.replace("_", ".")
Then add another line to change + to . too.
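
The separator handling described in this issue, as an added sketch that is not cve-bin-tool's own version_compare code: it shows a version containing + being rejected when only _ and - are converted, and parsed once + is treated the same way. The names split_version and compare_versions, the sample version string, and the rule that a letter component sorts below a number are assumptions made for the example.

```python
import re
from itertools import zip_longest

# Separators folded into "."; "+" is the one the issue proposes adding.
SEPARATORS = "_-+"


def split_version(version_string, separators=SEPARATORS):
    """Turn a version string into a list of int and lowercase str components."""
    for sep in separators:
        version_string = version_string.replace(sep, ".")
    parts = []
    for chunk in version_string.split("."):
        if not chunk:
            continue  # tolerate doubled separators such as "1.2-+3"
        if not re.fullmatch(r"[0-9A-Za-z]+", chunk):
            # An unconverted separator ends up here, e.g. "2+git20220101".
            raise ValueError(f"cannot parse version component {chunk!r}")
        # Split mixed chunks so "git20220101" becomes "git", 20220101.
        for piece in re.findall(r"[0-9]+|[A-Za-z]+", chunk):
            parts.append(int(piece) if piece.isdigit() else piece.lower())
    return parts


def compare_versions(a, b, separators=SEPARATORS):
    """Return -1, 0 or 1. Missing components count as 0; by assumption a
    letter component sorts below any number component."""
    left, right = split_version(a, separators), split_version(b, separators)
    for x, y in zip_longest(left, right, fillvalue=0):
        if x == y:
            continue
        if isinstance(x, int) == isinstance(y, int):
            return -1 if x < y else 1  # same type: numeric or lexical order
        return -1 if isinstance(x, str) else 1
    return 0


if __name__ == "__main__":
    sample = "2.35.2+git20220101"  # constructed example version string
    print(split_version(sample))
    print(compare_versions(sample, "2.36"))
    try:
        split_version(sample, separators="_-")  # behaviour without the fix
    except ValueError as err:
        print("without '+':", err)
```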