from
Creates a RetrievedProvider from a provider-metadata.json document (represented by the Provider data class) from a domain according to the retrieval rules.
CSAF standard section * 7.1.8 states that "It is possible to advertise more than one provider-metadata.json by adding multiple CSAF fields ... However, this SHOULD NOT be done and removed as soon as possible.", plus "If one of the URLs fulfills requirement 9, this MUST be used as the first CSAF entry in the security.txt."
That means, if we do not return more than one valid Provider, then the first CSAF entry in security.txt is guaranteed to be identical to the .well-known URL, hence resolution of security.txt in that case is useless unless we want to change our API such that it may resolve multiple Providers for an input domain.