CVEProject / quality-workgroup


Make CVE JSON compatible with VEX #11

Open zmanion opened 11 months ago

zmanion commented 11 months ago

From today's SPWG meeting, the current CVE JSON format (unsurprisingly) almost implements VEX, as defined here:

https://www.cisa.gov/sites/default/files/2023-04/minimum-requirements-for-vex-508c.pdf

Should CVE JSON be compatible with VEX?

At a glance, changes would need to be made to status, and some additional VEX-specific fields would need to be added, such as:

Status justification would need a definition.

See also #8 which also includes CSAF integration, which I do not think is appropriate for CVE JSON.

zmanion commented 4 days ago

This proposal should perhaps be limited to provide simplified or "direct" VEX -- so that a reader can derive VEX from CVE only for directly affected (or unaffected, or unknown) products. IOW, what CVE already is able to express, that some product or range has some status, and not that CVE records would also need to be able to reference the upstream product or vulnerability.

Yes: CVE-1 VEX says that product P is affected by CVE-1.

No: CVE-1 VEX says that product P is affected by CVE-2 because P uses upstream U which is affected by CVE-2.

The second case would be nice to have, but would require a way for a CVE record to reference the upstream product and vulnerability, which is a bigger change and should/could be handled separately.
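As an added illustration of the "direct" derivation described in this comment (example code written for this page, not code from the CVE Program or the quality-workgroup repository): walk the `affected[]` entries of a CVE JSON 5.x record and emit one VEX-style statement per product/version entry, using only what the CVE record itself states. The mapping of CVE `status` values onto the VEX status vocabulary (in particular `unknown` to `under_investigation`, and never emitting `fixed`) is an assumption of this example, not something either schema defines; the sample record, the `derive_direct_vex` and `attach_justification` helpers, and the `complete` flag are all constructed here. The point the code makes is the one the issue raises: a `not_affected` statement is incomplete VEX until a justification is attached, and CVE JSON has nowhere to carry one.

```python
"""Derive "direct" VEX statements from a CVE JSON 5.x record.

Added example for this issue thread; not CVE Program or repository code.
"""

# Assumed mapping from CVE JSON 5.x `status` values to the VEX status
# vocabulary in CISA's minimum requirements.  `fixed` has no CVE JSON
# counterpart and is never emitted; `unknown` -> `under_investigation`
# is this example's assumption, not something either schema specifies.
CVE_TO_VEX_STATUS = {
    "affected": "affected",
    "unaffected": "not_affected",
    "unknown": "under_investigation",
}

# Justification values a VEX `not_affected` statement must carry
# (CISA minimum requirements).  CVE JSON has no field for these.
VEX_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed sample record (placeholder CVE ID, fictional vendor/products).
SAMPLE_CVE = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-1900-0001", "state": "PUBLISHED"},
    "containers": {"cna": {"affected": [
        {"vendor": "ExampleVendor", "product": "P",
         "versions": [
             {"version": "1.0", "lessThan": "1.5",
              "versionType": "semver", "status": "affected"},
             {"version": "1.5", "status": "unaffected"},
         ]},
        # No versions[] at all: defaultStatus applies to every version.
        {"vendor": "ExampleVendor", "product": "Q", "defaultStatus": "unknown"},
    ]}},
}


def derive_direct_vex(record: dict) -> list[dict]:
    """One VEX-style statement per (product, version entry) in the record.

    Only the CVE's own affected[] entries are used ("direct" VEX): an
    upstream relationship (P affected because it bundles U) cannot be
    expressed by the record, so none is inferred.
    """
    cve_id = record["cveMetadata"]["cveId"]
    statements = []
    for entry in record["containers"]["cna"]["affected"]:
        product = f"{entry.get('vendor', '?')}/{entry.get('product', '?')}"
        default = entry.get("defaultStatus", "unknown")
        versions = entry.get("versions") or [{"version": "*", "status": default}]
        for v in versions:
            cve_status = v.get("status", default)
            if cve_status not in CVE_TO_VEX_STATUS:
                raise ValueError(f"{cve_id}: unknown CVE status {cve_status!r}")
            vex_status = CVE_TO_VEX_STATUS[cve_status]
            statements.append({
                "vulnerability": cve_id,
                "product": product,
                "version": v["version"],
                "lessThan": v.get("lessThan"),
                "status": vex_status,
                # The gap this issue identifies: no justification source.
                "justification": None,
                # Minimal VEX is complete only if not_affected has a justification.
                "complete": vex_status != "not_affected",
            })
    return statements


def attach_justification(stmt: dict, justification: str) -> dict:
    """Supply the justification VEX requires for not_affected (hypothetical helper)."""
    if stmt["status"] != "not_affected":
        raise ValueError("justification only applies to not_affected statements")
    if justification not in VEX_JUSTIFICATIONS:
        raise ValueError(f"unknown VEX justification {justification!r}")
    return {**stmt, "justification": justification, "complete": True}


if __name__ == "__main__":
    for s in derive_direct_vex(SAMPLE_CVE):
        flag = "" if s["complete"] else "  <-- needs justification"
        print(f"{s['vulnerability']} {s['product']} {s['version']}: {s['status']}{flag}")
```

Running the module prints the three derived statements; the `unaffected` entry for P 1.5 comes out as `not_affected` and is flagged because nothing in the CVE record can say why. `attach_justification` shows what a CVE-side field would have to hold (one of the fixed justification values) for the derived statement to meet the minimum VEX requirements.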