cisagov / cyhy-system

Cyber Hygiene system and overall documentation/issue tracking
Creative Commons Zero v1.0 Universal

Update CyHy database to capture Known Exploited Vulnerability (KEV) data #33

Closed chelsgr closed 2 years ago

chelsgr commented 2 years ago

Summary

Monitor https://www.cisa.gov/known-exploited-vulnerabilities-catalog to update the CyHy DB. Add KEVs collection and modify “tickets” collection to flag KEVs and use in notification, report, and scorecard updates.

Objectives

  1. Add new collection in the DB for “known exploited” vulnerabilities #39, #40
  2. Add KEV flag to tickets, so for each CVE the KEV can be set to either true or false depending on whether that CVE is present in the KEV catalog.
  3. For tickets collection, handle KEVs like false positives (i.e. “known exploited” key, and event entry when a CVE’s KEV status changes). Example given was addressing a typo which is later fixed.
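
The three objectives above, worked through as an added example (not CyHy project code, and not the author's): it reads a catalog in the layout of CISA's published known_exploited_vulnerabilities.json, builds documents for a new KEV collection, and sets a per-ticket flag while recording an event whenever that flag flips, the same way a false-positive change is recorded. The ticket field names (details.cve, kev, events), the event layout, the KEV collection's field names and the CVE IDs in the sample data are assumptions chosen to illustrate the issue text, not the project's schema.

```python
"""Added example: sync KEV status from the CISA catalog into CyHy-style tickets.

Not CyHy project code. Field names for tickets ("details.cve", "kev",
"events") and for the new KEV collection are assumptions; the catalog
layout follows CISA's known_exploited_vulnerabilities.json, reduced to the
fields read here. All sample data is constructed.
"""
import json
from datetime import datetime, timezone

# Constructed catalog excerpt with placeholder CVE IDs (not real KEV entries).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2000.01.01",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2000-0001", "vendorProject": "ExampleCo",
         "product": "Widget", "dateAdded": "2000-01-01",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2000-0002", "vendorProject": "ExampleCo",
         "product": "Gadget", "dateAdded": "2000-01-02",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def sample_tickets():
    """Constructed tickets in the rough shape of CyHy ticket documents:
    one unflagged CVE now in the catalog, one already flagged from an
    earlier run, one flagged CVE since dropped from the catalog, and a
    plugin finding with no CVE at all."""
    return [
        {"_id": 1, "details": {"cve": "CVE-2000-0001"}, "kev": False, "events": []},
        {"_id": 2, "details": {"cve": "CVE-2000-0002"}, "kev": True, "events": []},
        {"_id": 3, "details": {"cve": "CVE-2000-0003"}, "kev": True, "events": []},
        {"_id": 4, "details": {"cve": None}, "kev": False, "events": []},
    ]


def kev_collection_docs(catalog_json):
    """Objective 1: turn the catalog into documents for a KEV collection,
    keyed by CVE ID so ticket lookups are a single indexed read."""
    catalog = json.loads(catalog_json)
    return [
        {
            "_id": v["cveID"],
            "vendor_project": v.get("vendorProject"),
            "product": v.get("product"),
            "date_added": v.get("dateAdded"),
            "known_ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        }
        for v in catalog["vulnerabilities"]
    ]


def sync_kev_flags(tickets, kev_ids, now=None):
    """Objectives 2 and 3: set each ticket's 'kev' flag from the catalog and,
    as with a false-positive change, append an event whenever the flag flips.
    Returns the _ids of tickets whose flag changed. Re-running against the
    same catalog changes nothing, so repeated syncs do not pile up events."""
    now = now or datetime.now(timezone.utc)
    changed = []
    for ticket in tickets:
        cve = ticket.get("details", {}).get("cve")
        if not cve:
            continue  # no CVE to look up; leave the ticket untouched
        new_state = cve in kev_ids
        old_state = ticket.get("kev", False)
        if new_state == old_state:
            continue
        ticket["kev"] = new_state
        ticket.setdefault("events", []).append({
            "action": "CHANGED",
            "reason": "KEV catalog sync",
            "time": now,
            "delta": {"from": {"kev": old_state}, "to": {"kev": new_state}},
        })
        changed.append(ticket["_id"])
    return changed


def demo():
    """Run one sync, then a second one, and return what each changed."""
    tickets = sample_tickets()
    kev_ids = {doc["_id"] for doc in kev_collection_docs(SAMPLE_KEV_JSON)}
    first = sync_kev_flags(tickets, kev_ids)
    second = sync_kev_flags(tickets, kev_ids)
    return {"first_run": first, "second_run": second, "tickets": tickets}


if __name__ == "__main__":
    result = demo()
    print("changed on first sync:", result["first_run"])
    print("changed on second sync:", result["second_run"])
```

Against a live database the loop body would become an update on the tickets collection, but the check that matters is the same: a ticket whose CVE has been removed from the catalog must flip back to false with an event, and a second run with an unchanged catalog must write nothing.
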

chelsgr commented 2 years ago

Following team discussions, it was understood there would already be a ticket for any vulnerabilities found from plugins available. Therefore, removed this requirement: "This collection should create a new entry for any CVEs found in the catalog that may not yet be listed in the NVD, as there could be plugins for reserved CVEs prior to NVD publication."

Per CyHy, it sounds like they are using NVD scoring first but if any plugin didn't have an NVD score it would go off of the default score provided by Tenable. Therefore, removed this requirement: "The CyHy team is interested in discussing special handling considerations for non-NVD (reserved) CVEs around severity, in order to report KEVs that may still be in a reserved CVE status without affecting the current severity rating model."