opencybersecurityalliance / PACE

Posture Attribute Collection and Evaluation

Readme for VEX Flag use cases #23

Closed sparrell closed 2 years ago

sparrell commented 2 years ago

This sets the stage for the VEX flag use cases

davaya commented 2 years ago

As part of the process check, the README includes a note to include a link to the Healthcare PoC. Reviewers could: 1) create another PR to add the link, or 2) use the GitHub process to suggest that the PR submitter add the link: https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_healthcare_update-2021-04-29.pdf, perhaps with additional information https://healthitsecurity.com/features/using-software-bill-of-materials-sboms-for-medical-device-security

2 is by far the lower overhead approach, so please consider this a review comment.

davaya commented 2 years ago

My only other review comment is that VEX is described as a profile of CSAF (see also https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf). The relationship between SBOM documents and VEX flags is not clear; it would be helpful to include a reference to CSAF documents as a source of VEX flag values.

dpk review: Approve this PR, work on CSAF text for a future PR.

dlemire60 commented 2 years ago

I'm reading the README file on @sparrell's fork / vex0 branch for simplicity / clarity. Notes:

Neither of which is a reason not to merge this material into the PACE repo, so 👍 from me.