Risk contextualization in Openvex statements

[0x74696D]

I’m not sure this is the best way to frame it, but it would be a valuable addition to OpenVEX statements to support risk contextualization. This would allow maintainers to adjust the raw CVE severity based on context, helping bridge the gap between simple affected / not_affected statements.

For example, a contextualized_cvss or contextualized_score field could capture cases where a CVE is detected and the package is present, but the vulnerable code path is not used or is otherwise mitigated, resulting in minimal/reduced impact.

[fahedouch]

I'm glad to see that I'm not the only one requesting this feature openvex/spec#60