
Improve CVE vendor applicability triage gates #1365

Open
MAUROCERON wants to merge 1 commit into UnitOneAI:main from MAUROCERON:improve/cve-applicability-gates-1328

Conversation

@MAUROCERON

Summary

Implements #1328 by adding a CVE status and vendor-applicability gate before CVSS/KEV/EPSS/SSVC-based SLA assignment in cve-triage.

Changes

  • Adds evidence collection for CVE/NVD status, disputed/rejected tags, vendor or distro affected status, package epoch/release, CPE match confidence, and VEX/advisory evidence.
  • Adds a dedicated applicability step so rejected, disputed, vendor-not-affected, fixed-by-backport, under-investigation, and low-confidence CPE matches do not get over-prioritized from scanner severity alone.
  • Updates SLA assignment and report output to include applicability result and confidence before remediation timelines.
  • Adds edge-case fixtures for rejected CVEs, vendor-not-affected code paths, disputed CVEs without vendor evidence, distro backports, container base-tag false positives, broad CPE matches, and under-investigation advisories.

Validation

  • Markdown fence balance checked locally for both changed files.
  • Remote branch content fetched and checked for marker presence plus encoding corruption.
  • Duplicate check: issue "[REVIEW] cve-triage: add disputed CVE and vendor-applicability evidence gates" #1328 has no comments, and no visible PR matched the search `1328 OR CVE disputed vendor applicability` before this submission.
  • Official references checked with HTTP 200: NVD Vulnerability Status, NVD CVE API, Ubuntu OSV/CVE status mapping, and Red Hat vulnerability management/backporting guidance.

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms.
  • Preferred payment method: Payment details can be provided privately after maintainer acceptance.
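As an added worked example (not code from this PR or from the cve-triage project), the gate order the description above lists, written out in Python: rejected, vendor/VEX not-affected, fixed-by-backport, under-investigation, low-confidence CPE match and disputed-without-vendor-evidence are all decided before any CVSS/KEV/EPSS-based SLA is computed. The field names, status vocabularies, SLA thresholds, the placeholder CVE ids in the fixtures and the simplified package version ordering are assumptions made for the illustration.

```python
"""Applicability gate ahead of severity-based SLA assignment (added illustration,
not cve-triage's own code). Field names, status vocabularies, SLA thresholds and the
simplified package version ordering are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Evidence:
    cve_id: str
    nvd_status: str                         # e.g. "Analyzed", "Rejected", "Awaiting Analysis"
    disputed: bool = False                  # CNA/NVD "disputed" tag present
    vendor_status: Optional[str] = None     # "affected" | "not_affected" | "fixed" | "under_investigation"
    vex_status: Optional[str] = None        # same vocabulary, taken from a VEX statement when one exists
    fixed_version: Optional[str] = None     # distro/vendor fixed version, "epoch:upstream-release"
    installed_version: Optional[str] = None
    cpe_match_confidence: float = 1.0       # 1.0 exact product+version; < 0.5 wildcard/broad match
    cvss: float = 0.0
    epss: float = 0.0
    in_kev: bool = False


@dataclass
class Applicability:
    result: str        # "applicable" | "not_applicable" | "needs_review"
    confidence: str    # "high" | "medium" | "low"
    reason: str


def parse_pkg_version(v: str):
    """'epoch:upstream-release' -> comparable tuple (simplified; not full rpm/dpkg ordering)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, release = rest.partition("-")
    def segs(s):  # numeric segments sort before alphabetic ones; never compares int with str
        return tuple((0, int(x)) if x.isdigit() else (1, x) for x in s.split(".") if x)
    return (int(epoch), segs(upstream), segs(release))


def assess_applicability(ev: Evidence) -> Applicability:
    """Runs before any CVSS/KEV/EPSS/SSVC-based SLA is assigned."""
    if ev.nvd_status.lower() == "rejected":
        return Applicability("not_applicable", "high", "CVE rejected in NVD")
    vendor = ev.vex_status or ev.vendor_status     # a VEX statement outranks a generic vendor page
    if vendor == "not_affected":
        return Applicability("not_applicable", "high", "vendor/VEX status: not affected")
    if vendor == "fixed" and ev.fixed_version and ev.installed_version:
        if parse_pkg_version(ev.installed_version) >= parse_pkg_version(ev.fixed_version):
            return Applicability("not_applicable", "high",
                                 f"fixed by distro backport in {ev.fixed_version}")
        return Applicability("applicable", "high",
                             f"installed {ev.installed_version} older than fix {ev.fixed_version}")
    if vendor == "under_investigation":
        return Applicability("needs_review", "medium", "vendor still investigating")
    if ev.cpe_match_confidence < 0.5:
        return Applicability("needs_review", "low", "broad CPE match; product/version unconfirmed")
    if ev.disputed and vendor is None:
        return Applicability("needs_review", "medium", "disputed CVE with no vendor evidence")
    if vendor == "affected":
        return Applicability("applicable", "high", "vendor confirms affected")
    return Applicability("applicable", "medium", "no contrary evidence; scanner match only")


def assign_sla_days(ev: Evidence) -> Optional[int]:
    """Severity-based SLA (assumed thresholds), only for findings that pass the gate."""
    if assess_applicability(ev).result != "applicable":
        return None
    if ev.in_kev:
        return 7
    if ev.cvss >= 9.0 or ev.epss >= 0.5:
        return 14
    if ev.cvss >= 7.0:
        return 30
    return 90


def triage(ev: Evidence) -> dict:
    app = assess_applicability(ev)
    return {"cve": ev.cve_id, "applicability": app.result, "confidence": app.confidence,
            "reason": app.reason, "sla_days": assign_sla_days(ev)}


# Constructed fixtures with placeholder ids, mirroring the edge cases the PR describes.
FIXTURES = [
    Evidence("CVE-0000-0001", "Rejected", cvss=9.8),
    Evidence("CVE-0000-0002", "Analyzed", vex_status="not_affected", cvss=9.1, in_kev=True),
    Evidence("CVE-0000-0003", "Analyzed", disputed=True, cvss=7.5),
    Evidence("CVE-0000-0004", "Analyzed", vendor_status="fixed",
             fixed_version="1:1.1.1k-5", installed_version="1:1.1.1k-7", cvss=7.5),
    Evidence("CVE-0000-0005", "Analyzed", cpe_match_confidence=0.3, cvss=9.8),
    Evidence("CVE-0000-0006", "Awaiting Analysis", vendor_status="under_investigation", cvss=8.1),
    Evidence("CVE-0000-0007", "Analyzed", vendor_status="affected", cvss=8.8, in_kev=True),
]

if __name__ == "__main__":
    for ev in FIXTURES:
        print(triage(ev))
```

The point of the ordering is that a 9.8 CVSS score or a KEV listing never reaches `assign_sla_days` unless the finding survives the gate; the backport case (upstream version still "vulnerable", distro release already carries the fix) is decided on the package epoch/release, not on the scanner's upstream version string.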
