Improve SBOM graph completeness and VEX credibility gates#1555

Open
ManuelSalcedo2770 wants to merge 1 commit into UnitOneAI:main from ManuelSalcedo2770:improve/sbom-graph-vex-freshness
Conversation

@ManuelSalcedo2770

/claim #1535

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: sbom-analysis
Skill path: skills/vuln-management/sbom-analysis/

What Was Wrong

Issue #1535 documented that sbom-analysis could rate an SBOM as complete even when transitive dependencies were only flat-listed, and that the VEX output did not distinguish vendor-attested Not Affected statements from consumer-verified evidence. It also mentioned SBOM freshness/trustworthiness and stale Under Investigation VEX entries as pitfalls, but the skill did not require those fields in the structured output.

What This PR Fixes

  • Adds a graph_completeness dimension to the NTIA completeness assessment, with Complete Graph / Partial Graph / Flat List / Missing Graph ratings.
  • Adds VEX credibility and stale-investigation gates, including consumer_verified, third_party_verified, vendor_attested, and not_verified statuses.
  • Adds SBOM freshness and trustworthiness assessment for age, version lag, CVE scan currency, generation source, provenance evidence, and signer identity.
  • Updates overall classification criteria and output format so graph gaps, stale VEX, stale SBOMs, and missing provenance affect the final rating.
  • Adds primary references for SLSA, in-toto, and Sigstore/cosign provenance.

Evidence

Before (skill misses this / false positive on this):

sbom_format: CycloneDX 1.5
ntia_completeness_rating: Complete
components:
  direct: 12
  transitive: 30
observed_issue: transitive components are listed, but no parent-child graph can trace which direct dependency introduced them

After (now correctly handled):

graph_completeness:
  root_component_identified: true
  traceable_components: "13/42"
  flat_list_indicator: true
  graph_completeness_rating: Flat List
ntia_completeness_rating: Partial

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing checks still pass

Added fixtures:

  • flat-transitive-cyclonedx.json demonstrates a flat-list SBOM that should not be treated as graph-complete.
  • vendor-attested-stale-vex.json demonstrates vendor-attested Not Affected plus stale Under Investigation VEX states.
  • traceable-cyclonedx-with-provenance.json demonstrates a benign traceable dependency graph with generation/provenance evidence.
  • consumer-verified-vex.json demonstrates a benign VEX entry with consumer verification evidence.

Validation

  • git diff --check
  • JSON parse validation for all four fixtures
  • Markdown fence balance check for SKILL.md
  • Required marker checks for graph_completeness, VEX credibility, stale investigation, freshness, provenance, and trustworthiness
  • Local frontmatter validation matching .github/workflows/lint-skills.yml
  • Local prompt-injection scan matching .github/workflows/injection-scan.yml

Bounty Tier

  • Minor ($50) — Doc update, small logic tweak, typo fix
  • Moderate ($100) — New edge case coverage, FP reduction with evidence
  • Substantial ($150) — Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: PayPal (details can be provided privately after maintainer acceptance)

Closes #1535
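To make the two gates described in the PR concrete, here is an added example (not code from the sbom-analysis skill or the UnitOneAI repository) that walks a CycloneDX `dependencies` graph from the root component and emits the `graph_completeness` fields shown in the Evidence section, and that flags stale `under_investigation` VEX statements. The SBOM and the OpenVEX-style statements are constructed inline; the rating thresholds, the counting convention (root excluded from `traceable_components`, so the flat-list case reads `12/42` rather than the `13/42` in the PR body), and the 30-day staleness window are assumptions of this example, not values taken from the skill.

```python
"""Added example: graph-completeness and stale-VEX gates over constructed data.

Not the skill's own code. Rating rules, the root-excluded counting convention and the
30-day staleness window are assumptions of this example.
"""
from collections import deque
from datetime import datetime, timedelta, timezone

ROOT_REF = "pkg:generic/app@1.0.0"  # constructed root component reference


def make_sbom(with_transitive_edges: bool) -> dict:
    """Build a constructed CycloneDX 1.5 document: 12 direct and 30 transitive components.

    with_transitive_edges=False reproduces the flat-list case: the dependency graph only
    carries root -> direct edges, so no transitive component can be tied to a parent.
    """
    direct = [f"pkg:generic/direct-{i}@1.0.0" for i in range(12)]
    transitive = [f"pkg:generic/transitive-{i}@1.0.0" for i in range(30)]
    dependencies = [{"ref": ROOT_REF, "dependsOn": direct}]
    if with_transitive_edges:
        # Spread the transitive components over the direct ones, three per parent (constructed).
        for i, parent in enumerate(direct):
            children = transitive[3 * i:3 * i + 3]
            if children:
                dependencies.append({"ref": parent, "dependsOn": children})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"bom-ref": ROOT_REF, "name": "app", "version": "1.0.0"}},
        "components": [
            {"bom-ref": ref, "name": ref.split("/")[1].split("@")[0], "version": "1.0.0"}
            for ref in direct + transitive
        ],
        "dependencies": dependencies,
    }


def assess_graph_completeness(sbom: dict) -> dict:
    """Walk the dependency graph from the root and rate how much of the SBOM is traceable."""
    root_ref = (sbom.get("metadata") or {}).get("component", {}).get("bom-ref")
    component_refs = {c["bom-ref"] for c in sbom.get("components", []) if c.get("bom-ref")}
    edges = {d["ref"]: list(d.get("dependsOn") or []) for d in sbom.get("dependencies") or []}
    result = {
        "root_component_identified": root_ref is not None,
        "traceable_components": f"0/{len(component_refs)}",
        "flat_list_indicator": False,
        "graph_completeness_rating": "Missing Graph",
    }
    if root_ref is None or root_ref not in edges:
        return result  # no root, or no edges leaving it: nothing can be traced
    # Breadth-first walk; record the depth at which each component is first reached.
    depth = {root_ref: 0}
    queue = deque([root_ref])
    while queue:
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)
    traceable = component_refs & set(depth)
    untraceable = component_refs - traceable
    # Assumed rule: only root -> direct edges (depth <= 1) plus untraceable components = flat list.
    flat = max(depth.values()) <= 1 and bool(untraceable)
    if not untraceable:
        rating = "Complete Graph"
    elif flat:
        rating = "Flat List"
    else:
        rating = "Partial Graph"
    result.update({
        "traceable_components": f"{len(traceable)}/{len(component_refs)}",
        "flat_list_indicator": flat,
        "graph_completeness_rating": rating,
    })
    return result


# Constructed OpenVEX-style statements with placeholder vulnerability ids (not real CVEs).
VEX_STATEMENTS = [
    {"vulnerability": {"name": "CVE-0000-00001"}, "status": "under_investigation",
     "timestamp": "2024-01-01T00:00:00Z"},
    {"vulnerability": {"name": "CVE-0000-00002"}, "status": "under_investigation",
     "timestamp": "2024-03-01T00:00:00Z"},
    {"vulnerability": {"name": "CVE-0000-00003"}, "status": "not_affected",
     "timestamp": "2024-01-01T00:00:00Z"},
]
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)  # fixed clock so the example is deterministic


def find_stale_vex(statements: list, now: datetime, max_age_days: int = 30) -> list:
    """Return ids of under_investigation statements older than max_age_days (assumed window)."""
    stale = []
    for s in statements:
        if s.get("status") != "under_investigation":
            continue
        issued = datetime.fromisoformat(s["timestamp"].replace("Z", "+00:00"))
        if now - issued > timedelta(days=max_age_days):
            stale.append(s["vulnerability"]["name"])
    return stale


if __name__ == "__main__":
    for label, sbom in (("flat", make_sbom(False)), ("traceable", make_sbom(True))):
        print(label, assess_graph_completeness(sbom))
    print("stale VEX:", find_stale_vex(VEX_STATEMENTS, NOW))
```

Running it, the flat-list SBOM rates `Flat List` with `12/42` traceable and `flat_list_indicator: true`, while the SBOM with parent edges rates `Complete Graph` at `42/42`; dropping a single parent's edge list from the complete graph yields `Partial Graph`, which is the distinction the PR's new dimension is meant to surface.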

Successfully merging this pull request may close these issues.

[REVIEW] sbom-analysis: add graph completeness, VEX credibility, and freshness/trustworthiness gates

1 participant