
Add CVE affectedness evidence gates #1626

Open
alejandrorivas-pixel wants to merge 1 commit into UnitOneAI:main from alejandrorivas-pixel:improve/cve-triage-backport-runtime-gates

Conversation

@alejandrorivas-pixel

Bounty type

Skill Improvement bounty

Modified skill

skills/vuln-management/cve-triage/SKILL.md

Issue

Closes #1623

What was missing

cve-triage had strong CVSS/SSVC/EPSS/KEV prioritization, but it did not force reviewers to validate whether the exact deployed artifact is actually affected before assigning an SLA. That can over-prioritize distro/vendor backports, stale scanner results, build-only dependencies, dormant packages, or artifacts where the vulnerable code path is not reachable.

What changed

  • Added Step 1A: Affectedness, Vendor Fixed Status, and Runtime Reachability.
  • Added CVE-AFFECT-01 through CVE-AFFECT-06 gates for upstream-version false positives, backports, runtime reachability, deployment stage, artifact identity, and stale/scopeless VEX evidence.
  • Added an Affectedness and Package Evidence output table.
  • Tightened de-escalation guardrails so fixed/not-affected decisions require current evidence tied to the exact deployed artifact.
  • Added benign and vulnerable fixtures for vendor-backported packages and upstream-version scanner findings without proof.

Validation

  • git diff --check
  • git diff --cached --check
  • Markdown fence-balance check for touched files and fixtures
  • ASCII check for touched files and fixtures
  • Required marker checks for version: "1.1.0", Step 1A, CVE-AFFECT-01 through CVE-AFFECT-06, and Affectedness and Package Evidence
  • Added-line sensitive-pattern scan; no real secrets or payment data included
  • Reference URL checks returned HTTP 200 for Red Hat Security Data, Debian Security Tracker, and Ubuntu CVE Tracker

Payment

Payment details can be provided privately after maintainer acceptance.
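The de-escalation rules the PR describes (an upstream-version match is not proof, a distro backport counts only for the exact package version, VEX claims must be in scope and current, and evidence must be tied to the deployed artifact's digest) can be made mechanical. The script below is an added example written for this page; it is not code from the cve-triage skill or the UnitOneAI repository. The mapping of gate IDs CVE-AFFECT-01 to -06 to specific rules, the 30-day freshness window, the data shapes, the simplified dpkg-style version ordering and the sample findings (placeholder CVE ID, placeholder digests) are all assumptions constructed for illustration.

```python
# Added example: affectedness evidence gates for CVE triage findings.
# Not the cve-triage skill's own logic; gate mapping, thresholds, data shapes
# and sample inputs are assumptions made for this illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import re

_TOKEN = re.compile(r"\d+|\D+")
MAX_EVIDENCE_AGE_DAYS = 30  # assumption: older vendor/VEX evidence must be re-checked


def version_key(v: str):
    """Ordering key for a Debian-style version 'epoch:upstream-revision'.
    Digit runs compare numerically, other runs lexically. Simplified: dpkg's
    '~' rule is not implemented, so only compare versions of the same series."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.partition("-")
    def part(s):
        return [(int(t), "") if t.isdigit() else (-1, t) for t in _TOKEN.findall(s)]
    return (int(epoch), part(upstream), part(revision))


def _fresh(d: Optional[date], today: date) -> bool:
    return d is not None and (today - d).days <= MAX_EVIDENCE_AGE_DAYS


@dataclass
class Finding:
    cve: str
    package: str
    installed: str              # version inside the deployed artifact
    artifact_digest: str        # digest of the exact deployed image/binary
    upstream_fixed: str         # upstream version the scanner matched on
    stage: str = "prod"         # "prod" | "staging" | "build"
    loaded_at_runtime: Optional[bool] = None  # None = no reachability evidence


@dataclass
class Evidence:
    artifact_digest: Optional[str] = None   # artifact the evidence was collected from
    vendor_status: Optional[str] = None     # "fixed" | "vulnerable" per distro tracker
    vendor_fixed_in: Optional[str] = None   # first fixed distro version (the backport)
    vendor_checked: Optional[date] = None
    vex_status: Optional[str] = None        # e.g. "not_affected"
    vex_products: tuple = ()                # artifact digests the VEX statement covers
    vex_issued: Optional[date] = None


def evaluate(f: Finding, e: Evidence, today: date) -> dict:
    """Return {'decision', 'sla', 'gates'} for one finding; gates list what fired."""
    gates = []
    # CVE-AFFECT-05: package evidence must be tied to this exact artifact.
    if e.artifact_digest is not None and e.artifact_digest != f.artifact_digest:
        gates.append("CVE-AFFECT-05: evidence from a different artifact digest; discarded")
        e = Evidence()
    # CVE-AFFECT-06: a VEX not_affected claim must name this artifact and be current.
    vex_ok = (e.vex_status == "not_affected" and f.artifact_digest in e.vex_products
              and _fresh(e.vex_issued, today))
    if e.vex_status == "not_affected" and not vex_ok:
        gates.append("CVE-AFFECT-06: VEX not_affected is stale or not scoped to this artifact; rejected")
    # CVE-AFFECT-02: a vendor backport counts only if installed >= the fixed distro version.
    vendor_ok = (e.vendor_status == "fixed" and e.vendor_fixed_in is not None
                 and version_key(f.installed) >= version_key(e.vendor_fixed_in)
                 and _fresh(e.vendor_checked, today))
    if e.vendor_status == "fixed" and not vendor_ok:
        gates.append("CVE-AFFECT-02: vendor fix claim is stale or installed < fixed version; rejected")
    if vendor_ok or vex_ok:
        return {"decision": "not_affected", "sla": "none", "gates": gates}
    # CVE-AFFECT-01: an upstream-version match alone proves nothing either way.
    if not (e.vendor_status == "vulnerable" and _fresh(e.vendor_checked, today)):
        gates.append("CVE-AFFECT-01: only an upstream-version match; need vendor status before SLA")
        return {"decision": "needs_evidence", "sla": "hold", "gates": gates}
    sla = "assign"
    # CVE-AFFECT-04: build-only artifacts do not ship; defer until shown to be deployed.
    if f.stage == "build":
        gates.append("CVE-AFFECT-04: build-stage only; defer SLA until shown to ship")
        sla = "defer"
    # CVE-AFFECT-03: reachability evidence can lower priority but never clears the finding.
    if f.loaded_at_runtime is False:
        gates.append("CVE-AFFECT-03: package not loaded at runtime; de-escalate, keep tracked")
        sla = "defer"
    elif f.loaded_at_runtime is None:
        gates.append("CVE-AFFECT-03: reachability unknown; treat as reachable")
    return {"decision": "affected", "sla": sla, "gates": gates}


def sample_results() -> dict:
    """Run the gates over constructed findings (placeholder CVE ID and digests)."""
    today = date(2025, 6, 1)
    fresh = today - timedelta(days=3)
    digest = "sha256:aaaa"
    backport = Finding("CVE-EXAMPLE-0001", "openssl", "3.0.11-1~deb12u2", digest, "3.0.12")
    return {
        "backport": evaluate(backport, Evidence(digest, "fixed", "3.0.11-1~deb12u1", fresh), today),
        "no_evidence": evaluate(backport, Evidence(), today),
        "stale_vex": evaluate(backport, Evidence(vex_status="not_affected", vex_products=(digest,),
                                                 vex_issued=today - timedelta(days=200)), today),
        "wrong_artifact": evaluate(backport, Evidence("sha256:bbbb", "fixed", "3.0.11-1~deb12u1", fresh), today),
        "build_only": evaluate(Finding("CVE-EXAMPLE-0001", "openssl", "3.0.11-1", digest, "3.0.12",
                                       stage="build", loaded_at_runtime=False),
                               Evidence(digest, "vulnerable", None, fresh), today),
        "prod": evaluate(Finding("CVE-EXAMPLE-0001", "openssl", "3.0.11-1", digest, "3.0.12"),
                         Evidence(digest, "vulnerable", None, fresh), today),
    }


if __name__ == "__main__":
    for name, result in sample_results().items():
        print(name, result)
```

The design point is the asymmetry the PR asks for: "not_affected" is reachable only through fresh evidence bound to the artifact digest (a qualifying backport or an in-scope VEX statement), while an upstream-version match with nothing else lands in "needs_evidence" rather than either clearing the finding or starting an SLA clock. Reachability and deployment stage only adjust the SLA of a confirmed-affected finding; they never flip it to not affected.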

Development

Successfully merging this pull request may close these issues.

[REVIEW] cve-triage: add distro backport and runtime reachability evidence gates

2 participants