
Improve SBOM graph completeness and VEX credibility gates #1551

Open
shapris wants to merge 1 commit into UnitOneAI:main from shapris:codex/sbom-analysis-graph-vex-freshness

Conversation


@shapris shapris commented Jun 6, 2026

Closes #1535

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: sbom-analysis
Skill path: skills/vuln-management/sbom-analysis/

What Was Wrong

The skill already checks NTIA minimum fields, VEX statuses, transitive dependency risk, and license conflicts, but #1535 highlights several gaps that can make a technically valid SBOM look more useful than it is:

  • a flat list of transitive components can pass NTIA field checks without a usable dependency graph;
  • VEX Not Affected entries can be treated as equally credible even when they are only vendor-attested;
  • stale Under Investigation VEX entries are not explicitly escalated;
  • SBOM freshness and build trustworthiness are mentioned as pitfalls but not represented in the structured output.

What This PR Fixes

This PR updates sbom-analysis to add:

  • a graph completeness gate for traceable transitive dependency paths;
  • VEX credibility fields including verification_status, verification_evidence, verification_date, and vex_credibility;
  • stale VEX detection for unresolved Under Investigation entries;
  • structured SBOM freshness and trustworthiness checks;
  • a new examples file with vulnerable and benign calibration cases.

Evidence

Before (SBOM fields present but graph not useful):

ntia_minimum_elements:
  dependency_relationship: 100%
dependency_graph:
  graph_depth: 1
  transitive_parent_linkage: missing

After (now separately classified):

graph_completeness:
  graph_completeness_rating: Flat List
  transitive_parent_linkage: missing
  finding: NTIA fields present, graph incomplete

Before (VEX status treated as enough):

vex:
  status: Not Affected
  justification: vulnerable_code_not_in_execute_path

After (now credibility-scored):

vex:
  status: Not Affected
  verification_status: vendor_attested
  vex_credibility: Medium
  action: verify reachability before closing critical risk

Test Cases Added/Updated

  • Added vulnerable examples in sbom-quality-examples.md
  • Added benign examples in sbom-quality-examples.md
  • Existing markdown structure validated locally

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Crypto or PayPal, to be provided privately after acceptance

Validation

  • git diff --check passed locally.
  • Markdown fence balance checked locally.
  • Required markers checked locally: graph completeness, VEX credibility, freshness/trustworthiness, graph_completeness_rating, verification_status, vex_credibility, sbom_age_category, and stale_vex.
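To make the four gates described above concrete, here is an added example checker. It is not the sbom-analysis skill's own code and not part of the PR; it runs against two constructed CycloneDX-shaped SBOMs (a flat list and a linked graph) plus a few constructed VEX entries. The output keys graph_completeness_rating, transitive_parent_linkage, verification_status, vex_credibility, sbom_age_category and stale_vex come from the PR text; the staleness thresholds, the credibility table, and the rating names other than "Flat List" are assumptions.

```python
"""Added example: a minimal checker for the gates the PR describes.
Not the sbom-analysis skill's code. Output keys taken from the PR text:
graph_completeness_rating, transitive_parent_linkage, verification_status,
vex_credibility, sbom_age_category, stale_vex. Thresholds, the credibility
table and the rating names other than "Flat List" are assumptions."""
from datetime import date

TODAY = date(2026, 6, 6)          # fixed so the example is reproducible
STALE_VEX_DAYS = 30               # assumption: Under Investigation older than this is stale
FRESH_DAYS, AGING_DAYS = 30, 180  # assumption: SBOM age buckets

# Assumed credibility table keyed by who verified a Not Affected claim
CREDIBILITY = {"independently_verified": "High", "vendor_attested": "Medium", "unverified": "Low"}

# Constructed CycloneDX-shaped samples, not real artifacts.
FLAT_SBOM = {  # every component hangs off the root: fields complete, graph unusable
    "metadata": {"component": {"bom-ref": "app"}, "timestamp": "2026-01-15"},
    "components": [{"bom-ref": r} for r in ("libA", "libB", "libC")],
    "dependencies": [{"ref": "app", "dependsOn": ["libA", "libB", "libC"]}],
}
GRAPH_SBOM = {  # same components with their real parent linkage recorded
    "metadata": {"component": {"bom-ref": "app"}, "timestamp": "2026-06-01"},
    "components": [{"bom-ref": r} for r in ("libA", "libB", "libC")],
    "dependencies": [
        {"ref": "app", "dependsOn": ["libA"]},
        {"ref": "libA", "dependsOn": ["libB"]},
        {"ref": "libB", "dependsOn": ["libC"]},
    ],
}


def graph_completeness(sbom):
    """Separate 'dependency field present' from 'dependency graph usable'."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    comps = {c["bom-ref"] for c in sbom["components"]}
    depth, stack = {root: 0}, [root]
    while stack:                              # depth-first walk from the root
        node = stack.pop()
        for child in edges.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                stack.append(child)
    reachable = comps & set(depth)
    pct = round(100 * len(reachable) / len(comps)) if comps else 0
    # Parent linkage exists only if some non-root component declares children
    linked = any(children for parent, children in edges.items() if parent != root)
    if not linked:
        rating = "Flat List"
    elif reachable == comps:
        rating = "Traceable"
    else:
        rating = "Partial"
    return {
        "dependency_relationship": f"{pct}%",
        "graph_depth": max((depth[c] for c in reachable), default=0),
        "transitive_parent_linkage": "present" if linked else "missing",
        "graph_completeness_rating": rating,
    }


def score_vex(entry, today=TODAY):
    """Credibility for Not Affected, staleness for Under Investigation."""
    out = {"status": entry["status"]}
    if entry["status"] == "Not Affected":
        vs = entry.get("verification_status", "unverified")
        cred = CREDIBILITY.get(vs, "Low")
        if not (entry.get("verification_evidence") and entry.get("verification_date")):
            cred = "Low"                      # a claim without evidence is only a claim
        out.update(verification_status=vs, vex_credibility=cred)
        if cred != "High":
            out["action"] = "verify reachability before closing critical risk"
    elif entry["status"] == "Under Investigation":
        age = (today - date.fromisoformat(entry["last_updated"])).days
        out["stale_vex"] = age > STALE_VEX_DAYS
        if out["stale_vex"]:
            out["action"] = f"escalate: unresolved for {age} days"
    return out


def sbom_age_category(sbom, today=TODAY):
    age = (today - date.fromisoformat(sbom["metadata"]["timestamp"])).days
    return "fresh" if age <= FRESH_DAYS else "aging" if age <= AGING_DAYS else "stale"


if __name__ == "__main__":
    for name, sbom in (("flat", FLAT_SBOM), ("graph", GRAPH_SBOM)):
        print(name, graph_completeness(sbom), sbom_age_category(sbom))
    print(score_vex({"status": "Not Affected", "verification_status": "vendor_attested",
                     "verification_evidence": "vendor advisory", "verification_date": "2026-05-20"}))
    print(score_vex({"status": "Under Investigation", "last_updated": "2026-04-01"}))
```

The flat SBOM reports dependency_relationship 100% and graph_completeness_rating "Flat List" at the same time, which is exactly the gap the PR's first evidence block shows: NTIA field coverage says nothing about whether a transitive path can be traced. A vendor-attested Not Affected with evidence scores Medium and still carries the "verify reachability" action; the same status with no evidence or date drops to Low regardless of who asserted it.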


Successfully merging this pull request may close these issues.

[REVIEW] sbom-analysis: add graph completeness, VEX credibility, and freshness/trustworthiness gates