Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.

src/Aoc/__Tests/StellaOps.Aoc.Tests/AocWriteGuardTests.cs

@@ -27,12 +27,42 @@ public sealed class AocWriteGuardTests
         }
         """);
 
-        var result = Guard.Validate(document.RootElement);
-
-        Assert.True(result.IsValid);
-        Assert.Empty(result.Violations);
-    }
-
+        var result = Guard.Validate(document.RootElement);
+
+        Assert.True(result.IsValid);
+        Assert.Empty(result.Violations);
+    }
+
+    [Fact]
+    public void Validate_AllowsLinksAndAdvisoryKey_ByDefault()
+    {
+        using var document = JsonDocument.Parse("""
+        {
+          "tenant": "default",
+          "source": {"vendor": "osv"},
+          "upstream": {
+            "upstream_id": "GHSA-xxxx",
+            "content_hash": "sha256:abc",
+            "signature": { "present": false }
+          },
+          "content": {
+            "format": "OSV",
+            "raw": {"id": "GHSA-xxxx"}
+          },
+          "linkset": {},
+          "links": [
+            { "scheme": "cve", "value": "CVE-2025-0001" }
+          ],
+          "advisory_key": "ghsa-xxxx"
+        }
+        """);
+
+        var result = Guard.Validate(document.RootElement);
+
+        Assert.True(result.IsValid);
+        Assert.Empty(result.Violations);
+    }
+
     [Fact]
     public void Validate_FlagsMissingTenant()
     {