Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.

src/Signals/StellaOps.Signals/Models/ReachabilityFactDocument.cs

@@ -0,0 +1,98 @@
+using System;
+using System.Collections.Generic;
+using MongoDB.Bson;
+using MongoDB.Bson.Serialization.Attributes;
+
+namespace StellaOps.Signals.Models;
+
+public sealed class ReachabilityFactDocument
+{
+    [BsonId]
+    [BsonRepresentation(BsonType.ObjectId)]
+    public string Id { get; set; } = ObjectId.GenerateNewId().ToString();
+
+    [BsonElement("callgraphId")]
+    public string CallgraphId { get; set; } = string.Empty;
+
+    [BsonElement("subject")]
+    public ReachabilitySubject Subject { get; set; } = new();
+
+    [BsonElement("entryPoints")]
+    public List<string> EntryPoints { get; set; } = new();
+
+    [BsonElement("states")]
+    public List<ReachabilityStateDocument> States { get; set; } = new();
+
+    [BsonElement("metadata")]
+    [BsonIgnoreIfNull]
+    public Dictionary<string, string?>? Metadata { get; set; }
+
+    [BsonElement("computedAt")]
+    public DateTimeOffset ComputedAt { get; set; }
+
+    [BsonElement("subjectKey")]
+    [BsonRequired]
+    public string SubjectKey { get; set; } = string.Empty;
+}
+
+public sealed class ReachabilityStateDocument
+{
+    [BsonElement("target")]
+    public string Target { get; set; } = string.Empty;
+
+    [BsonElement("reachable")]
+    public bool Reachable { get; set; }
+
+    [BsonElement("confidence")]
+    public double Confidence { get; set; }
+
+    [BsonElement("path")]
+    public List<string> Path { get; set; } = new();
+
+    [BsonElement("evidence")]
+    public ReachabilityEvidenceDocument Evidence { get; set; } = new();
+}
+
+public sealed class ReachabilityEvidenceDocument
+{
+    [BsonElement("runtimeHits")]
+    public List<string> RuntimeHits { get; set; } = new();
+
+    [BsonElement("blockedEdges")]
+    [BsonIgnoreIfNull]
+    public List<string>? BlockedEdges { get; set; }
+}
+
+public sealed class ReachabilitySubject
+{
+    [BsonElement("imageDigest")]
+    [BsonIgnoreIfNull]
+    public string? ImageDigest { get; set; }
+
+    [BsonElement("component")]
+    [BsonIgnoreIfNull]
+    public string? Component { get; set; }
+
+    [BsonElement("version")]
+    [BsonIgnoreIfNull]
+    public string? Version { get; set; }
+
+    [BsonElement("scanId")]
+    [BsonIgnoreIfNull]
+    public string? ScanId { get; set; }
+
+    public string ToSubjectKey()
+    {
+        if (!string.IsNullOrWhiteSpace(ScanId))
+        {
+            return ScanId!;
+        }
+
+        if (!string.IsNullOrWhiteSpace(ImageDigest))
+        {
+            return ImageDigest!;
+        }
+
+        return string.Join('|', Component ?? string.Empty, Version ?? string.Empty).Trim('|');
+    }
+}

src/Signals/StellaOps.Signals/Models/ReachabilityRecomputeRequest.cs

@@ -0,0 +1,26 @@
+using System.Collections.Generic;
+
+namespace StellaOps.Signals.Models;
+
+public sealed class ReachabilityRecomputeRequest
+{
+    public string CallgraphId { get; set; } = string.Empty;
+
+    public ReachabilitySubject Subject { get; set; } = new();
+
+    public List<string> EntryPoints { get; set; } = new();
+
+    public List<string> Targets { get; set; } = new();
+
+    public List<string>? RuntimeHits { get; set; }
+
+    public List<ReachabilityBlockedEdge>? BlockedEdges { get; set; }
+
+    public Dictionary<string, string?>? Metadata { get; set; }
+}
+
+public sealed class ReachabilityBlockedEdge
+{
+    public string From { get; set; } = string.Empty;
+    public string To { get; set; } = string.Empty;
+}