Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.

src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/CryptoProGostCryptoProvider.cs

@@ -0,0 +1,87 @@
+using System;
+using System.Collections.Generic;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using StellaOps.Cryptography;
+using StellaOps.Cryptography.Plugin.Pkcs11Gost;
+
+namespace StellaOps.Cryptography.Plugin.CryptoPro;
+
+public sealed class CryptoProGostCryptoProvider : ICryptoProvider, ICryptoProviderDiagnostics
+{
+    private readonly Pkcs11GostProviderCore core;
+
+    public CryptoProGostCryptoProvider(
+        IOptions<CryptoProGostProviderOptions>? optionsAccessor = null,
+        ILogger<CryptoProGostCryptoProvider>? logger = null)
+    {
+        var options = optionsAccessor?.Value ?? new CryptoProGostProviderOptions();
+        var mappedKeys = new List<Pkcs11GostKeyOptions>(options.Keys.Count);
+        foreach (var key in options.Keys)
+        {
+            mappedKeys.Add(MapToPkcs11Options(key));
+        }
+
+        core = new Pkcs11GostProviderCore("ru.cryptopro.csp", mappedKeys, logger);
+    }
+
+    public string Name => core.ProviderName;
+
+    public bool Supports(CryptoCapability capability, string algorithmId)
+    {
+        if (capability is CryptoCapability.Signing or CryptoCapability.Verification)
+        {
+            return core.SupportsAlgorithm(algorithmId);
+        }
+
+        return false;
+    }
+
+    public IPasswordHasher GetPasswordHasher(string algorithmId)
+        => throw new NotSupportedException("CryptoPro provider does not expose password hashing.");
+
+    public ICryptoSigner GetSigner(string algorithmId, CryptoKeyReference keyReference)
+    {
+        ArgumentNullException.ThrowIfNull(keyReference);
+        var entry = core.Resolve(keyReference.KeyId);
+        if (!string.Equals(entry.AlgorithmId, algorithmId, StringComparison.OrdinalIgnoreCase))
+        {
+            throw new InvalidOperationException(
+                $"Signing key '{keyReference.KeyId}' is registered for algorithm '{entry.AlgorithmId}', not '{algorithmId}'.");
+        }
+
+        return new Pkcs11GostSigner(entry);
+    }
+
+    public void UpsertSigningKey(CryptoSigningKey signingKey)
+        => throw new NotSupportedException("CryptoPro keys are managed externally.");
+
+    public bool RemoveSigningKey(string keyId) => false;
+
+    public IReadOnlyCollection<CryptoSigningKey> GetSigningKeys()
+        => Array.Empty<CryptoSigningKey>();
+
+    public IEnumerable<CryptoProviderKeyDescriptor> DescribeKeys()
+        => core.DescribeKeys(Name);
+
+    private static Pkcs11GostKeyOptions MapToPkcs11Options(CryptoProGostKeyOptions source)
+    {
+        ArgumentNullException.ThrowIfNull(source);
+
+        return new Pkcs11GostKeyOptions
+        {
+            KeyId = source.KeyId,
+            Algorithm = source.Algorithm,
+            LibraryPath = source.LibraryPath,
+            SlotId = source.SlotId,
+            TokenLabel = source.TokenLabel,
+            PrivateKeyLabel = source.ContainerLabel,
+            UserPin = source.UserPin,
+            UserPinEnvironmentVariable = source.UserPinEnvironmentVariable,
+            SignMechanismId = source.SignMechanismId,
+            CertificateThumbprint = source.CertificateThumbprint,
+            CertificateStoreLocation = source.CertificateStoreLocation.ToString(),
+            CertificateStoreName = source.CertificateStoreName.ToString()
+        };
+    }
+}