Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.

tests/reachability/StellaOps.Replay.Core.Tests/ReplayManifestExtensionsTests.cs

@@ -0,0 +1,41 @@
+using System.Text.Json;
+using FluentAssertions;
+using StellaOps.Replay.Core;
+using Xunit;
+
+namespace StellaOps.Replay.Core.Tests;
+
+public sealed class ReplayManifestExtensionsTests
+{
+    [Fact]
+    public void AddsReachabilityEvidence()
+    {
+        var manifest = new ReplayManifest
+        {
+            Scan = new ReplayScanMetadata { Id = "scan-1" }
+        };
+
+        manifest.AddReachabilityGraph(new ReplayReachabilityGraphReference
+        {
+            Kind = "static",
+            Analyzer = "scanner/java",
+            CasUri = "cas://replay/graph",
+            Sha256 = "abc",
+            Version = "1.0"
+        });
+
+        manifest.AddReachabilityTrace(new ReplayReachabilityTraceReference
+        {
+            Source = "zastava",
+            CasUri = "cas://replay/trace",
+            Sha256 = "def"
+        });
+
+        manifest.Reachability.Should().NotBeNull();
+        manifest.Reachability!.Graphs.Should().HaveCount(1);
+        manifest.Reachability.RuntimeTraces.Should().HaveCount(1);
+
+        var json = JsonSerializer.Serialize(manifest);
+        json.Should().Contain("\"reachability\"");
+    }
+}

tests/reachability/StellaOps.Replay.Core.Tests/StellaOps.Replay.Core.Tests.csproj

@@ -0,0 +1,21 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <LangVersion>preview</LangVersion>
+    <IsPackable>false</IsPackable>
+  </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.10.0" />
+    <PackageReference Include="xunit" Version="2.7.0" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.8">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+    </PackageReference>
+    <PackageReference Include="FluentAssertions" Version="6.12.0" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="../../../src/__Libraries/StellaOps.Replay.Core/StellaOps.Replay.Core.csproj" />
+  </ItemGroup>
+</Project>