Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.

tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/case.json

@@ -0,0 +1,46 @@
+{
+  "id": "python-urllib3-dos-regex-TBD",
+  "cve": "N/A",
+  "description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
+  "threat_model": {
+    "entry_points": [
+      "STUB: define concrete inputs"
+    ],
+    "preconditions": [
+      "STUB: feature flags / modules / protocols enabled"
+    ],
+    "privilege_boundary": [
+      "STUB: describe boundary (if any)"
+    ]
+  },
+  "ground_truth": {
+    "reachable_variant": {
+      "status": "affected",
+      "evidence": {
+        "symbols": [
+          "sym://python:python.c#sink"
+        ],
+        "paths": [
+          [
+            "sym://net:handler#read",
+            "sym://python:python.c#entry",
+            "sym://python:python.c#sink"
+          ]
+        ],
+        "runtime_proof": "traces.runtime.jsonl: lines 1-5"
+      }
+    },
+    "unreachable_variant": {
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "evidence": {
+        "pruning_reason": [
+          "STUB: feature disabled, module absent, or policy denies"
+        ],
+        "blocked_edges": [
+          "sym://python:python.c#entry -> sym://python:python.c#sink"
+        ]
+      }
+    }
+  }
+}