docs: add CVE applicability evidence gates#1364

Open
catcherintheroad-hub wants to merge 1 commit into UnitOneAI:main from catcherintheroad-hub:improve/cve-disputed-applicability

Conversation

@catcherintheroad-hub


Summary

  • Adds a CVE record status and product applicability gate before CVSS/EPSS/SSVC SLA assignment.
  • Documents handling for rejected, disputed, modified, deferred, vendor not affected, fixed/backported, weak CPE match, and unknown/conflicting applicability cases.
  • Adds edge-case fixtures covering rejected IDs, vendor not affected, distro backports, and disputed records.

Created from review issue

Fixes #1328

What was wrong

Scanner severity and CPE matches could be converted into emergency remediation SLAs before confirming whether the CVE record is usable, disputed/rejected, or applicable to the installed product/package. This can over-prioritize false positives such as rejected IDs, vendor not affected advisories, fixed distro backports, or optional code paths that are not present.

What changed

  • Added Step 1A to require CVE status, NVD API status, vendor/VEX applicability, product match, version evidence, backport/epoch checks, and code-path presence.
  • Added decision impacts for rejected, disputed, fixed, not affected, under investigation, weak CPE, and conflicting-source cases.
  • Added an output table so final reports preserve the applicability decision and supporting evidence.
  • Added tests in skills/vuln-management/cve-triage/tests/disputed-applicability-edge-cases.md.

Validation

  • git diff --check
  • Added-line non-ASCII scan
  • Added-line prompt-injection marker scan
  • Markdown code-fence balance check
  • Reference URL checks for CVE dispute policy and NVD pages
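As an added illustration of the Step 1A gate this PR describes (example code written for this page, not part of the cve-triage skill or the UnitOneAI repository), the function below takes the evidence the PR lists (CVE List state, NVD API status, vendor/VEX statement, product match quality, version evidence) and decides whether a CVE may proceed to CVSS/EPSS/SSVC SLA assignment. The NVD vulnStatus and CSAF/VEX product_status values are the documented ones; the `CveEvidence` record, its field names, and the fixture data are assumptions made for this example, and the fixtures use placeholder IDs rather than real CVEs. It also applies the reviewer's suggestion from this thread: `Modified` is recorded as evidence but does not by itself hold the SLA.

```python
# Added example (not the project's own code): a minimal Step 1A applicability gate.
# NVD_STATUSES and VEX_STATUSES are the documented value sets; CveEvidence, its
# field names and the FIXTURES below are assumptions constructed for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# NVD API vulnStatus values; "Unknown" is used when the lookup returned nothing.
NVD_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis",
                "Analyzed", "Modified", "Deferred", "Rejected"}
# CSAF/VEX product_status categories consulted by the gate.
VEX_STATUSES = {"known_affected", "known_not_affected", "fixed", "under_investigation"}
# NVD statuses that hold the SLA until authoritative evidence exists. "Modified"
# is deliberately absent: it marks a post-enrichment update, not a dispute.
HOLD_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis", "Deferred"}


@dataclass
class CveEvidence:
    """Evidence collected for one CVE/asset pair before any SLA is assigned (assumed shape)."""
    cve_id: str
    cve_list_state: str                      # CVE List state: PUBLISHED, REJECTED, RESERVED
    nvd_status: str                          # NVD vulnStatus or "Unknown"
    disputed: bool = False                   # record carries the "disputed" tag
    vex_status: Optional[str] = None         # vendor/distro VEX statement, if any
    product_match: str = "none"              # scanner CPE match quality: exact, weak, none
    version_in_range: Optional[bool] = None  # installed version inside the affected range?
    replacement_cve: Optional[str] = None    # ID named in a rejection reason, if any


@dataclass
class Decision:
    assign_sla: bool
    reason: str
    evidence: List[str] = field(default_factory=list)


def applicability_gate(ev: CveEvidence) -> Decision:
    """Return whether this CVE may proceed to CVSS/EPSS/SSVC SLA assignment."""
    if ev.nvd_status != "Unknown" and ev.nvd_status not in NVD_STATUSES:
        raise ValueError(f"{ev.cve_id}: unexpected NVD status {ev.nvd_status!r}")
    if ev.vex_status is not None and ev.vex_status not in VEX_STATUSES:
        raise ValueError(f"{ev.cve_id}: unexpected VEX status {ev.vex_status!r}")
    notes = [f"cve_list={ev.cve_list_state}", f"nvd={ev.nvd_status}",
             f"vex={ev.vex_status}", f"match={ev.product_match}"]

    # 1. Rejected records get no SLA; if a replacement is named, triage that ID instead.
    if ev.cve_list_state == "REJECTED" or ev.nvd_status == "Rejected":
        reason = "rejected record, no SLA"
        if ev.replacement_cve:
            reason += f"; triage {ev.replacement_cve} instead"
        return Decision(False, reason, notes)
    if ev.cve_list_state == "RESERVED":
        return Decision(False, "reserved record with no public details", notes)

    # 2. An authoritative vendor/distro VEX statement outranks a scanner CPE match.
    if ev.vex_status == "known_not_affected":
        return Decision(False, "vendor VEX: not affected", notes)
    if ev.vex_status == "fixed":
        return Decision(False, "vendor VEX: fixed (e.g. distro backport)", notes)

    # 3. Disputed or not-yet-analyzed records need authoritative evidence to escalate.
    authoritative = ev.vex_status == "known_affected" or (
        ev.product_match == "exact" and ev.version_in_range is True)
    if (ev.disputed or ev.nvd_status in HOLD_STATUSES) and not authoritative:
        return Decision(False, "hold: disputed/unanalyzed record lacks authoritative evidence", notes)

    # 4. Product and version evidence for the installed package.
    if ev.product_match == "none":
        return Decision(False, "no product match for this asset", notes)
    if ev.version_in_range is False:
        return Decision(False, "installed version outside affected range", notes)
    if ev.vex_status != "known_affected":
        if ev.product_match == "weak":
            return Decision(False, "weak CPE match needs vendor confirmation", notes)
        if ev.version_in_range is None:
            return Decision(False, "version evidence missing", notes)
    return Decision(True, "applicable: proceed to CVSS/EPSS/SSVC SLA assignment", notes)


# Constructed fixtures (placeholder IDs) mirroring the edge cases listed in the PR.
FIXTURES = [
    CveEvidence("CVE-0000-0001", "REJECTED", "Rejected", product_match="exact",
                version_in_range=True, replacement_cve="CVE-0000-0002"),
    CveEvidence("CVE-0000-0003", "PUBLISHED", "Analyzed", vex_status="known_not_affected",
                product_match="exact", version_in_range=True),
    CveEvidence("CVE-0000-0004", "PUBLISHED", "Analyzed", vex_status="fixed",
                product_match="exact", version_in_range=True),
    CveEvidence("CVE-0000-0005", "PUBLISHED", "Analyzed", disputed=True, product_match="weak"),
    CveEvidence("CVE-0000-0006", "PUBLISHED", "Modified", product_match="exact",
                version_in_range=True),
    CveEvidence("CVE-0000-0007", "PUBLISHED", "Undergoing Analysis",
                vex_status="known_affected", product_match="weak"),
]


def run_fixtures() -> Dict[str, bool]:
    """Map each fixture CVE ID to whether the gate lets it proceed to SLA assignment."""
    return {ev.cve_id: applicability_gate(ev).assign_sla for ev in FIXTURES}


if __name__ == "__main__":
    for ev in FIXTURES:
        d = applicability_gate(ev)
        print(f"{ev.cve_id}: assign_sla={d.assign_sla} ({d.reason}) {d.evidence}")
```

The `notes` list returned in each `Decision` is what the PR's output table is meant to preserve: the record status, the VEX statement and the match quality that justified holding or escalating, so a later reader can see why a scanner "critical" did not become an emergency SLA.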

@chatgpt-codex-connector (bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2f16f68fde


1. Check the CVE record status from NVD and the CVE List when available.
2. If the record is `Rejected`/`REJECTED`, do not assign an SLA to that CVE ID. Treat it as invalid unless a replacement CVE is named in the rejection reason.
3. If the record is `Disputed`, `Modified`, `Deferred`, or `Undergoing Analysis`, require authoritative evidence before escalation: vendor advisory, CNA statement, affected-version table, VEX/CSAF status, or distro security tracker entry.


P2: Don't gate all Modified NVD records

When the NVD API returns Modified, this instruction treats the CVE like a disputed or incomplete record and requires extra authoritative evidence before escalation. The NVD status reference linked by this file defines Modified as a post-enrichment update, not an applicability dispute, so valid high-risk CVEs that are merely updated after analysis can be held out of Immediate/Out-of-Cycle handling unless separate vendor evidence is available. Reserve this gate for disputed/deferred/awaiting/undergoing-analysis signals, or record Modified without blocking escalation.


```
CVE Status and Applicability:
- CVE Record Status: [Published | Modified | Rejected | Disputed | Reserved | Deferred | Unknown]
- NVD API Status: [Analyzed | Modified | Rejected | Deferred | Awaiting Analysis | Unknown]
```


P2: Include all NVD API statuses in the output choices

The NVD API status set includes Received and UndergoingAnalysis, but this output template omits both, even though Step 1A specifically gates Undergoing Analysis. For newly published or actively enriched CVEs, the agent has to report Unknown instead of the actual NVD status, which loses the evidence explaining why an SLA was held or escalated. Add those statuses here and in the final report table so the applicability decision remains traceable.



Development

Successfully merging this pull request may close these issues.

[REVIEW] cve-triage: add disputed CVE and vendor-applicability evidence gates

1 participant