feat(vex): add support for OWASP Risk Ratings in VEX documents#10193

Open
fahedouch wants to merge 2 commits into aquasecurity:main from fahedouch:feature/vex-ratings-support

Conversation

@fahedouch
Why this change?

The CycloneDX spec now recommends that tools consider ratings when prioritizing vulnerabilities (spec PR #722):

"Consumers SHOULD consider ratings in prioritization decisions"

This PR lets Trivy use context-aware OWASP Risk Ratings from CycloneDX VEX documents. These ratings are generated by tools like vens (available in the Trivy plugin index) and provide context-specific risk scores based on factors like network exposure, data sensitivity, etc.

What's changed

  • Added an OWASPRating field to DetectedVulnerability (optional with omitempty)
  • VEX processing now enriches vulnerabilities with OWASP ratings from CycloneDX VEX ratings blocks

Example output

{
  "VulnerabilityID": "CVE-2011-3374",
  "Severity": "LOW",
  "OWASPRating": {
    "score": 27.5,
    "severity": "medium",
    "vector": "SL:7/M:7/O:7/S:7/ED:4/EE:4/A:4/ID:5/LC:5/LI:5/LAV:5/LAC:5/FD:5/RD:5/NC:5/PV:5"
  }
}

Why this matters

This brings context-aware vulnerability prioritization to Trivy. The same CVE can have different risk scores depending on how and where it's deployed. For example, a vulnerability in an internet-facing service is way more critical than the same one buried in an isolated internal component.

This complements the generic CVSS approach with environment-specific assessment, which aligns with what the CycloneDX spec now recommends. And it's fully backward compatible, so existing workflows won't be affected.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

Signed-off-by: Fahed Dorgaa <fahed.dorgaa@gmail.com>
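To make the enrichment described above concrete, here is an added example (written for this page, not code from the PR or from Trivy) that reads the `ratings` block of a CycloneDX VEX document and copies an OWASP Risk Rating onto a detected vulnerability, producing the same JSON shape as the example output. The type names and JSON tags mirror the PR's output but are this example's assumptions; so is the choice to recognise OWASP ratings by the CycloneDX rating `method` value "OWASP". The vector is validated against the 16 factors of the OWASP Risk Rating Methodology (8 likelihood, 8 impact, each 0..9) before a rating is accepted, because a VEX file is external input and a malformed rating should not silently reprioritise a finding. The VEX document embedded below is constructed for the example; `EXAMPLE-0001` is a placeholder ID used only to show a rejected rating.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// OWASPRating and DetectedVulnerability mirror the PR's example output; names and tags are this example's assumptions.
type OWASPRating struct {
	Score    float64 `json:"score"`
	Severity string  `json:"severity"`
	Vector   string  `json:"vector"`
}
type DetectedVulnerability struct {
	VulnerabilityID string       `json:"VulnerabilityID"`
	Severity        string       `json:"Severity"`
	OWASPRating     *OWASPRating `json:"OWASPRating,omitempty"`
}

// cdxVEX is the subset of a CycloneDX VEX document needed here; field names follow the CycloneDX JSON schema.
type cdxVEX struct {
	Vulnerabilities []struct {
		ID      string `json:"id"`
		Ratings []struct {
			Method   string  `json:"method"`
			Score    float64 `json:"score"`
			Severity string  `json:"severity"`
			Vector   string  `json:"vector"`
		} `json:"ratings"`
	} `json:"vulnerabilities"`
}

// owaspFactors holds the 16 OWASP Risk Rating factors (8 likelihood, 8 impact) a vector must carry.
var owaspFactors = map[string]bool{"SL": true, "M": true, "O": true, "S": true, "ED": true, "EE": true,
	"A": true, "ID": true, "LC": true, "LI": true, "LAV": true, "LAC": true, "FD": true, "RD": true, "NC": true, "PV": true}
// ParseOWASPVector validates "SL:7/M:7/.../PV:5": every factor exactly once, integer 0..9, nothing else.
func ParseOWASPVector(vector string) (map[string]int, error) {
	factors := make(map[string]int, len(owaspFactors))
	for _, part := range strings.Split(vector, "/") {
		name, val, ok := strings.Cut(part, ":")
		if !ok || !owaspFactors[name] {
			return nil, fmt.Errorf("unknown or malformed component %q", part)
		}
		if _, dup := factors[name]; dup {
			return nil, fmt.Errorf("factor %s repeated", name)
		}
		v, err := strconv.Atoi(val)
		if err != nil || v < 0 || v > 9 {
			return nil, fmt.Errorf("factor %s: value %q not in 0..9", name, val)
		}
		factors[name] = v
	}
	if len(factors) != len(owaspFactors) {
		return nil, fmt.Errorf("vector has %d of %d factors", len(factors), len(owaspFactors))
	}
	return factors, nil
}

// EnrichWithRatings attaches the first valid OWASP rating per vulnerability ID. Assumption: OWASP
// ratings carry CycloneDX method "OWASP". Malformed ratings are dropped: the VEX file is untrusted input.
func EnrichWithRatings(vexJSON []byte, vulns []DetectedVulnerability) error {
	var doc cdxVEX
	if err := json.Unmarshal(vexJSON, &doc); err != nil {
		return fmt.Errorf("parse VEX: %w", err)
	}
	byID := map[string]*OWASPRating{}
	for _, v := range doc.Vulnerabilities {
		for _, r := range v.Ratings {
			if _, err := ParseOWASPVector(r.Vector); r.Method != "OWASP" || err != nil || byID[v.ID] != nil {
				continue // not OWASP, invalid vector, or this ID already has a rating
			}
			byID[v.ID] = &OWASPRating{Score: r.Score, Severity: strings.ToLower(r.Severity), Vector: r.Vector}
		}
	}
	for i := range vulns {
		if r := byID[vulns[i].VulnerabilityID]; r != nil {
			vulns[i].OWASPRating = r
		}
	}
	return nil
}

// SampleVEX is a constructed CycloneDX VEX document for this example; EXAMPLE-0001 is a placeholder ID.
const SampleVEX = `{"bomFormat":"CycloneDX","specVersion":"1.6","vulnerabilities":[
 {"id":"CVE-2011-3374","ratings":[{"method":"other","severity":"low"},
  {"method":"OWASP","score":27.5,"severity":"medium",
   "vector":"SL:7/M:7/O:7/S:7/ED:4/EE:4/A:4/ID:5/LC:5/LI:5/LAV:5/LAC:5/FD:5/RD:5/NC:5/PV:5"}]},
 {"id":"EXAMPLE-0001","ratings":[{"method":"OWASP","score":80,"severity":"critical","vector":"SL:9/BOGUS"}]}]}`

func main() {
	vulns := []DetectedVulnerability{{VulnerabilityID: "CVE-2011-3374", Severity: "LOW"}, {VulnerabilityID: "EXAMPLE-0001", Severity: "HIGH"}}
	if err := EnrichWithRatings([]byte(SampleVEX), vulns); err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(vulns, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints the first finding with an `OWASPRating` block identical to the PR's example output and the second without one, since its vector fails validation. The score is taken from the document as-is rather than recomputed from the vector, because the page does not state how the rating tool derives it.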
@fahedouch fahedouch requested a review from knqyf263 as a code owner February 13, 2026 18:27
…re specified

Signed-off-by: Fahed Dorgaa <fahed.dorgaa@gmail.com>
@github-actions github-actions bot added the apidiff Indicates Go API changes relevant to library consumers (CLI compatibility may be unaffected) label Feb 13, 2026
@github-actions
github-actions bot commented Feb 13, 2026

📊 API Changes Detected

Semver impact: major

github.com/aquasecurity/trivy/pkg/types
  Compatible changes:
  - DetectedVulnerability.OWASPRating: added
  - OWASPRating: added

github.com/aquasecurity/trivy/pkg/vex
  Incompatible changes:
  - VEX.EnrichWithRatings: added
  Compatible changes:
  - (*CSAF).EnrichWithRatings: added
  - (*CycloneDX).EnrichWithRatings: added
  - (*OpenVEX).EnrichWithRatings: added
  - (*RepositorySet).EnrichWithRatings: added
  - (*SBOMReferenceSet).EnrichWithRatings: added
  - Statement.OWASPRating: added

@aqua-bot aqua-bot requested a review from a team February 13, 2026 18:32