Include different narrower policies so users can configure how they want output data modified (if at all) #2

Open
JosiahOne opened this issue Jan 9, 2023 · 0 comments
@JosiahOne
Contributor

Include different narrower policies so users can configure how they want output data modified (if at all). Some options:

In general:

- Option to treat "unknowns" (e.g. no patch available for analysis) as "predicted as relevant" (conservative)
- Option to treat "unknowns" as "predicted as NOT relevant" (noise reduction)

For the error code:

- Exit code equals how many vulns were predicted to affect the project
- Exit code equals how many vulns were not predicted to affect the project
- Always return 0

For the krefst output data:

- Increase CVSS for each vuln if predicted to affect the project
- Reduce CVSS for each vuln if predicted to not affect the project

For the CycloneDX output data (severities):

- Add new vuln rating (a Narrow rating) with CVSS score increased if vuln is predicted to affect the project
- Add new vuln rating (a Narrow rating) with CVSS score decreased if vuln is predicted to not affect the project

For the CycloneDX output data (analysis):

- Assign exploitable for each vuln predicted to affect the project
- Assign not_affected (and justification set to code_not_reachable) for each vuln predicted to not affect the project
- Assign in-triage if unknown
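The policies proposed above, as an added worked example that is not code from the krefst project: a small Python function that annotates a constructed CycloneDX 1.4 vulnerability list with the proposed analysis states and Narrow ratings and derives the exit code. It uses the CycloneDX schema spellings (`in_triage`, `not_affected`, `code_not_reachable`); the prediction-map format, the placeholder CVE ids and the Narrow rating's `method`/`source` values are assumptions.

```python
import copy

# Constructed CycloneDX 1.4 BOM fragment; the CVE ids are placeholders, not real advisories.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "ratings": [{"score": 7.5, "severity": "high", "method": "CVSSv31"}]},
        {"id": "CVE-0000-0002", "ratings": [{"score": 5.3, "severity": "medium", "method": "CVSSv31"}]},
        {"id": "CVE-0000-0003", "ratings": [{"score": 9.8, "severity": "critical", "method": "CVSSv31"}]},
    ],
}
# Hypothetical prediction output: True = predicted to affect the project, False = predicted
# not to, absent = unknown (e.g. no patch was available for analysis).
SAMPLE_PREDICTIONS = {"CVE-0000-0001": True, "CVE-0000-0002": False}


def narrow_rating(base_score, affected, delta):
    """Extra 'Narrow' rating with the CVSS score nudged up (affected) or down (not affected).
    method='other' and source name 'narrow' are assumed values, clamped to the 0-10 CVSS range."""
    score = min(10.0, base_score + delta) if affected else max(0.0, base_score - delta)
    return {"score": round(score, 1), "method": "other", "source": {"name": "narrow"}}


def apply_policy(bom, predictions, unknown_is_relevant=True, exit_policy="affected", delta=2.0):
    """Return (annotated copy of bom, exit code).
    unknown_is_relevant: True = conservative (unknowns count as relevant), False = noise reduction.
    exit_policy: 'affected', 'not_affected' or 'zero', matching the three exit-code options."""
    out = copy.deepcopy(bom)  # never mutate the caller's BOM
    affected_count = not_affected_count = 0
    for vuln in out.get("vulnerabilities", []):
        pred = predictions.get(vuln["id"])  # None means unknown
        base = next((r["score"] for r in vuln.get("ratings", []) if "score" in r), 0.0)
        if pred is None:
            vuln["analysis"] = {"state": "in_triage"}  # unknown: leave for a human, no Narrow rating
            pred = unknown_is_relevant
        elif pred:
            vuln["analysis"] = {"state": "exploitable"}
            vuln.setdefault("ratings", []).append(narrow_rating(base, True, delta))
        else:
            vuln["analysis"] = {"state": "not_affected", "justification": "code_not_reachable"}
            vuln.setdefault("ratings", []).append(narrow_rating(base, False, delta))
        if pred:
            affected_count += 1
        else:
            not_affected_count += 1
    exit_code = {"affected": affected_count, "not_affected": not_affected_count, "zero": 0}[exit_policy]
    return out, exit_code
```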