What would you like to be added:
Right now, at least 2 vunnel providers (RHEL and Mariner) simply drop vulnerabilities that the feed considers "not applicable". Instead, we should keep them in the database with fixed status "not applicable" and version constraint < 0.
Why is this needed:
When matching, in order to avoid false positives, grype should be able to consider the explicit claim by the feed operators that a given package is not vulnerable as evidence that it is not vulnerable. Right now, a distro feed being silent on a given CVE, and a distro feed explicitly reporting that the CVE is not applicable to their package, both result in having no row in the grype database for that CVE/namespace/package. But the explicit claim by the feed operators that a given package is not vulnerable is valuable evidence and should be retained.
More details at anchore/grype#1426 for the reason grype should have access to negative matches.
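As an added illustration of the proposed behaviour (not vunnel's or grype's own code; the record fields, the state strings, the namespace and the sample feed are assumptions), this keeps "not applicable" feed entries as rows with a never-matching `< 0` constraint, so a matcher can tell an explicit negative claim apart from a feed that is simply silent:

```python
import re
from dataclasses import dataclass

NOT_APPLICABLE_STATES = {"n/a", "not applicable", "not affected"}  # assumed feed spellings

# Constructed sample feed for one CVE; the entry shape (package/state/fixed_version) is assumed.
SAMPLE_FEED = [
    {"package": "openssl", "state": "Not affected"},
    {"package": "kernel", "state": "fixed", "fixed_version": "4.18.0-477.el8"},
]

@dataclass(frozen=True)
class FixRecord:
    cve: str
    namespace: str
    package: str
    version_constraint: str  # "< 4.18.0-477.el8" for a fix; "< 0" matches no real version
    fix_state: str  # "fixed", "not-fixed" or "not-applicable"

def to_records(cve, namespace, feed_entries, keep_not_applicable=True):
    """Build DB rows; keep_not_applicable=False mimics providers that drop N/A entries."""
    rows = []
    for e in feed_entries:
        state = e["state"].strip().lower()
        if state in NOT_APPLICABLE_STATES:
            if keep_not_applicable:  # retained as explicit negative evidence
                rows.append(FixRecord(cve, namespace, e["package"], "< 0", "not-applicable"))
        elif e.get("fixed_version"):
            rows.append(FixRecord(cve, namespace, e["package"], f"< {e['fixed_version']}", "fixed"))
        else:
            rows.append(FixRecord(cve, namespace, e["package"], "", "not-fixed"))
    return rows

def version_satisfies(version, constraint):
    """Toy '< X' check on numeric components only; empty constraint means every version."""
    if not constraint:
        return True
    _op, bound = constraint.split(None, 1)  # only "<" is produced above
    key = lambda v: tuple(int(p) for p in re.findall(r"\d+", v))
    return key(version) < key(bound)

def assess(rows, cve, namespace, package, version):
    """'affected', 'not-affected', or 'unknown' when the feed is silent (no row at all)."""
    hits = [r for r in rows if (r.cve, r.namespace, r.package) == (cve, namespace, package)]
    if not hits:
        return "unknown"
    r = hits[0]
    if r.fix_state == "not-applicable":
        return "not-affected"  # explicit feed claim, distinguishable from silence
    return "affected" if version_satisfies(version, r.version_constraint) else "not-affected"
```

With `keep_not_applicable=False` the openssl row disappears and the matcher can only answer "unknown", which is exactly the ambiguity the request wants to remove.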
Additional context:
Mariner provider dropping N/A matches: vunnel/src/vunnel/providers/mariner/parser.py, lines 152 to 153 in ee45d4e
RHEL provider dropping "Not affected" matches: vunnel/src/vunnel/providers/rhel/parser.py, lines 627 to 630 in ee45d4e