
Add details of "wont-fix" state

Open eram opened this issue 1 year ago • 0 comments

What would you like to be added: Currently, some vulnerabilities are marked with fix.state="wont-fix". I'd like any references to advisories suggesting the vulnerability is a false positive to be added, possibly under the advisories array. This should include a reasoning message and source/author.

Why is this needed: It is unclear how and why this "decision" that a vulnerability is a false positive was made. Where did the "wont-fix" come from and who made the decision? Was it made in the context of the specific image, or what?

Additional context: I would expect a short VEX entry to be added to the CycloneDX vulnerability analysis object as well - https://cyclonedx.org/docs/1.5/json/#vulnerabilities_items_analysis_state

Related issue: https://github.com/anchore/grype/issues/386

eram · Feb 15 '24 17:02
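As an added illustration (not code from grype or from the issue author): a small Python triage helper that pulls "wont-fix" matches out of a grype JSON report, flags the ones that carry no advisory at all (the missing provenance the issue describes), and records a triage decision as a CycloneDX 1.5 vulnerability analysis object with a reasoning message and author. The grype field names (matches[].vulnerability.fix.state, .advisories, artifact.purl) follow grype's JSON output as I know it; the sample report, CVE ids and URLs are constructed placeholders, and using the package purl as the affects bom-ref is an assumption.

```python
import json

# Constructed sample of a grype JSON report, trimmed to the fields read below.
# CVE ids and links are placeholders, not real advisories.
SAMPLE_REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "fix": {"versions": [], "state": "wont-fix"},
                       "advisories": [{"id": "EXAMPLE-ADV-1", "link": "https://example.invalid/adv/1"}]},
     "artifact": {"name": "libexample", "version": "1.2.3", "purl": "pkg:deb/debian/libexample@1.2.3"}},
    {"vulnerability": {"id": "CVE-0000-0002", "fix": {"versions": [], "state": "wont-fix"}, "advisories": []},
     "artifact": {"name": "othertool", "version": "0.9", "purl": "pkg:deb/debian/othertool@0.9"}},
    {"vulnerability": {"id": "CVE-0000-0003", "fix": {"versions": ["2.0.0"], "state": "fixed"}, "advisories": []},
     "artifact": {"name": "libexample", "version": "1.2.3", "purl": "pkg:deb/debian/libexample@1.2.3"}},
]}

# CycloneDX 1.5 analysis.state values; a "wont-fix" decision normally maps to
# "not_affected" or "false_positive".
VEX_STATES = {"resolved", "resolved_with_pedigree", "exploitable", "in_triage",
              "false_positive", "not_affected"}


def load_report(path: str) -> dict:
    """Load a report written with `grype <image> -o json --file <path>`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def wont_fix_matches(report: dict) -> list:
    """Return the grype matches whose fix.state is "wont-fix"."""
    return [m for m in report.get("matches", [])
            if m.get("vulnerability", {}).get("fix", {}).get("state") == "wont-fix"]


def undocumented_wont_fix(report: dict) -> list:
    """Ids of wont-fix matches with no advisory: nothing says who decided, or why."""
    return [m["vulnerability"]["id"] for m in wont_fix_matches(report)
            if not m["vulnerability"].get("advisories")]


def to_vex_entry(match: dict, state: str, detail: str, author: str, justification: str = "") -> dict:
    """Build a CycloneDX vulnerability object whose analysis records the decision and its author."""
    if state not in VEX_STATES:
        raise ValueError(f"unknown CycloneDX analysis state: {state}")
    vuln, artifact = match["vulnerability"], match["artifact"]
    entry = {
        "id": vuln["id"],
        "references": [{"id": a["id"], "source": {"url": a["link"]}} for a in vuln.get("advisories") or []],
        "analysis": {"state": state, "detail": f"{detail} (decided by {author})"},
        "affects": [{"ref": artifact.get("purl", f"{artifact['name']}@{artifact['version']}")}],
    }
    if justification:  # e.g. "code_not_present", one of the 1.5 justification values
        entry["analysis"]["justification"] = justification
    return entry
```

Run `undocumented_wont_fix` over a real report to list the wont-fix matches that need a human-written decision before they are accepted.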