Clearly state what not mentioning a product in product_status means #850

Open
tschmidtb51 opened this issue Dec 18, 2024 · 0 comments
@tschmidtb51 (Contributor)
We need to clearly state that the interpretation for products not given in the CSAF document is "there is no information in that CSAF document about this product".

Reasoning

There are multiple ways to structure a CSAF document, e.g.

  • 1 vulnerability, 1 product
  • n vulnerabilities, 1 product
  • 1 vulnerability, m products
  • n vulnerabilities, m products

Usually, the CSAF documents are assembled during a coordination case and contain the findings of the case which might be any of the combinations above. Sometimes, the issuing party decides to do multiple CSAF documents for one case (or one to combine multiple related cases).

If a CSAF document I lists "Product A version 17.4.3" as fixed, we can't assume anything about "Product A version 17.3.3" or "Product A version 16.8.4". These might be affected, or they might be fixed as well. We just know from CSAF document I that "Product A version 17.4.3" is fixed.
There might be another CSAF document II that lists "Product A version 17.3.3" as fixed. Also from that CSAF document II, we don't know anything about "Product A version 16.8.4".
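As an added illustration (not part of the issue or of the CSAF project's code), the lookup below resolves a product's status from the CSAF 2.0 `product_status` lists and returns no status, rather than a guessed one, for products a document does not mention, so documents I and II from the scenario above yield nothing for "Product A version 16.8.4". It assumes products are listed under `product_tree.full_product_names` (branches are not walked); the tracking ids, product names and product_ids are constructed.

```python
"""Resolve a product's status from CSAF documents without inferring anything
about products a document does not mention."""
from typing import Optional

# The product_status categories defined by CSAF 2.0.
STATUS_KEYS = (
    "first_affected", "known_affected", "last_affected",
    "first_fixed", "fixed", "recommended",
    "known_not_affected", "under_investigation",
)


def product_ids_by_name(doc: dict) -> dict:
    """Map product names to product_ids (product_ids are document-local)."""
    return {p["name"]: p["product_id"]
            for p in doc.get("product_tree", {}).get("full_product_names", [])}


def status_in_document(doc: dict, product_name: str) -> Optional[str]:
    """Return the product_status category that lists the product in this
    document, or None when the document carries no information about it.
    None is 'no information', never 'fixed' or 'affected'."""
    pid = product_ids_by_name(doc).get(product_name)
    if pid is None:
        return None  # not in the product_tree at all
    for vuln in doc.get("vulnerabilities", []):
        for key in STATUS_KEYS:
            if pid in vuln.get("product_status", {}).get(key, []):
                return key
    return None  # in the product_tree, but in no status list


def status_across_documents(docs: list, product_name: str) -> dict:
    """Statuses keyed by tracking id; documents without information are skipped."""
    return {d["document"]["tracking"]["id"]: s
            for d in docs
            if (s := status_in_document(d, product_name)) is not None}


def _constructed_doc(tracking_id: str, product_name: str, pid: str) -> dict:
    """Minimal constructed CSAF-shaped document marking one product as fixed."""
    return {
        "document": {"tracking": {"id": tracking_id}},
        "product_tree": {"full_product_names": [{"product_id": pid, "name": product_name}]},
        "vulnerabilities": [{"product_status": {"fixed": [pid]}}],
    }


DOC_I = _constructed_doc("DOC-I", "Product A version 17.4.3", "CSAFPID-0001")
DOC_II = _constructed_doc("DOC-II", "Product A version 17.3.3", "CSAFPID-0001")
```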
