feat: add vulnerable version ranges to CycloneDX output#3519

Open
somaz94 wants to merge 1 commit into
anchore:mainfrom
somaz94:feat/cyclonedx-affected-ranges
Conversation

@somaz94 somaz94 commented Jun 22, 2026

This populates the affects[].versions[] entries in Grype's CycloneDX output, addressing #3512.

Today the CycloneDX affects array only carries a ref, so consumers cannot tell from the
CycloneDX document whether a vulnerability has a fix available. This change adds:

  • the matched package version, recorded with status affected
  • for vulnerabilities with known fixed-in versions, each fix as a vers-syntax range
    (vers:<scheme>/>=<version>) with status unaffected, so consumers can spot available
    fixes and automate remediation

The vers scheme is derived from the package PURL type and falls back to generic. When
neither a version nor a fix is known, the versions array is omitted (no change for those).

One design point worth a read: I model the fix boundary as >=<fixedVersion> / unaffected
rather than a <<fixedVersion> / affected range, because Grype reliably knows the fix version
and the matched version but not the introduced version. Happy to switch to the affected-range
form if you prefer.

Validation (run locally):

  • go test ./grype/presenter/cyclonedx/... passes; added table-driven tests covering the
    affected / single fix / multiple fixes / not-fixed / missing-PURL / empty cases
  • regenerated the CycloneDX golden files with -update and reviewed the diff
  • go build ./..., gofmt, go vet, and golangci-lint run on the package are clean (no new findings)

closes #3512

Signed-off-by: somaz <genius5711@gmail.com>
@somaz94 somaz94 marked this pull request as ready for review June 23, 2026 09:40
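The construction described in the PR body (matched version as `affected`, each fixed-in version as a `vers:<scheme>/>=<fix>` range with status `unaffected`, scheme taken from the PURL type with a `generic` fallback, array omitted when nothing is known), written out as an added example. This is not Grype's code or the code in this PR; the `AffectedVersion` struct is a local stand-in for the CycloneDX `affects[].versions[]` entry, and the `versSchemes` allowlist and the de-duplication of repeated fixed-in versions are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// AffectedVersion mirrors the shape of one CycloneDX affects[].versions[] entry.
// Local type for this example, not the cyclonedx-go or Grype type.
type AffectedVersion struct {
	Version string `json:"version,omitempty"`
	Range   string `json:"range,omitempty"`
	Status  string `json:"status"`
}

// versSchemes lists PURL types that are also vers versioning schemes.
// Assumption for this example: any other type falls back to "generic".
var versSchemes = map[string]bool{
	"alpine": true, "cargo": true, "composer": true, "deb": true, "gem": true,
	"golang": true, "maven": true, "npm": true, "nuget": true, "pypi": true, "rpm": true,
}

// versScheme derives the vers scheme from the PURL type component
// ("pkg:npm/lodash@4.17.20" -> "npm"). A missing or unknown type yields "generic".
func versScheme(purl string) string {
	if !strings.HasPrefix(purl, "pkg:") {
		return "generic"
	}
	typ, _, _ := strings.Cut(strings.TrimPrefix(purl, "pkg:"), "/")
	typ = strings.ToLower(strings.TrimSpace(typ))
	if versSchemes[typ] {
		return typ
	}
	return "generic"
}

// affectedVersions builds the versions[] entries for one match: the matched
// version with status "affected", then one ">=<fix>" range with status
// "unaffected" per distinct fixed-in version. It returns nil when neither a
// matched version nor a fix is known, so the caller can omit the array.
func affectedVersions(purl, matched string, fixedIn []string) []AffectedVersion {
	var out []AffectedVersion
	if v := strings.TrimSpace(matched); v != "" {
		out = append(out, AffectedVersion{Version: v, Status: "affected"})
	}
	scheme := versScheme(purl)
	seen := map[string]bool{} // assumption: repeated fixed-in versions are emitted once
	for _, fix := range fixedIn {
		fix = strings.TrimSpace(fix)
		if fix == "" || seen[fix] {
			continue
		}
		seen[fix] = true
		out = append(out, AffectedVersion{
			Range:  fmt.Sprintf("vers:%s/>=%s", scheme, fix),
			Status: "unaffected",
		})
	}
	return out
}

func main() {
	// Constructed sample inputs, not real Grype output.
	cases := []struct {
		purl, matched string
		fixedIn       []string
	}{
		{"pkg:npm/lodash@4.17.20", "4.17.20", []string{"4.17.21"}},
		{"pkg:deb/debian/openssl@1.1.1k-1", "1.1.1k-1", []string{"1.1.1n-0+deb11u5", "3.0.2-1"}},
		{"pkg:foo/thing@1.0", "1.0", nil},  // unknown PURL type, no fix
		{"", "", nil},                       // nothing known: array omitted
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	for _, c := range cases {
		_ = enc.Encode(map[string]any{
			"ref":      c.purl,
			"versions": affectedVersions(c.purl, c.matched, c.fixedIn),
		})
	}
}
```

Because `affectedVersions` returns nil for the nothing-known case, a caller marshalling with `omitempty` on the `versions` field drops the array entirely, which is the behaviour the PR describes for those matches.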
Development

Successfully merging this pull request may close these issues.

Include vulnerable ranges in CycloneDX output format