Improve output when CVEs are set to "Ignore" or "Mitigated"

[terriko]

Right now, we report the number of CVEs found even if our triage then says we want to ignore them. This probably isn't what we want. We should instead report

1. the number of CVEs found minus any that are ignored or mitigated
2. a count of CVEs that are ignored or mitigated (so these are known and can be re-evaluated if needed)

[terriko]

• related test: Add triage to requirements test to address aiohttp disputed cve #1746

[terriko]

Realized we probably don't want to report "mitigated" issues either, changed title and comment to reflect that.

[anthonyharrison]

There are also instances where the reported numbers don't seem to be adding up. I tried this when disabling a data source which seems to introduce a few issues.

There are 29 CVEs identified by cve_scanner but the summary only shows 27 CVEs - this is becuase there are CVEs with UNKNOWN severity which are not included in the summary.

It states that there are 7 files but there are 8 files shown. This is becuase a product was being added if there ARE CVEs but if all the CVEs are from a disabled data source, the products was still being included.