Code review comment for ~eslerm/ubuntu-cve-tracker:cna-info

Mark Esler (eslerm) wrote :

For context of how this will be used, these dictionary keys are present in the CVE List and NVD's CVE datasets. By having a lookup table, we _could_ use CNA information in UCT.

One example is to identify CNA during initial CVE Triage and if a CNA has never assigned a CVE in UCT _yet_, it is a heuristic.

Another is to address https://bugs.launchpad.net/ubuntu-cve-tracker/+bug/2054762 where we are blanket attributing NVD for (nearly) all CVSS scores which are not generated by Ubuntu. Attributing CNAs properly is not only technically correct, but drives priority* and could become a heuristic for triagers. (*iiuc, only NVD scores drive FedRAMP priority)
