Code review comment for ~flor-cabral/ubuntu-cve-tracker:CVE-2021-37146

Eduardo Barretto (ebarretto) wrote :

There are quite a few things that need fixing, but to give some more background, our package status lines follow the pattern:
<product>/<release>_<source-pkg-name>: <status>
For Ubuntu archive the product is 'ubuntu', and therefore it can be omitted. So
ubuntu/xenial_<source-pkg-name>: <status>
is the same as
xenial_<source-pkg-name>: <status>
For other products that are not the ubuntu archive, you will need to specify them.

Therefore:

1. the ros-kinetic line should be like:
   ros-esm/xenial_ros-kinetic-ros-comm: not-affected (<reason>)
   The product is ros-esm and it needs to be specified, otherwise this will be understood as the ubuntu product.

   You see I've included a reason there; we always try to say why a package is not affected. It could be because it was fixed in a previous version, in which case we would say, for example:
   not-affected (1.2.3-1)

   It could be that it is not affected because the vulnerable code does not exist in that package version that we have, then we would have:
   not-affected (code not present)

2. The ros-melodic line has not only the same issue as above about the product, but also ros-melodic-ros-comm is not in the ros-esm-bionic-melodic-supported.txt at all. So you cannot have that line if you do not have the package listed in the supported file.
   You will need to review and, if it is missing, add ros-melodic-ros-comm to the supported file.

   After you have done the above, the line will look like:
   ros-esm/bionic_ros-melodic-ros-comm: released (<version number>)

   Every released status needs a version number after it, the version number being the version in which you fixed the CVE.

review: Needs Fixing
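The rules the review spells out (optional product prefix defaulting to ubuntu, the package having to appear in the product's supported file, a version after "released", a reason after "not-affected") are mechanical enough to lint. The script below is an added example written for this page; it is not code from ubuntu-cve-tracker. The regular expression, the loose version check, the constructed SUPPORTED table standing in for the *-supported.txt files, and the "did you mean ros-esm/..." heuristic for a missing product prefix are all assumptions made here, not behaviour of the real tracker.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Pattern from the review: <product>/<release>_<source-pkg-name>: <status> [(<note>)]
# The product prefix is optional; when absent the line refers to the ubuntu archive.
STATUS_RE = re.compile(
    r"^(?:(?P<product>[a-z][a-z0-9-]*)/)?"      # optional product, e.g. ros-esm/
    r"(?P<release>[a-z]+)_"                       # release, e.g. xenial
    r"(?P<pkg>[a-z0-9][a-z0-9+.-]*):\s*"          # source package name
    r"(?P<status>[a-z-]+)"                        # status word, e.g. released
    r"(?:\s+\((?P<note>[^)]*)\))?\s*$"            # optional (version) or (reason)
)

# Loose check for a Debian-style version such as 1.2.3-1 (assumption: a version
# starts with a digit and contains only the usual version characters).
VERSION_RE = re.compile(r"\d[A-Za-z0-9.+~:-]*")

# Constructed stand-in for the per-product *-supported.txt files, keyed by
# (product, release). ros-melodic-ros-comm is deliberately absent from bionic,
# mirroring the situation described in the review.
SUPPORTED: Dict[Tuple[str, str], Set[str]] = {
    ("ros-esm", "xenial"): {"ros-kinetic-ros-comm"},
    ("ros-esm", "bionic"): {"ros-melodic-ros-core"},
}


@dataclass(frozen=True)
class StatusLine:
    product: str
    release: str
    package: str
    status: str
    note: Optional[str]  # text inside the parentheses, if any


def parse_status_line(line: str) -> StatusLine:
    """Split a status line into its fields; an omitted product means 'ubuntu'."""
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a package status line: {line!r}")
    return StatusLine(
        product=m.group("product") or "ubuntu",
        release=m.group("release"),
        package=m.group("pkg"),
        status=m.group("status"),
        note=m.group("note"),
    )


def lint_status_line(line: str, supported=SUPPORTED) -> List[str]:
    """Return the review points a line would attract (empty list means it passes)."""
    try:
        s = parse_status_line(line)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []

    if s.product == "ubuntu":
        # Heuristic (not a rule from the review): a package that only exists in a
        # non-ubuntu supported list was probably written without its product prefix.
        for (prod, rel), pkgs in supported.items():
            if rel == s.release and s.package in pkgs:
                problems.append(
                    f"{s.package} is listed under {prod}/{rel}; "
                    f"did you mean {prod}/{s.release}_{s.package}?"
                )
    else:
        pkgs = supported.get((s.product, s.release))
        if pkgs is None:
            problems.append(f"no supported list known for {s.product}/{s.release}")
        elif s.package not in pkgs:
            problems.append(
                f"{s.package} is not in the {s.product}/{s.release} supported file; "
                "add it there before giving it a status"
            )

    if s.status == "released":
        # released must carry the version in which the CVE was fixed.
        if not s.note or not VERSION_RE.fullmatch(s.note):
            problems.append("released needs the fixed version, e.g. released (1.2.3-1)")
    elif s.status == "not-affected" and not s.note:
        # not-affected should always say why (a version or a reason).
        problems.append(
            "not-affected should give a reason, e.g. not-affected (code not present)"
        )
    return problems


if __name__ == "__main__":
    for candidate in [
        "xenial_ros-kinetic-ros-comm: not-affected",
        "ros-esm/xenial_ros-kinetic-ros-comm: not-affected (code not present)",
        "ros-esm/bionic_ros-melodic-ros-comm: released (1.2.3-1)",
        "ros-esm/bionic_ros-melodic-ros-core: released",
    ]:
        print(candidate, "->", lint_status_line(candidate) or "OK")
```

Run as a script it reports, for each constructed candidate line, the same points the reviewer raised: the bare xenial line is read as an ubuntu line and lacks a reason, the bionic ros-comm line names a package missing from its supported file, and a "released" without a version is rejected. Only the two status rules stated in the review are enforced; other status words pass through unchecked.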
