We currently put packages into just two categories:
1.) ImpactedPackage: these are affected by the particular vulnerability and are not secure to use.
2.) ResolvedPackage: these are unaffected by the particular vulnerability, at least they are supposed to be. This category includes (a) packages which were affected by a vulnerability and then got fixed, as well as (b) packages which weren't affected when the vulnerability was discovered.
Do we need to make the distinction between (a) and (b)? I believe we should, after the following chat in which @haikoschol gave the following reason:
there could be a case where a user wants to know when a vulnerability was introduced. let's say there's a very complicated vulnerability and a "fix" is published but it is controversial whether this fixes the vulnerability properly or only one attack vector
otoh, if we make this distinction in our data model because the data sources we are looking at contain it, how do we handle data sources that don't contain this information?
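To make the trade-off in this issue concrete, here is an added example (not the project's own ImpactedPackage/ResolvedPackage code; all names, sources and version numbers are constructed for illustration). It splits the "resolved" bucket into (a) FIXED and (b) UNAFFECTED, keeps a coarse RESOLVED_UNKNOWN for data sources that only say "not affected", and shows how records from sources of different precision can be merged: specific statuses refine a coarse one, a coarse one never overrides a specific one, and a genuine disagreement (one source says impacted, another says unaffected) is surfaced as a conflict for review rather than silently overwritten. It also answers the "when was this introduced" question from the chat.

```python
from dataclasses import dataclass
from enum import Enum

# Hypothetical example model; not VulnerableCode's own ImpactedPackage/ResolvedPackage code.
# Versions are compared as numeric tuples, e.g. (1, 4, 1); constructed for the example.


class Status(Enum):
    IMPACTED = "impacted"          # affected by the vulnerability, not safe to use
    FIXED = "fixed"                # (a) was affected, patched at or before this version
    UNAFFECTED = "unaffected"      # (b) never affected by this vulnerability
    RESOLVED_UNKNOWN = "resolved"  # source only says "not affected"; cannot tell (a) from (b)


# A coarse "resolved" may be refined by either specific kind of "not affected".
# Any other disagreement between sources is a conflict, never a silent overwrite.
_REFINES = {Status.RESOLVED_UNKNOWN: {Status.FIXED, Status.UNAFFECTED}}


@dataclass(frozen=True)
class Record:
    source: str
    package: str
    version: tuple
    status: Status


def classify_with_history(version, introduced, fixed):
    """Source that knows the affected window [introduced, fixed)."""
    if version < introduced:
        return Status.UNAFFECTED
    if fixed is not None and version >= fixed:
        return Status.FIXED
    return Status.IMPACTED


def classify_flag_only(version, affected):
    """Source that only lists affected versions; everything else is 'resolved' with no history."""
    return Status.IMPACTED if version in affected else Status.RESOLVED_UNKNOWN


def merge(records):
    """Merge per-(package, version) statuses from several sources of differing precision."""
    merged = {}
    conflicts = []
    for r in records:
        key = (r.package, r.version)
        current = merged.get(key)
        if current is None or current == r.status:
            merged[key] = r.status
        elif r.status in _REFINES.get(current, ()):
            merged[key] = r.status  # specific status refines a coarse "resolved"
        elif current in _REFINES.get(r.status, ()):
            pass  # coarse status never overrides a specific one
        else:
            conflicts.append((key, current, r.status))  # e.g. IMPACTED vs UNAFFECTED: needs review
    return merged, conflicts


def introduced_in(merged, package):
    """Earliest version recorded as IMPACTED: the 'when was it introduced' question."""
    impacted = [v for (p, v), s in merged.items() if p == package and s == Status.IMPACTED]
    return min(impacted) if impacted else None


def build_example():
    """Constructed sample data: three sources describing the same package."""
    pkg = "libfoo"
    catalogue = [(1, 1, 0), (1, 2, 0), (1, 3, 0), (1, 4, 1), (2, 0, 0)]
    records = []
    # Source 1: advisory with history, affected from 1.2.0 up to (not including) 1.4.1
    for v in catalogue[:-1]:
        records.append(Record("advisory", pkg, v, classify_with_history(v, (1, 2, 0), (1, 4, 1))))
    # Source 2: flag-only feed that just lists the affected versions it knows about
    for v in catalogue:
        records.append(Record("flag-feed", pkg, v, classify_flag_only(v, {(1, 2, 0), (1, 3, 0)})))
    # Source 3: vendor statement that disagrees about 1.3.0
    records.append(Record("vendor", pkg, (1, 3, 0), Status.UNAFFECTED))
    return merge(records)


if __name__ == "__main__":
    merged, conflicts = build_example()
    for key, status in sorted(merged.items()):
        print(key, status.value)
    print("introduced in:", introduced_in(merged, "libfoo"))
    print("conflicts:", conflicts)
```

With this shape, a source that lacks the (a)/(b) distinction still contributes a valid RESOLVED_UNKNOWN record, and nothing is lost if a richer source later refines it; the "controversial fix" case from the chat would show up as a conflict between a source marking a version FIXED and one still marking it IMPACTED.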