security: OVAL: Only include CVEs that impact the given release (#998757)

We generate per-release oval feeds, e.g. oval-definitions-bullseye.xml. If a given release was never impacted by a given CVE, that CVE should not be included in the release's feed. Reasons why this might be the case include situations where a given release never contained a vulnerable version of a given package, e.g. a CVE impacts only versions 1.5 and earlier of the package, but the release contains version 2.0.