
Fetch SBOM components that match an advisory

Why are we doing this work

In order to add vulnerabilities for a newly ingested advisory, we need to fetch all the SBOM components that match that advisory, in all projects.

Further details

  • Join Sbom::Occurrence and Sbom::Component to select all SBOM components that match a PURL type and package name.
  • Also join Sbom::ComponentVersion to get the version, and match it against the affected range.
  • Also join Sbom::Source to extract the input file from the source. See DependencyScanning::FindingBuilder.
  • Return all the information needed to filter and create the vulnerability finding: project, pipeline, input_file, purl_type, package_name, and version.

NOTE: A project might depend on multiple versions of a package, so a newly ingested advisory might match multiple SBOM components of the same project.
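As an added illustration (not code from this issue or from GitLab), the join described above emulated in plain Ruby over constructed in-memory rows; the Sbom* Structs, the Gem::Requirement form of the affected range, and the sample data are all assumptions:

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement come with Ruby's bundled rubygems

# Hypothetical plain-Ruby stand-ins for the Sbom::* models named in the issue (not the real ActiveRecord classes).
SbomSource = Struct.new(:id, :input_file)
SbomComponent = Struct.new(:id, :purl_type, :name)
SbomComponentVersion = Struct.new(:id, :component_id, :version)
SbomOccurrence = Struct.new(:project_id, :pipeline_id, :component_id, :component_version_id, :source_id)
# Assumed advisory shape: the affected range is a list of Gem::Requirement strings.
Advisory = Struct.new(:purl_type, :package_name, :affected_range)

# Emulates the join: occurrence -> component (purl_type + name) -> version (affected range) -> source (input_file).
def fetch_matching_components(advisory, occurrences:, components:, versions:, sources:)
  component_by_id = components.to_h { |c| [c.id, c] }
  version_by_id = versions.to_h { |v| [v.id, v] }
  source_by_id = sources.to_h { |s| [s.id, s] }
  requirement = Gem::Requirement.new(*advisory.affected_range)

  occurrences.filter_map do |occ|
    component = component_by_id[occ.component_id]
    next unless component.purl_type == advisory.purl_type && component.name == advisory.package_name

    version = version_by_id[occ.component_version_id]
    next unless requirement.satisfied_by?(Gem::Version.new(version.version))

    # The fields the issue lists as needed to filter and create the vulnerability finding.
    { project: occ.project_id, pipeline: occ.pipeline_id, input_file: source_by_id[occ.source_id].input_file,
      purl_type: component.purl_type, package_name: component.name, version: version.version }
  end
end

# Constructed sample rows: project 1 depends on three versions of rack (the NOTE's case),
# two inside the affected range and one outside; project 2 pulls an unrelated npm package.
SOURCES = [SbomSource.new(10, 'Gemfile.lock'), SbomSource.new(11, 'package-lock.json')]
COMPONENTS = [SbomComponent.new(1, 'gem', 'rack'), SbomComponent.new(2, 'npm', 'lodash')]
VERSIONS = [SbomComponentVersion.new(100, 1, '2.1.0'), SbomComponentVersion.new(101, 1, '2.2.3'),
            SbomComponentVersion.new(102, 1, '3.0.0'), SbomComponentVersion.new(103, 2, '4.17.20')]
OCCURRENCES = [SbomOccurrence.new(1, 500, 1, 100, 10), SbomOccurrence.new(1, 500, 1, 101, 10),
               SbomOccurrence.new(1, 500, 1, 102, 10), SbomOccurrence.new(2, 600, 2, 103, 11)]
ADVISORY = Advisory.new('gem', 'rack', ['>= 2.0.0', '< 2.2.4']) # constructed, not a real advisory

def demo_matches
  fetch_matching_components(ADVISORY, occurrences: OCCURRENCES, components: COMPONENTS,
                            versions: VERSIONS, sources: SOURCES)
end

puts demo_matches.inspect if $PROGRAM_NAME == __FILE__
```

With this data the fetcher returns two rows for project 1 (rack 2.1.0 and 2.2.3), which is exactly the multiple-versions-per-project case the NOTE warns about, so the caller must be prepared to create more than one finding per project.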

Relevant links

Non-functional requirements

  • [-] Documentation
  • [-] Feature flag
  • Performance:
  • Testing: add specs

Implementation plan

Add fetcher class. TBD.

Verification steps

/cc @adamcohen @hacks4oats

Edited by Adam Cohen