Add vulnerabilities to CDX SBOM export
Problem to solve
The API allows users to generate a CycloneDX SBOM for the project, and that SBOM contains the licenses detected by GitLab License Scanning. However, it does not contain the vulnerabilities detected by GitLab Vulnerability Scanning.
Proposal
Add the vulnerabilities detected by Vulnerability Scanning to the generated CycloneDX SBOM. This should include vulnerabilities reported by scanning jobs running in CI pipelines as well as those detected by Continuous Vulnerability Scanning in the backend.
Eventually this would be ported to the SBOM downloaded from the Dependency List. See Dependency list exports in CycloneDX SBoM forma... (#407453 - closed)
This improvement would meet a software supply chain requirement that potential customers have raised: in some cases, OEMs require their tier 1 suppliers to submit an SBOM that includes vulnerability information.
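For illustration, here is an added example (not GitLab code) of how findings would map onto the CycloneDX `vulnerabilities` array: each entry's `affects[].ref` must point at an existing component `bom-ref`, so findings for packages that are not in the BOM are reported back instead of being emitted as dangling references. The SBOM, the findings and the CVE identifiers are constructed placeholders.

```ruby
require 'json'

# Constructed sample: a minimal CycloneDX 1.4 SBOM in the shape the
# project export produces (placeholder package, not real project data).
SBOM = {
  "bomFormat" => "CycloneDX",
  "specVersion" => "1.4",
  "version" => 1,
  "components" => [
    { "type" => "library", "name" => "example-lib", "version" => "1.2.3",
      "purl" => "pkg:npm/example-lib@1.2.3",
      "bom-ref" => "pkg:npm/example-lib@1.2.3" }
  ]
}

# Constructed findings, shaped like a scanner report: identifier (placeholder
# CVE numbers), severity, CVSS score and the affected package purl.
FINDINGS = [
  { id: "CVE-0000-00001", severity: "High", score: 7.5,
    purl: "pkg:npm/example-lib@1.2.3", source: "Example Advisory DB" },
  { id: "CVE-0000-00002", severity: "Low", score: 2.1,
    purl: "pkg:npm/not-in-bom@0.1.0", source: "Example Advisory DB" }
]

# Returns [sbom_with_vulnerabilities, unmatched_finding_ids]. The input hash
# is not modified. A finding is only written when its purl matches a
# component bom-ref, which keeps every `affects.ref` resolvable.
def add_vulnerabilities(sbom, findings)
  refs = sbom.fetch("components", []).map { |c| c["bom-ref"] }.compact
  vulns, unmatched = [], []
  findings.each do |f|
    unless refs.include?(f[:purl])
      unmatched << f[:id]
      next
    end
    vulns << {
      "id" => f[:id],
      "source" => { "name" => f[:source] },
      "ratings" => [{ "score" => f[:score],
                      "severity" => f[:severity].downcase,
                      "method" => "CVSSv3" }],
      "affects" => [{ "ref" => f[:purl] }]
    }
  end
  [sbom.merge("vulnerabilities" => vulns), unmatched]
end

if __FILE__ == $PROGRAM_NAME
  out, missing = add_vulnerabilities(SBOM, FINDINGS)
  puts JSON.pretty_generate(out)
  warn "unmatched findings: #{missing.join(', ')}" unless missing.empty?
end
```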