Update the vulnerability Elasticsearch reference to reflect the ref relationship and details
To correctly propagate ref information to Elasticsearch so that it can be used as a filter in the VulnerabilityReport, we need to update the VulnerabilityReference to insert this value from vulnerability_reads once it has been added there.
This also requires a backfill migration that adds the appropriate ref value to the existing vulnerability_occurrence records so that the value can be used as a filter.
Implementation Plan
Based on the existing VulnerabilityReference implementation and the ref-related infrastructure being built, here's the pseudocode diff for adding security_project_ref_id to the Elasticsearch mapping:
1. Update VulnerabilityReference Elasticsearch Mapping
# ee/app/models/elastic/vulnerability_reference.rb
class Elastic::VulnerabilityReference < ApplicationRecord
include Elastic::ApplicationVersionedSearch
def as_indexed_json(options = {})
data = {
id: vulnerability_read.vulnerability_id,
project_id: vulnerability_read.project_id,
severity: vulnerability_read.severity,
state: vulnerability_read.state,
report_type: vulnerability_read.report_type,
scanner_name: vulnerability_read.scanner_name,
title: vulnerability_read.title,
description: vulnerability_read.description,
location_image: vulnerability_read.location_image,
identifiers: vulnerability_read.identifiers.map(&:name),
owasp_top_10: vulnerability_read.owasp_top_10,
+ security_project_ref_id: vulnerability_read.security_project_ref_id,
# ... other existing fields
}
data
end
mapping do
indexes :id, type: :long
indexes :project_id, type: :long
indexes :severity, type: :keyword
indexes :state, type: :keyword
indexes :report_type, type: :keyword
indexes :scanner_name, type: :keyword
indexes :title, type: :text
indexes :description, type: :text
indexes :location_image, type: :keyword
indexes :identifiers, type: :keyword
indexes :owasp_top_10, type: :keyword
+ indexes :security_project_ref_id, type: :long
# ... other existing field mappings
end
end
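Review bot: the added line indexes :security_project_ref_id, type: :long only declares the field; documents already in the index will not carry a value until they are reindexed, and as_indexed_json will emit null for any vulnerability_read whose ref has not been backfilled yet. A report filtered on this field would then silently leave those vulnerabilities out. Suggest that the plan state the order of the mapping update, the database backfill and the reindex, and say how the filter should treat documents where the field is missing.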
2. Update VulnerabilityReference Population Logic
# ee/app/services/elastic/vulnerability_reference_service.rb
class Elastic::VulnerabilityReferenceService
def populate_from_vulnerability_read(vulnerability_read)
return unless vulnerability_read.project_security_ref_id.present?
vulnerability_reference = Elastic::VulnerabilityReference.new
vulnerability_reference.vulnerability_read = vulnerability_read
+ vulnerability_reference.security_project_ref_id = vulnerability_read.security_project_ref_id
vulnerability_reference.save!
end
end
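Review bot: the guard at the top of populate_from_vulnerability_read checks vulnerability_read.project_security_ref_id, while the added line reads vulnerability_read.security_project_ref_id, so one of the two attribute names is wrong. Suggest using a single name in both places. The early return also means a vulnerability_read without a ref never gets a VulnerabilityReference saved at all, which drops it from search entirely instead of only from ref-filtered views; please confirm that is intended or index it with an empty ref.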
3. Update Vulnerability Reads Model
# ee/app/models/vulnerabilities/read.rb
module Vulnerabilities
class Read < ApplicationRecord
belongs_to :vulnerability
belongs_to :project
+ belongs_to :project_security_ref, class_name: 'Vulnerabilities::ProjectTrackedRef', optional: true
# ... existing code
def elasticsearch_ref_id
+ security_project_ref_id
end
end
end
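Review bot: belongs_to :project_security_ref is declared without foreign_key:, so Rails will look for a project_security_ref_id column, while elasticsearch_ref_id returns security_project_ref_id. Suggest either naming the association security_project_ref or adding foreign_key: :security_project_ref_id so the association and the column agree. elasticsearch_ref_id is also not called by the code in steps 1 and 2, which read security_project_ref_id directly; either use it there or drop it.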
The pseudocode assumes that the security_project_refs table and related infrastructure from issues #555980 (closed) and #555999 (closed) have been implemented as prerequisites.