Update CVS ingestion flow to create vulnerability findings for each sbom_occurrence_ref with applicable Package Advisory

Summary

The CVS (Continuous Vulnerability Scanning) ingestion flow needs to be updated to ensure that a vulnerability finding is created for each sbom_occurrence_ref that is associated with an sbom_occurrence where an applicable Package Advisory has been identified.

Problem

Currently, the CVS ingestion flow may not create vulnerability findings for every branch-specific SBOM occurrence when a Package Advisory is matched. Creating one finding per reference is critical for tracking dependencies across multiple branches.

Proposed Solution

Update the CVS ingestion flow to:

  • Identify all sbom_occurrence_ref records associated with an sbom_occurrence that has a matching Package Advisory
  • Create a vulnerability finding for each of these references to ensure branch-specific vulnerability tracking
  • Ensure the findings are properly linked to their respective branches/refs

Acceptance Criteria

  • CVS ingestion creates vulnerability findings for each sbom_occurrence_ref when a Package Advisory matches
  • Findings are correctly associated with their respective branches
  • No duplicate findings are created for the same vulnerability on the same ref
  • Database queries are optimized to handle this at scale
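As an added illustration of the proposed fan-out and of the no-duplicates criterion above (example code written for this issue, not GitLab's own implementation): each sbom_occurrence that matches a Package Advisory yields one finding per sbom_occurrence_ref, and a re-run against already-stored (advisory, ref) pairs produces nothing new. Record shapes, the version-match rule and the dedup key are assumptions.

```ruby
# Added illustration in plain Ruby, not GitLab's own models. Table names come from
# the issue; record shapes, the version-match rule and the dedup key are assumed.
require 'set'
SbomOccurrence    = Struct.new(:id, :package_name, :version, keyword_init: true)
SbomOccurrenceRef = Struct.new(:id, :sbom_occurrence_id, :ref, keyword_init: true) # one row per branch/ref
PackageAdvisory   = Struct.new(:id, :package_name, :affected_versions, keyword_init: true)
Finding           = Struct.new(:advisory_id, :sbom_occurrence_id, :sbom_occurrence_ref_id, :ref, keyword_init: true)

# Advisories that apply to an occurrence: same package and an affected version (assumed rule).
def advisories_for(occurrence, advisories)
  advisories.select do |adv|
    adv.package_name == occurrence.package_name &&
      adv.affected_versions.include?(occurrence.version)
  end
end

# Create one finding per (advisory, sbom_occurrence_ref). existing_keys holds the
# [advisory_id, sbom_occurrence_ref_id] pairs already stored, so re-running the
# ingestion for the same SBOM yields no duplicate finding on the same ref.
def build_findings(occurrences, refs, advisories, existing_keys = Set.new)
  refs_by_occurrence = refs.group_by(&:sbom_occurrence_id)
  seen = existing_keys.dup
  findings = []
  occurrences.each do |occ|
    matched = advisories_for(occ, advisories)
    next if matched.empty?                       # no advisory: nothing to fan out
    refs_by_occurrence.fetch(occ.id, []).each do |ref|
      matched.each do |adv|
        key = [adv.id, ref.id]
        next unless seen.add?(key)               # already recorded on this ref
        findings << Finding.new(advisory_id: adv.id, sbom_occurrence_id: occ.id,
                                sbom_occurrence_ref_id: ref.id, ref: ref.ref)
      end
    end
  end
  findings
end

# Constructed sample data: one vulnerable occurrence seen on two branches, one clean occurrence.
OCCURRENCES = [
  SbomOccurrence.new(id: 1, package_name: 'examplelib', version: '1.2.0'),
  SbomOccurrence.new(id: 2, package_name: 'otherlib',   version: '3.0.1'),
]
REFS = [
  SbomOccurrenceRef.new(id: 10, sbom_occurrence_id: 1, ref: 'main'),
  SbomOccurrenceRef.new(id: 11, sbom_occurrence_id: 1, ref: 'release-1.0'),
  SbomOccurrenceRef.new(id: 12, sbom_occurrence_id: 2, ref: 'main'),
]
ADVISORIES = [PackageAdvisory.new(id: 'ADV-0001', package_name: 'examplelib', affected_versions: ['1.2.0'])]
```

Calling `build_findings(OCCURRENCES, REFS, ADVISORIES)` returns two findings (refs 10 and 11); passing the resulting keys back as `existing_keys` returns an empty list.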

Related

Epic: #18681
