Make creation of sbom_occurrences_vulnerabilities related to findings rather than vulnerabilities

Overview

Update the creation of sbom_occurrences_vulnerabilities records to associate them with security findings rather than vulnerabilities.

Background

Currently, sbom_occurrences_vulnerabilities records are created and linked to the vulnerabilities table. As part of the vulnerability data model refactoring to support tracking vulnerabilities across multiple branches, these records should instead be related to security findings, which represent the actual detected issues in a specific context.

Requirements

  • Update the SBOM ingestion process to create sbom_occurrences_vulnerabilities records linked to findings instead of vulnerabilities
  • Ensure the relationship correctly associates SBOM occurrences with the appropriate security finding records
  • Maintain backward compatibility during the transition period
  • Update any related queries or services that depend on this relationship

Implementation Notes

  • This work is part of the broader vulnerability data model refactoring initiative
  • Consider the impact on existing SBOM processing workflows
  • Ensure performance is not negatively impacted by the relationship changes

Acceptance Criteria

  • sbom_occurrences_vulnerabilities records are created with the correct finding association
  • Existing SBOM functionality remains unaffected
  • Tests cover the updated ingestion logic
  • Related services correctly retrieve SBOM data through the new relationship

Edited by Brian Williams