## Summary The CVS (Continuous Vulnerability Scanning) ingestion flow needs to be updated to ensure that a vulnerability finding is created for each `sbom_occurrence_ref` that is associated with an `sbom_occurrence` where an applicable Package Advisory has been identified. ## Problem Currently, the CVS ingestion flow may not be creating vulnerability findings for all branch-specific SBOM occurrences when Package Advisories are matched. This is critical for supporting dependencies across multiple branches. ## Proposed Solution Update the CVS ingestion flow to: - Identify all `sbom_occurrence_ref` records associated with an `sbom_occurrence` that has a matching Package Advisory - Create a vulnerability finding for each of these references to ensure branch-specific vulnerability tracking - Ensure the findings are properly linked to their respective branches/refs ## Acceptance Criteria - [ ] CVS ingestion creates vulnerability findings for each `sbom_occurrence_ref` when a Package Advisory matches - [ ] Findings are correctly associated with their respective branches - [ ] No duplicate findings are created for the same vulnerability on the same ref - [ ] Database queries are optimized to handle this at scale ## Related Epic: #18681