Add omitempty to cve field for SAST reports

What does this MR do?

Adds omitempty to the cve field to align with the intent of the v15 security report schema. The cve field is deprecated and should not be populated by analysers producing v15-compliant reports.

This had originally been implemented in !38 (diffs) but then reverted as part of !48 (merged) to retain v14 support.

What are the relevant issue numbers?

• gitlab-org/gitlab#375364 (closed)
• gitlab-org/gitlab#368371 (closed)

Does this MR meet the acceptance criteria?

• Changelog entry added
• Documentation created/updated for GitLab EE, if necessary
• Documentation created/updated for this project, if necessary
• Documentation reviewed by technical writer or follow-up review issue created
• Tests added for this feature/bug
• Job definition updated, if necessary
  • Auto-DevOps template
  • Job definition example
  • CI Templates
• Ensure the report version matches the equivalent schema version
• Conforms to the code review guidelines
• Conforms to the Go guidelines
• Security reports checked/validated by reviewer