fix: the bom generation for trivy was using pydantic and bom-ref was converted...

fix: the bom generation for trivy was using pydantic and bom-ref was converted to bom_ref. This caused trivy to not report vulnerabilities. This updates the bom generation to just directly go from the dictionary to json.