/api/v1/sbom/{id}/advisory includes packages that do not belong to the SBOM

[carlosthe19916]

How to reproduce it:

• Start the backend and ingest all data from https://github.com/trustification/trustify/tree/main/etc/datasets/ds1
• Identify the Id of the SBOM ubi8-container (I did it using the UI). And then /api/v1/sbom/{id}/advisory. The response will be similar to https://gist.github.com/carlosthe19916/23668e2467573faaa3a87e779ec1889e#file-api_v1_sbom
• The response includes 2 resteasy packages one of them being this one: https://gist.github.com/carlosthe19916/23668e2467573faaa3a87e779ec1889e#file-api_v1_sbom_-id-_advisory-json-L92-L118

        "status": [
            {
                "normative": true,
                "identifier": "CVE-2023-0482",
                "title": null,
                "description": null,
                "reserved": null,
                "published": null,
                "modified": null,
                "withdrawn": null,
                "discovered": null,
                "released": null,
                "cwes": [],
                "average_severity": "medium",
                "status": "affected",
                "context": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:9:*:*:*"
                },
                "packages": [
                    {
                        "id": "",
                        "name": "resteasy",
                        "version": null,
                        "purl": [],
                        "cpe": []
                    }
                ]
            },

The response is mentioning "cpe": "cpe:/o:redhat:enterprise_linux:9:*:*:*" and that is the issue I think.

If you download the original SBOM file here ubi8-container.json and do grep you will see that only enterprise_linux v8 is mentioned but not v9 as the response given in the backend:

cferiavi@cferiavi$ grep "enterprise_linux" ubi8-container.json 
"referenceLocator": "cpe:/a:redhat:enterprise_linux:8::appstream",