Set CVSS vectors during vulnerability scanning

This fixes an issue where cvss information is missing if SBoM-based
dependency scanning ran in the pipeline.

Changelog: fixed
EE: true