VCIO-next: Do not mix unrelated affected and fixed packages

[pombredanne]

In the UI and API, we should not mix unrelated affected and fixed packages.
For instance for https://public.vulnerablecode.io/vulnerabilities/VCID-pst1-g1u7-aaan for CVE-2022-21704, the affected "pkg:npm/log4js@0.1.0" is surely not fixed by "pkg:deb/debian/node-log4js@0.6.18-1" ... these are related but completely different PURLs.

• "pkg:npm/log4js@0.1.0" MUST be fixed by a "pkg:npm/log4js"
• "pkg:deb/debian/node-log4js@0.6.18-1" must be fixing some "pkg:deb/debian/node-log4js"

For the UI, see:

• Consolidate 'Fixed by packages' tab and 'Affected packages' tab in Vulnerability details page #1287

[pombredanne]

This has been implemented and fixed in the UI by @johnmhoran (Thanks!)

We still need to do the work in the API:

[TG1999]

Will fix this in V2 API.

[pombredanne]

The new API v2 has different semantics and is always by package therefore this does not apply there anymore. Closing now!