[FEATURE] Support VEX without needing Components

[madpah]

As per this CycloneDX example, it is valid to have a CycloneDX document that includes just VEX data and through use of CycloneDX BomLink link to Components held in a separate CycloneDX document.

This mechanism allows for real-world Use Cases as the composition of a piece of software is fixed at a given point in time, whereas the known Vulnerabilities (or a Supplier's response to known Vulnerabilities) changes over time.

The adage: "Software ages like milk not wine" applies.

At present in cyclonedx-python-lib, the data model is structured such that Vulnerabilities are added to Component instances. The serialisers in this library also assume that Vulnerability data is only present if there are Components too.

This Feature should:

1. Allow for Vulnerability (VEX) data to be modelled without modelling Components fully
2. Enable consideration for bom-ref's that utilise CycloneDX BomLink

FYI @jkowalleck

[madpah]

The suggested plan to tackle this is to:

1. Update cyclonedx.model.bom.Bom to have a SortedSet of Vulnerability
2. Remove SortedSet of Vulnerability in cyclonedx.model.component.Component, but look to retain the existing method for adding a Vulnerability that relates to a Component to minimise breaking changes

Considerations remaining:

1. Should BomLinks be enforced / validated against external CycloneDX documents? If so, how? (note: this would probably require resolution/implementation of [FEATURE] Deserialize(denormalize) JSON/XML documents to Python objects(data model) #185)
2. Potentially review Bom.validate() logic as given BomLink, items could be referred to in another CDX document

[madpah]

Included in 4.0.0 - now released.