fix: make VulnerabilityReference arguments mandatory

[indiVar0508]

This issue is created from this thread re: #786 (comment)

It's been noticed that VulnerabilityReference class in implementation has defined the attributes id and source as optional
ref: https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/cyclonedx/model/vulnerability.py#L486...L497

but if we refer the documentation of cyclonedx

<bom:references      > [0..1] 
	Start Sequence [0..*] 
	<bom:reference            > [1] 
		<bom:id> xs:normalizedString </bom:id> [1] 
		<bom:source> bom:vulnerabilitySourceType </bom:source> [1] 
	</bom:reference> Allow any elements from a namespace other than this schema's namespace (lax validation). [0..*] End Sequence 
</bom:references>

The refrences is optional but if a reference is defined id and source are mandatory, but current implementation treats these as optional

[jkowalleck]

please write a proper ticket. current ticket description is not helping, and requires detailed research for even understanding the scope.

[jkowalleck]

this fix will alter public API, and is therefore considered breaking change.
this is not a stoper, just a remark.

[jkowalleck]

i'll be working on this

[jkowalleck]

did some research.

• in v1.4 JSON scheme, both properties were mandatory: https://github.com/CycloneDX/specification/blob/d570ffb8956d796585b9574e57598c42ee9de770/schema/bom-1.4.schema.json#L1455-L1474
• in v1.4 XML schema, both properties were optional: https://github.com/CycloneDX/specification/blob/d570ffb8956d796585b9574e57598c42ee9de770/schema/bom-1.4.xsd#L1788-L1797
• in v1.5 XML schema, both were mandatory: https://github.com/CycloneDX/specification/blob/d570ffb8956d796585b9574e57598c42ee9de770/schema/bom-1.5.xsd#L3364-L3374

since JSON schema was chosen as the dominant schema, the one that serves as first spec implementation,
and since XML schema was "fixed" to work same as JSON schema,
I'd consider it canon/spec that both properties were always mandatory.