
bug(vex): Trivy incorrectly suppresses vulnerabilities if the report contains orphan packages. #9526

@DmitriyLewen

Description


There are cases when a Trivy SBOM report contains an orphan package (see #9011).
This is related to an infinite loop in dependencies, e.g.:

pkgA -> pkgB
pkgB -> pkgA

Therefore, for such packages, we cannot reach the root of the tree and must mark them as affected (!notAffected).

`return false`

The vex package should handle such cases, similar to how it handles packages without a parent.
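To make the required behaviour concrete, the following is an added illustration, not Trivy's own vex code. It assumes a simplified model in which a VEX "not affected" statement for the root component only covers a package whose chain of parent edges actually reaches the root; walking upwards with the current path tracked as a set means a cycle such as pkgA -> pkgB -> pkgA is detected instead of looping forever, and both cycles and parentless packages fall through to `return false`, i.e. stay affected. The graph below is a constructed sample.

```go
package main

import "fmt"

// sampleParents maps each package to the packages that depend on it
// (its parents). Constructed sample, not Trivy's data model:
//   - "app"  is the root component
//   - pkgC   is reachable from the root
//   - pkgA and pkgB depend on each other (a cycle, never reaching the root)
//   - pkgD   has no parent at all (an orphan)
//   - pkgE   has one parent inside the cycle and one that is the root
var sampleParents = map[string][]string{
	"pkgC": {"app"},
	"pkgA": {"pkgB"},
	"pkgB": {"pkgA"},
	"pkgD": {},
	"pkgE": {"pkgA", "app"},
}

// ReachesRoot reports whether following parent edges from pkg ever
// arrives at root. A package that only leads back into a cycle, or that
// has no parents, never reaches the root.
func ReachesRoot(parents map[string][]string, pkg, root string) bool {
	return reachesRoot(parents, pkg, root, map[string]bool{})
}

// reachesRoot is the recursive walk; onPath holds the packages on the
// current ancestor chain so a revisit is recognised as a cycle.
func reachesRoot(parents map[string][]string, pkg, root string, onPath map[string]bool) bool {
	if pkg == root {
		return true
	}
	if onPath[pkg] {
		// We are back at a package already on this chain: infinite loop
		// in dependencies, so this path cannot reach the root.
		return false
	}
	onPath[pkg] = true
	defer delete(onPath, pkg) // other branches may legitimately pass through pkg

	for _, p := range parents[pkg] {
		if reachesRoot(parents, p, root, onPath) {
			return true
		}
	}
	// Either no parent at all (orphan) or every parent dead-ends or cycles.
	return false
}

// Affected is the conservative decision for a root-level "not affected"
// VEX statement: the finding may only be suppressed (returns false) when
// the package's dependency chain reaches the root the statement is about.
func Affected(parents map[string][]string, pkg, root string) bool {
	return !ReachesRoot(parents, pkg, root)
}

func main() {
	for _, pkg := range []string{"pkgC", "pkgA", "pkgB", "pkgD", "pkgE"} {
		fmt.Printf("%s affected=%v\n", pkg, Affected(sampleParents, pkg, "app"))
	}
}
```

Running it prints `affected=false` for pkgC and pkgE only; pkgA, pkgB and pkgD remain affected because their chains never reach `app`. The `defer delete(onPath, pkg)` matters for pkgE: its first parent leads into the pkgA/pkgB cycle, and clearing the path on return lets the second parent still be explored.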

Metadata


Assignees

Labels

No labels

Type

No type

Projects

Status

No status

Milestone

Relationships

None yet

Development

No branches or pull requests
