feat(reporting): add CVEs column from vulnerabilities.vulnInfoList

- Backend extracts cves[] array from f.vulnerabilities.vulnInfoList[].cve
- Frontend shows up to 2 CVE badges (purple) with "+N more" overflow tooltip
- Filter is multi-value aware: selecting a CVE matches any finding containing it
- FilterDropdown expands multi-value arrays into individual checkbox options
- Sort by CVE count (number of associated CVEs)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/routes/ivantiFindings.js

@@ -127,6 +127,9 @@ function extractFinding(f) {
     // BU ownership: assetCustomAttributes['1550_host_1'] is an array like ["NTS-AEO-STEAM"]
     const buOwnership = f.assetCustomAttributes?.['1550_host_1']?.[0] || '';
 
+    // CVE list: vulnerabilities.vulnInfoList[].cve
+    const cves = (f.vulnerabilities?.vulnInfoList || []).map(v => v.cve).filter(Boolean);
+
     return {
         id: String(f.id),
         title: f.title || '',
@@ -139,7 +142,8 @@ function extractFinding(f) {
         slaStatus: f.slaStatus || '',
         dueDate,
         lastFoundOn: f.lastFoundOn || '',
-        buOwnership
+        buOwnership,
+        cves
     };
 }