openvex / vexctl

A tool to create, transform and attest VEX metadata
Apache License 2.0

When `--subcomponents` flag is used, value supplants the value of `--products` #88

Closed chipzoller closed 1 year ago

chipzoller commented 1 year ago

Version: v0.2.0

If I pass the `--subcomponents` flag with a value while the `--products` flag is present with a value, the output document uses the value of the `--subcomponents` flag in the `products[]` array and disregards entirely the value passed to the `--products` flag. There are no subcomponents then listed:

```shell
vexctl create --product="pkg:apk/wolfi/trivy@0.36.1-r0?arch=x86_64" --vuln="CVE-2023-12345" --status="not_affected" --justification="component_not_present"
```

```json
{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/public/vex-0b10f59a0f9a9010440ee2eb26db340613ca904057b3452e7d6c03f2517dd877",
  "author": "Unknown Author",
  "role": "Document Creator",
  "timestamp": "2023-07-05T20:31:02.859885-05:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2023-12345",
      "products": [
        "pkg:apk/wolfi/trivy@0.36.1-r0?arch=x86_64"
      ],
      "status": "not_affected",
      "justification": "component_not_present"
    }
  ]
}
```

```shell
vexctl create --product="pkg:apk/wolfi/trivy@0.36.1-r0?arch=x86_64" --subcomponents="pkg:apk/foo/bar@0.1.1?arch=x86_64" --vuln="CVE-2023-12345" --status="not_affected" --justification="component_not_present"
```

```json
{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/public/vex-a89f0044bd13887a978477a60c00a2ae0282840a54b819cdd86ced19080bcbb4",
  "author": "Unknown Author",
  "role": "Document Creator",
  "timestamp": "2023-07-05T20:31:09.11083-05:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2023-12345",
      "products": [
        "pkg:apk/foo/bar@0.1.1?arch=x86_64"
      ],
      "status": "not_affected",
      "justification": "component_not_present"
    }
  ]
}
```
chipzoller commented 1 year ago

Even on HEAD I'm still seeing this.
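As a regression check for the behaviour reported in this issue, the following is an added Go example, not code from vexctl or go-vex. It parses a generated document with the standard library only and verifies that the purl given to `--product` landed in `products[]` and the purl given to `--subcomponents` landed in a sibling `subcomponents[]` array rather than replacing the product. The flat string-array layout for `products` and `subcomponents`, the `Statement`/`Document` types, and the two sample documents are assumptions constructed from the output in the report; the expected document shows the layout the reporter describes as missing, not an output the page itself shows.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Statement mirrors the flat layout in the report's output: products and
// subcomponents as arrays of package-URL strings. Assumed shape for this
// check, not the project's own types.
type Statement struct {
	Vulnerability string   `json:"vulnerability"`
	Products      []string `json:"products"`
	Subcomponents []string `json:"subcomponents,omitempty"`
	Status        string   `json:"status"`
	Justification string   `json:"justification,omitempty"`
}

// Document keeps only the field the check needs; other keys are ignored.
type Document struct {
	Statements []Statement `json:"statements"`
}

// CheckStatementScope parses a vexctl-style document and confirms that every
// statement lists wantProducts in products[] and wantSubs in subcomponents[],
// and that no subcomponent purl has been promoted into products[]. It returns
// one finding per deviation; an empty slice means the document matches the flags.
func CheckStatementScope(doc []byte, wantProducts, wantSubs []string) ([]string, error) {
	var d Document
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, fmt.Errorf("parsing VEX document: %w", err)
	}
	if len(d.Statements) == 0 {
		return nil, fmt.Errorf("document contains no statements")
	}
	var findings []string
	for i, st := range d.Statements {
		products := toSet(st.Products)
		subs := toSet(st.Subcomponents)
		for _, p := range wantProducts {
			if !products[p] {
				findings = append(findings, fmt.Sprintf("statement %d: product %q missing from products[]", i, p))
			}
		}
		for _, s := range wantSubs {
			if products[s] {
				findings = append(findings, fmt.Sprintf("statement %d: subcomponent %q appears in products[] (it supplanted the product)", i, s))
			}
			if !subs[s] {
				findings = append(findings, fmt.Sprintf("statement %d: subcomponent %q missing from subcomponents[]", i, s))
			}
		}
	}
	return findings, nil
}

func toSet(xs []string) map[string]bool {
	m := make(map[string]bool, len(xs))
	for _, x := range xs {
		m[x] = true
	}
	return m
}

// The purls passed on the command line in the report.
const (
	ProductPurl = "pkg:apk/wolfi/trivy@0.36.1-r0?arch=x86_64"
	SubPurl     = "pkg:apk/foo/bar@0.1.1?arch=x86_64"
)

// BuggyDoc is the report's second output trimmed to its statement.
// ExpectedDoc is a constructed document showing the intended layout.
const BuggyDoc = `{
  "@context": "https://openvex.dev/ns",
  "statements": [
    {
      "vulnerability": "CVE-2023-12345",
      "products": ["pkg:apk/foo/bar@0.1.1?arch=x86_64"],
      "status": "not_affected",
      "justification": "component_not_present"
    }
  ]
}`

const ExpectedDoc = `{
  "@context": "https://openvex.dev/ns",
  "statements": [
    {
      "vulnerability": "CVE-2023-12345",
      "products": ["pkg:apk/wolfi/trivy@0.36.1-r0?arch=x86_64"],
      "subcomponents": ["pkg:apk/foo/bar@0.1.1?arch=x86_64"],
      "status": "not_affected",
      "justification": "component_not_present"
    }
  ]
}`

func main() {
	for name, doc := range map[string]string{"buggy": BuggyDoc, "expected": ExpectedDoc} {
		findings, err := CheckStatementScope([]byte(doc), []string{ProductPurl}, []string{SubPurl})
		if err != nil {
			fmt.Println(name+":", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run against the report's second output this yields three findings (product missing from `products[]`, subcomponent present in `products[]`, subcomponent missing from `subcomponents[]`), and none against the expected layout; piping `vexctl create ... | go run .` style into the checker is a cheap way to catch a regression of this flag handling in CI.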