classes: don't scan for CVEs in images or packagegroups

There's no point even looking in the database for these, so unset CVE_PRODUCT.

(From OE-Core rev: f47da3e91541d75e1213dd9cf1f89ed16f21141a)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/classes/image.bbclass

@@ -674,3 +674,5 @@ reproducible_final_image_task () {
     fi
 }
 IMAGE_PREPROCESS_COMMAND_append = " reproducible_final_image_task; "
+
+CVE_PRODUCT = ""

meta/classes/packagegroup.bbclass

@@ -56,3 +56,4 @@ python () {
         bb.fatal("Please ensure that your setting of VIRTUAL-RUNTIME_init_manager (%s) matches the entries enabled in DISTRO_FEATURES" % initman)
 }
 
+CVE_PRODUCT = ""