
fix(trivy): prevent import crash on legacy reports with missing Class field#15006

Open
stevewallone wants to merge 1 commit into DefectDojo:dev from stevewallone:fix/trivy-none-tag-import-crash

Conversation

@stevewallone


Description

Fixes #15005. Importing a legacy-format Trivy report that has no Class field crashes the import pipeline after parsing succeeds, with TypeError: expected string or bytes-like object, got 'NoneType' in clean_tags. The parser set unsaved_tags entries to None (e.g. ['debian', None]); clean_tags then ran TAG_PATTERN.sub("_", None) and raised, aborting the whole import.

Two-part fix:

  • dojo/validators.py — clean_tags now drops None entries instead of crashing. This defends the pipeline against any parser that emits a None tag, not just Trivy.
  • dojo/tools/trivy/parser.py — all four unsaved_tags assignments now filter out falsy values at the source, so legacy reports keep their real tag (debian) and simply omit the missing Class.

Test results

Extended the suite (both run green):

  • unittests/test_validators.py (new) — clean_tags with None entries, mixed, all-None, plus existing string/list/empty/invalid-type behavior.
  • unittests/tools/test_trivy_parser.py — asserts the legacy fixture's findings contain no None tags.

Verified end-to-end on a live 2.59.0 instance: before the fix the import returns HTTP 500 (and leaks 1 partial finding); after, HTTP 201 with all 93 findings (0 Critical / 18 High / 9 Medium / 65 Low / 1 Info), each tagged debian.

Documentation

None needed — bug fix, no behavior/config/model surface change.

Checklist

  • Rebased against the very latest dev.
  • Submitted against dev (a bug fix; CONTRIBUTING.md permits dev or bugfix).
  • Meaningful PR name (usable in release notes).
  • Ruff compliant (ruff.toml).
  • Python 3.13 compliant.
  • Not a new feature — no docs required.
  • No model changes — no migrations.
  • Tests added.
  • Label bugfix — I can't set labels as an external contributor; please apply on triage.

Targeted dev per CONTRIBUTING.md; happy to retarget to bugfix if you'd prefer it in a patch release.
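A stand-alone sketch of the two-part fix described above, written here as an added example rather than the PR's own diff or DefectDojo's code. TAG_PATTERN, the mapping of tags to the Trivy result's Type and Class fields, and the ValueError for non-string tags are my assumptions; the page names neither the regex nor the exception type.

```python
import re

# Assumed stand-in for DefectDojo's TAG_PATTERN (the real regex is not on the page):
# any character other than a letter, digit, dash or underscore becomes "_".
TAG_PATTERN = re.compile(r"[^A-Za-z0-9_-]")

def clean_tags_before_fix(tags):
    """Pre-fix shape: every entry hits re.sub, so ['debian', None] raises TypeError."""
    if isinstance(tags, str):
        tags = [tags]
    return [TAG_PATTERN.sub("_", tag) for tag in tags]

def clean_tags(tags):
    """Hardened validator: drop None entries; reject other non-string entries
    (ValueError is my choice, the PR does not name the exception type)."""
    if isinstance(tags, str):
        tags = [tags]
    cleaned = []
    for tag in tags:
        if tag is None:
            continue  # the fix: skip instead of passing None to re.sub
        if not isinstance(tag, str):
            raise ValueError(f"tag must be a string, got {type(tag).__name__}")
        cleaned.append(TAG_PATTERN.sub("_", tag))
    return cleaned

def trivy_result_tags(result):
    """Parser-side fix: filter falsy values at the source, so a legacy result
    without Class keeps its Type tag. Assumes the tags are Type and Class."""
    return [v for v in (result.get("Type"), result.get("Class")) if v]

def import_tags(result, filter_at_source=True):
    """Tags reaching the finding with one or both layers of the fix active."""
    raw = trivy_result_tags(result) if filter_at_source else [
        result.get("Type"), result.get("Class")]
    return clean_tags(raw)

def before_fix_failure(tags):
    """Exception class name the pre-fix validator raises for these tags, or None."""
    try:
        clean_tags_before_fix(tags)
    except Exception as exc:
        return type(exc).__name__
    return None

# Constructed Trivy result blocks: legacy (no Class) and current (Class present).
LEGACY_RESULT = {"Target": "debian:11", "Type": "debian", "Vulnerabilities": []}
MODERN_RESULT = {"Target": "debian:11", "Class": "os-pkgs", "Type": "debian", "Vulnerabilities": []}
```

Either layer alone is enough to turn the ['debian', None] case into a clean ['debian']; the pre-fix validator is kept only to show the TypeError the description quotes.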

Trivy legacy-format reports have no "Class" field, so the parser set
unsaved_tags entries to None (e.g. ['debian', None]). clean_tags then
crashed the whole import with TypeError in TAG_PATTERN.sub, after
parsing had already succeeded (regression from DefectDojo#14111 in 2.55.0).

- clean_tags: drop None entries instead of crashing (defends every parser)
- trivy parser: filter falsy values at all four unsaved_tags sites
- regression tests: clean_tags None handling; legacy fixture tags contain
  no None

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
valentijnscholten added this to the 2.59.2 milestone Jun 14, 2026