I did something similar (scan an application that uses a package manager that is not supported by IQ), and I found IQ to be rather useless for that usage…
It has an API endpoint to ingest SBOMs, but the SBOM needs to provide all the information (including vulnerabilities). So it seemed that one needed to scan their application themselves to be able to import the results into IQ…