
feat(cyclonedx): preserve SBOM structure when scanning SBOM files with vulnerability updates #9438

@knqyf263

Description

Summary

When scanning CycloneDX SBOM files to add vulnerability information and re-outputting as CycloneDX, Trivy rebuilds the entire BOM structure, losing custom components and corrupting external properties with unwanted aquasecurity:trivy: namespace prefixes.

Problem Description

Main use case: Scan existing CycloneDX SBOM → Add vulnerabilities → Output CycloneDX SBOM

Current issues:

  1. External properties get unwanted prefixes: custom:environment becomes aquasecurity:trivy:custom:environment
  2. Custom components are lost: Custom components and custom elements are removed
  3. SBOM structure is rebuilt: Original structure and relationships are not preserved

Example

# Generate base SBOM
./trivy image alpine:3.18 --format cyclonedx --output base.json

# Add custom properties and application component
jq '
.metadata.component.properties += [{"name": "custom:environment", "value": "test"}] |
.components += [{
  "type": "application",
  "bom-ref": "custom-app@1.0.0",
  "name": "custom-app",
  "version": "1.0.0",
  "properties": [{"name": "custom:app-type", "value": "test-application"}]
}]
' base.json > custom.json

# Scan and re-output
trivy sbom custom.json --format cyclonedx --output result.json

# Properties get unwanted prefixes (wrong)
jq '.metadata.component.properties[] | select(.name | contains("custom"))' result.json
# {"name": "aquasecurity:trivy:custom:environment", "value": "test"}

# Custom components are lost (wrong)
jq '.components[] | select(.name == "custom-app")' result.json
# Empty

Expected Behavior

  • Preserve external properties: Keep original names without adding Trivy namespace prefixes
  • Maintain custom components: Preserve custom components and custom elements
  • Update vulnerabilities only: Add/update vulnerability data while preserving original structure
  • Keep Trivy property prefixes: Only Trivy-generated properties should have aquasecurity:trivy: prefixes
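A way to verify the expected behaviour above against real output, as an added example that is not part of this issue and not Trivy's own code. It compares the CycloneDX SBOM given to `trivy sbom` with the CycloneDX SBOM Trivy writes back and lists every place the original structure was not preserved, applying the rule the issue asks for: a property whose name does not already sit under `aquasecurity:trivy:` must come back unchanged, and every original component (matched by `bom-ref`) must still be present. The script name, the `ORIGINAL_SBOM` sample and the `constructed_buggy_output()` shape are constructed for illustration, not captured Trivy output.

```python
"""Round-trip check: did `trivy sbom in.json --format cyclonedx` preserve the input structure?

Added example, not Trivy's code. Usage against real files (script name assumed):
    python check_sbom_roundtrip.py custom.json result.json
Exit status 1 and one line per regression when something was prefixed, dropped or lost.
"""
import copy
import json
import sys

TRIVY_NS = "aquasecurity:trivy:"

# Constructed sample input: a Trivy-style image SBOM with one user-added property
# on the root component and one user-added application component (values are made up).
ORIGINAL_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "type": "container",
            "name": "alpine:3.18",
            "properties": [
                {"name": TRIVY_NS + "SchemaVersion", "value": "2"},
                {"name": "custom:environment", "value": "test"},
            ],
        }
    },
    "components": [
        {
            "type": "library",
            "bom-ref": "pkg:apk/alpine/musl@1.2.4-r1",
            "name": "musl",
            "version": "1.2.4-r1",
            "properties": [{"name": TRIVY_NS + "PkgType", "value": "alpine"}],
        },
        {
            "type": "application",
            "bom-ref": "custom-app@1.0.0",
            "name": "custom-app",
            "version": "1.0.0",
            "properties": [{"name": "custom:app-type", "value": "test-application"}],
        },
    ],
}


def constructed_buggy_output():
    """Mimic the output shape the issue reports (constructed, not real Trivy output):
    non-Trivy properties get the Trivy prefix and the custom component is dropped."""
    bom = copy.deepcopy(ORIGINAL_SBOM)
    for prop in bom["metadata"]["component"]["properties"]:
        if not prop["name"].startswith(TRIVY_NS):
            prop["name"] = TRIVY_NS + prop["name"]
    bom["components"] = [c for c in bom["components"] if c["type"] != "application"]
    return bom


def property_regressions(original_obj, result_obj, where):
    """Findings for one object's properties list: a non-Trivy property that was
    prefixed or dropped. Properties already under TRIVY_NS are Trivy's to rewrite."""
    findings = []
    result_names = {p["name"] for p in result_obj.get("properties", [])}
    for name in sorted({p["name"] for p in original_obj.get("properties", [])}):
        if name.startswith(TRIVY_NS) or name in result_names:
            continue  # Trivy-owned, or preserved verbatim
        if TRIVY_NS + name in result_names:
            findings.append(f"{where}: property {name!r} came back as {TRIVY_NS + name!r}")
        else:
            findings.append(f"{where}: property {name!r} was dropped")
    return findings


def check_roundtrip(original, result):
    """Return human-readable regressions; an empty list means the structure survived."""
    findings = property_regressions(
        original.get("metadata", {}).get("component", {}),
        result.get("metadata", {}).get("component", {}),
        "metadata.component",
    )
    by_ref = {c["bom-ref"]: c for c in result.get("components", []) if "bom-ref" in c}
    for comp in original.get("components", []):
        ref = comp.get("bom-ref")
        if ref not in by_ref:
            findings.append(f"component {ref!r} ({comp.get('name')}) is missing from the output")
            continue
        findings.extend(property_regressions(comp, by_ref[ref], f"component {ref!r}"))
    return findings


if __name__ == "__main__":
    with open(sys.argv[1]) as orig_f, open(sys.argv[2]) as res_f:
        problems = check_roundtrip(json.load(orig_f), json.load(res_f))
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Matching components by `bom-ref` rather than by position is deliberate: Trivy may legitimately add or reorder components (and add a `vulnerabilities` array), so only the disappearance of an original `bom-ref` or the renaming of a non-Trivy property counts as a regression.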

Labels

kind/feature: Categorizes issue or PR as related to a new feature.
scan/sbom: Issues relating to SBOM.
