fix: address review comments on SBOM dedup check and null-safety

1. CycloneDXSbom.checkIfPackageInsideDependsOnList: the stream result
   was never assigned back to allDirectDeps, so the check always returned
   false. Also changed getName() comparison to use full namespace/name to
   handle scoped packages (e.g. @babel/core).

2. JavaScriptProvider.addDependenciesFromKey: added null check for version
   node before calling asText(), matching the defensive pattern already
   used in addDependenciesOf.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: soul2zimate

src/main/java/io/github/guacsec/trustifyda/providers/JavaScriptProvider.java

@@ -177,8 +177,11 @@ private void addDependenciesFromKey(Sbom sbom, JsonNode depTree, String key) {
     deps.fields()
         .forEachRemaining(
             e -> {
-              var version = e.getValue().get("version").asText();
-              var target = toPurl(e.getKey(), version);
+              JsonNode versionNode = e.getValue().get("version");
+              if (versionNode == null || versionNode.isNull()) {
+                return; // skip entries without a resolved version
+              }
+              var target = toPurl(e.getKey(), versionNode.asText());
               sbom.addDependency(manifest.root, target, null);
               addDependenciesOf(sbom, target, e.getValue());
             });

src/main/java/io/github/guacsec/trustifyda/sbom/CycloneDXSbom.java

@@ -337,18 +337,28 @@ public boolean checkIfPackageInsideDependsOnList(PackageURL component, String na
       List<Dependency> deps = targetComponent.getDependencies();
       List<PackageURL> allDirectDeps = Collections.emptyList();
       if (deps != null) {
-        deps.stream()
-            .map(
-                dep -> {
-                  try {
-                    return new PackageURL(dep.getRef());
-                  } catch (MalformedPackageURLException e) {
-                    throw new RuntimeException(e);
-                  }
-                })
-            .collect(Collectors.toList());
+        allDirectDeps =
+            deps.stream()
+                .map(
+                    dep -> {
+                      try {
+                        return new PackageURL(dep.getRef());
+                      } catch (MalformedPackageURLException e) {
+                        throw new RuntimeException(e);
+                      }
+                    })
+                .collect(Collectors.toList());
       }
-      result = allDirectDeps.stream().anyMatch(dep -> dep.getName().equals(name));
+      result =
+          allDirectDeps.stream()
+              .anyMatch(
+                  dep -> {
+                    var fullName =
+                        dep.getNamespace() != null
+                            ? dep.getNamespace() + "/" + dep.getName()
+                            : dep.getName();
+                    return fullName.equals(name);
+                  });
     }
     return result;
   }