
[sbom] Upload manifest metadata properties#2329

Open
rjcoulter22 wants to merge 2 commits into master from ryan.coulter/sbom/upload-manifest-metadata

[sbom] Upload manifest metadata properties#2329
rjcoulter22 wants to merge 2 commits into
masterfrom
ryan.coulter/sbom/upload-manifest-metadata

Conversation


@rjcoulter22 rjcoulter22 commented May 21, 2026

🚀 Motivation

Manifest-only SCA scans need to carry version range information and signal that transitive dependency enrichment is required. Today datadog-ci silently drops these properties from the upload payload because only a fixed allow-list of datadog:* properties is recognized.

📚 Documentation

Document | Link or Detail
RFC | N/A
Incident | N/A
Jira Ticket | K9VULN-14786

📝 Summary

  • Parse datadog:version-range (string) and datadog:requires-transitive-enrichment (boolean) on SBOM library components in extractingDependency and include them on the uploaded Dependency.
  • Extend the Dependency type with version_range and requires_transitive_enrichment fields.
  • Remove the long-deprecated osv-scanner:* and datadog-sbom-generator:* property prefixes along with their dual-parse fallback in payload.ts — the SBOM generator only emits datadog:-prefixed properties now. Migrated the test fixtures to canonical names and deleted the dedicated dual-parse test.
    • As you can see from this metric, we have not seen the legacy property convention since its removal.

🧪 Testing

  • New tests were added for new logic.
  • Existing tests were updated for new logic, and not only so that they pass!
  • Benchmark results prove that performance is the same or better.

🚧 Staging validation

  • Deployed and monitored using Datadog dashboards.
  • Proof that it works as expected, including profiling or UX screenshots.
    • Uploaded SBOM using local build successfully, verified results in staging (repos page, vulns page)
    • Ranged versions are filtered out by our backend; support for resolving them will be added in a follow-up.
[Screenshot: staging results, 2026-05-21]

🆘 Recovery

Notes for on-call - select only one:

  • The change can be rolled back.
  • Do not roll back. Why?:
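The property extraction the summary describes, as an added example that is not datadog-ci's own code. It models a CycloneDX `components[]` entry of type `library` carrying name/value `properties[]`, recognises only `datadog:`-prefixed names, parses `datadog:version-range` as a string and `datadog:requires-transitive-enrichment` strictly as a boolean, and ignores the legacy `osv-scanner:` / `datadog-sbom-generator:` prefixes entirely. The function names, the `purl` requirement, the `Dependency` field set and the sample SBOM are assumptions made for the example.

```typescript
// Added example, not datadog-ci's own code. The CycloneDX component shape,
// the Dependency field set and the function names are assumptions.

interface CycloneDxProperty {
  name: string;
  value: string;
}

interface CycloneDxComponent {
  type: string;
  name: string;
  version?: string;
  purl?: string;
  properties?: CycloneDxProperty[];
}

interface Dependency {
  name: string;
  version: string;
  purl: string;
  version_range?: string;
  requires_transitive_enrichment?: boolean;
}

// Only the canonical prefix is recognised; the legacy
// `osv-scanner:` / `datadog-sbom-generator:` prefixes are never consulted.
const PROPERTY_PREFIX = 'datadog:';

// Parse a boolean property strictly: anything other than the literal
// strings "true"/"false" is treated as absent, not as truthy, so a
// generator emitting "yes" or "1" cannot silently toggle enrichment.
function parseBooleanProperty(value: string | undefined): boolean | undefined {
  if (value === undefined) return undefined;
  const v = value.trim().toLowerCase();
  if (v === 'true') return true;
  if (v === 'false') return false;
  return undefined;
}

// Collect `datadog:*` properties (with the prefix stripped), dropping all others.
function datadogProperties(component: CycloneDxComponent): Map<string, string> {
  const out = new Map<string, string>();
  for (const p of component.properties ?? []) {
    if (p.name.startsWith(PROPERTY_PREFIX)) {
      out.set(p.name.slice(PROPERTY_PREFIX.length), p.value);
    }
  }
  return out;
}

// Build the upload Dependency for one library component. Components that
// are not libraries, or that lack a purl, are skipped (assumption).
function extractDependency(component: CycloneDxComponent): Dependency | undefined {
  if (component.type !== 'library' || !component.purl) return undefined;
  const props = datadogProperties(component);
  const dep: Dependency = {
    name: component.name,
    version: component.version ?? '',
    purl: component.purl,
  };
  const range = props.get('version-range');
  if (range !== undefined && range.trim() !== '') dep.version_range = range.trim();
  const enrich = parseBooleanProperty(props.get('requires-transitive-enrichment'));
  if (enrich !== undefined) dep.requires_transitive_enrichment = enrich;
  return dep;
}

function extractAll(sbom: { components: CycloneDxComponent[] }): Dependency[] {
  return sbom.components
    .map(extractDependency)
    .filter((d): d is Dependency => d !== undefined);
}

// Constructed sample: a manifest-only scan where lodash is known only by
// a range, express is pinned, and a legacy-prefixed property is present.
const SAMPLE_SBOM = {
  components: [
    {
      type: 'library', name: 'lodash', version: '', purl: 'pkg:npm/lodash',
      properties: [
        { name: 'datadog:version-range', value: '^4.17.0' },
        { name: 'datadog:requires-transitive-enrichment', value: 'true' },
      ],
    },
    {
      type: 'library', name: 'express', version: '4.18.2', purl: 'pkg:npm/express@4.18.2',
      properties: [
        { name: 'osv-scanner:requires-transitive-enrichment', value: 'true' }, // legacy, ignored
      ],
    },
    { type: 'application', name: 'my-app', purl: 'pkg:npm/my-app' },
  ],
};

const UPLOADED = extractAll(SAMPLE_SBOM);
```

Two details matter for the upload: a ranged dependency arrives with an empty `version` and a populated `version_range`, which is exactly the shape the backend currently filters out, and the boolean is parsed from the literal strings only, so a malformed value is dropped rather than coerced.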


datadog-official Bot commented May 21, 2026


⚠️ Warnings

🚦 1 Pipeline job failed

Job: PR labels | Categorize PR (GitHub Actions)

🛟 This job is unlikely to succeed on retry. Please review your pipeline configuration. Label error. Requires at least 1 of: datadog-ci, dependencies, documentation, chores, release, code-intelligence, software-delivery, static-analysis, rum, serverless, source-code-integration, synthetics, profiling. Found:

ℹ️ Info

No other issues found.

🧪 All tests passed
❄️ No new flaky tests detected

🔗 Commit SHA: d6d6ca7

@rjcoulter22 rjcoulter22 added the static-analysis Related to [sarif, sbom] label May 21, 2026
@rjcoulter22 (Author)

@codex review

@chatgpt-codex-connector

To use Codex here, create a Codex account and connect to github.

@rjcoulter22 rjcoulter22 marked this pull request as ready for review May 21, 2026 15:27
@rjcoulter22 rjcoulter22 requested review from a team as code owners May 21, 2026 15:27
@anderruiz (Contributor) left a comment

LGTM


Labels

static-analysis Related to [sarif, sbom]
