[K9VULN-14776] Emit manifest metadata for range resolution

[rjcoulter22]

Motivation

Manifest-only scans need enough metadata for downstream SCA enrichment: ranged dependencies should keep their declared range, and manifest-only dependencies should be marked for transitive enrichment.

Documentation

Document	Link or Detail
RFC	Resolving version ranges for SCA
Incident	N/A
Jira Ticket	K9VULN-14776

Summary

Adds manifest dependency metadata for lockfile-less scans.

• Preserves pyproject exact pins as Version.
• Preserves PEP 508 and Poetry ranges as VersionRange, including wildcard ranges like 1.*.
• Emits datadog:version-range only for ranged manifest dependencies in pytproject.toml files (package.json handled here)
• Emits datadog:requires-transitive-enrichment=true for emitted pyproject and package.json manifest dependencies.
• Allows ranged pyproject dependencies to emit with an empty CycloneDX version and unversioned PyPI PURL.

Testing

• New tests were added for new logic.
• Existing tests were updated for new logic, and not only so that they pass!
• Benchmark results prove that performance is the same or better.
  • Generated SBOM for rjcoulter22/sample-uv-service-v3/tree/main and checked results to verify correctness

Recovery

Notes for on-call - select only one:

• The change can be rolled back.
• Do not roll back. Why?:

[datadog-datadog-prod-us1]

🎯 Code Coverage (details)
• Patch Coverage: 79.56%
• Overall Coverage: 85.30% (-0.05%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 0aa1016 | Docs | Datadog PR Page | Give us feedback!}