fix(sbom): don’t panic on SBOM format if scanned CycloneDX file has empty metadata

[DmitriyLewen]

Description

This PR fixes a panic that occurs when processing SBOM files that don't have a root component. The issue was in the CycloneDX marshaler where it would attempt to marshal a nil metadata.component without proper validation.

Related issues

• Close bug(cyclonedx): Trivy panics when scanning an SBOM in CycloneDX format if the file has an empty metadata component. #9561

Related PRs

• feat(cyclonedx): preserve SBOM structure when scanning SBOM files with vulnerability updates #9439

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).