[Enhancement] Add unit tests for internal/vulnscan: PURL parsing and ApplyToDOM are completely untested #19

@wiebe-vandendriessche

Problem or motivation

internal/vulnscan/vulnscan.go implements PURL-based component identification (hfIDFromComponent, datasetIDFromComponent, idFromPURL, datasetIDFromPURL) and ApplyToDOM, which merges new vulnerability scan results into an existing BOM in-place. There is no vulnscan_test.go. The PURL parsing logic is fragile — it slices string prefixes and relies on segment counts — and is not exercised by any existing test. Any regression in these functions would be invisible.

Proposed solution

Add internal/vulnscan/vulnscan_test.go covering:

  • idFromPURL: valid model PURLs, PURLs missing the namespace segment, PURLs with @sha suffixes
  • datasetIDFromPURL: single-segment and namespaced dataset IDs, @sha suffix stripping, the datasets/ prefix case
  • ApplyToDOM: BOM with no existing vulnerabilities (append path), BOM with a matching BOM-ref (replace path), empty results (no-op)
  • scanComponents via the treeFetcherIface interface already used internally for injection

Alternatives considered

None — this is a straightforward gap to fill with standard table-driven unit tests.

Additional context

Affected file: internal/vulnscan/vulnscan.go:115-175.
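
The table-driven shape proposed above, as an added example that is not the project's code: modelIDFromPURL is a hypothetical stand-in for idFromPURL. The pkg:huggingface/<namespace>/<name>[@<revision>] shape, the rejection of PURLs without a namespace, and every sample PURL are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// modelIDFromPURL is a hypothetical stand-in, not the project's idFromPURL.
// Assumed input shape: pkg:huggingface/<namespace>/<name>[@<revision>].
func modelIDFromPURL(purl string) (string, bool) {
	const prefix = "pkg:huggingface/"
	if !strings.HasPrefix(purl, prefix) {
		return "", false
	}
	rest := purl[len(prefix):]
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		rest = rest[:i] // drop the @revision suffix
	}
	parts := strings.Split(rest, "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", false // assumed: a model ID needs namespace and name
	}
	return rest, true
}

// Constructed sample inputs; none come from the project.
var purlCases = []struct {
	name, purl, want string
	ok               bool
}{
	{"namespaced model", "pkg:huggingface/acme/demo-model", "acme/demo-model", true},
	{"revision suffix", "pkg:huggingface/acme/demo-model@0123abcd", "acme/demo-model", true},
	{"missing namespace", "pkg:huggingface/demo-model@0123abcd", "", false},
	{"empty name", "pkg:huggingface/acme/@0123abcd", "", false},
	{"extra segment", "pkg:huggingface/a/b/c", "", false},
	{"other type", "pkg:pypi/demo@1.0", "", false},
}

// failures returns one message per case whose result differs from the table.
func failures() []string {
	var out []string
	for _, c := range purlCases {
		if got, ok := modelIDFromPURL(c.purl); got != c.want || ok != c.ok {
			out = append(out, fmt.Sprintf("%s: got (%q, %v)", c.name, got, ok))
		}
	}
	return out
}
func main() { fmt.Println("mismatches:", failures()) }
```

In a real vulnscan_test.go the loop body would sit inside t.Run(c.name, ...) so each row reports as its own subtest.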

Labels: enhancement (New feature or request), tests (Write tests)
