fix(cyclonedx): preserve component group in BOM import to prevent name collisions

[MrButtCode]

This PR addresses issue #2298 where the CycloneDX importer silently discards the group field, leading to name collisions and incorrect component merging during deduplication.

Changes:

• Modified createComponent in CycloneDxBOMImporter.java to prepend the group to the name (e.g., group/name).
• Added a .startsWith() safety guard to ensure the group is not prepended if the name field already contains the group prefix, handling inconsistencies across different SBOM generators.
• Verified via components.thrift that the internal data model currently lacks a dedicated package namespace field, making concatenation the most viable architectural approach.

Testing:

• Verified that backend/common compiles successfully.
• SpdxBOMImporterTest and CycloneDX importer unit tests pass locally.

Migration Considerations:
As noted in my analysis on the issue thread, existing components in a user's database previously imported without groups (e.g., browser) will not automatically merge with new imports containing groups (e.g., @sentry/browser). Users may need to re-import affected SBOMs for clean data.

Related Issue:
Fixes #2298
Detailed architectural analysis can be found in my comment on the issue thread: #2298 (comment)