Direct dependencies missing if package is used as both direct and transitive dependency

[rogu-beta]

Describe the bug
The dependency graph gathered from load_sbom does not accurately represent what is contained within the SBOM. If a package is both a direct dependency and transitive dependency at the same time, the listing will only show the package as a transitive dependency.

In the example given below, the package pkg:npm/%40angular/animations@18.2.9 is both a dependency to the global dejacode-demo representing the project and the package pkg:npm/@angular/material@18.2.9. This can be seen in the section:

"dependencies": [
        {
            "ref": "pkg:npm/dejacode-demo",
            "dependsOn": [
                "pkg:npm/@angular/animations@18.2.9",
                "pkg:npm/@angular/common@18.2.9",
                "pkg:npm/@angular/compiler@18.2.9",
                "pkg:npm/@angular/core@18.2.9",
                "pkg:npm/@angular/forms@18.2.9",
                "pkg:npm/@angular/material@18.2.9",
                "pkg:npm/@angular/platform-browser-dynamic@18.2.9",
                "pkg:npm/@angular/platform-browser@18.2.9",
                "pkg:npm/@angular/router@18.2.9",
                "pkg:npm/@jsverse/transloco@7.6.1",
                "pkg:npm/@ngrx/effects@18.1.1",
                "pkg:npm/@ngrx/store@18.1.1",
                "pkg:npm/ngx-echarts@19.0.0",
                "pkg:npm/ngx-toastr@17.0.2",
                "pkg:npm/tslib@2.8.1"
            ]
        },

{
            "ref": "pkg:npm/@angular/material@18.2.9",
            "dependsOn": [
                "pkg:npm/@angular/animations@18.2.9",
                "pkg:npm/@angular/cdk@18.2.9",
                "pkg:npm/@angular/common@18.2.9",
                "pkg:npm/@angular/core@18.2.9",
                "pkg:npm/@angular/forms@18.2.9",
                "pkg:npm/@angular/platform-browser@18.2.9",
                "pkg:npm/rxjs@7.8.2",
                "pkg:npm/tslib@2.8.1"
            ]
        },

However, the result in ScanCode.io only shows pkg:npm/@angular/animations@18.2.9 as a dependency of pkg:npm/@angular/material@18.2.9.

System configuration

• ScanCode.io 35.4.0
• Running with custom Helm deployment
• Linux
• Using the following SBOM as input: 2025-10-23-deps-graph-debug-sbom-import.json
• Using load_sbom as pipeline

To Reproduce
Steps to reproduce the behavior:

1. Create a new project in ScanCode.io
2. Upload the SBOM file
3. Select load_sbom as pipeline
4. Run the pipeline
5. Once the job has completed open the dependencies
6. Search for pkg:npm/@angular/animations@18.2.9 and notice that there is only one occurrence in the tree

Expected behavior
The tree should accurately represent all dependency relationships found in the SBOM

Screenshots

[rogu-beta]

Requesting the data available via the API, it seems that direct dependencies are not retained at all. It only stores relations between packages/components in pairs, excluding the root component. The tree seems to be a reconstruction based on the data and thus misses direct dependencies. Representing the full data correctly is required should DejaCode want to properly export the SBOM with the right dependency graph.