@thanhnguyen-mdb
Contributor

PYTHON-5433

Summary

Switched SBOM generation from cdxgen to cyclonedx-py v7.2.1 to ensure compatibility with our internal Silkbomb validation tool. The issue is that cdxgen generates SBOMs with a lifecycles metadata field (part of CycloneDX 1.5 spec) that the Python library used by Silkbomb doesn't support yet (see CycloneDX/cyclonedx-python-lib#578), causing validation failures. cyclonedx-py generates spec-compliant 1.5 SBOMs without this field, ensuring compatibility with both the official CycloneDX CLI validator and Silkbomb's internal validation. Also added CycloneDX CLI validation step to the workflow. Tested successfully with both CycloneDX CLI validation and Silkbomb's update/validate commands.

See sample PR for update changes: thanhnguyen-mdb#11

Changes in this PR

Testing Plan

Generated a new SBOM in the fork & ran Silkbomb update/validate locally:
Update:

4:58:35.006641 [info     ] Found existing dependencies    [sbom_loader] num_pkgs=2 path=/home/ubuntu/mms/sbom.json
14:58:35.014859 [info     ] Updating all components currently in the SBOM [sbom_updater]
14:58:35.015083 [warning  ] Preserving internal:manual_update purls [sbom_updater] manual_update=
14:58:35.015160 [info     ] querying npm packages          [sbom_updater] num_pkgs=0
14:58:35.015448 [info     ] querying maven packages        [sbom_updater] num_pkgs=0
14:58:35.015630 [info     ] querying clearlydefined.io     [sbom_updater] num_pkgs=2
14:58:35.197688 [info     ] querying api.deps.dev items    [sbom_updater] num_pkgs=2
14:58:35.353697 [info     ] Checking closest match         [api_deps_dev] closest_purl=pkg:pypi/pymongo@4.15.4 purl=pkg:pypi/pymongo@4.16.0.dev0
14:58:35.439742 [info     ] Updating SBOM timestamp        [cyclonedx] time=2025-11-24T14:58:35.439716+00:00
14:58:35.439952 [info     ] Generating new serial number and setting SBOM version to '1' [cyclonedx] serial_number=9fec34d1-f756-4e0d-a797-212fc294338b version=1
14:58:35.441004 [info     ] writing sbom to file           [sbom_util] path=/home/ubuntu/mms/sbom.cdx.json

Validate:

14:58:54.939939 [info     ] Parsed arguments               [args] args=SBOMUtilArgs(purls=None, sbom_in=PosixPath('/home/ubuntu/mms/sbom.json'), sbom_out=None, out=None, library_owners=None, sbom_owner=None, diff=None, print=None, command='validate', project_options=ProjectOptions(project=None, repo=None, branch=None), refresh=False, no_update_timestamp=False, no_update_sbom_version=False, update_options=UpdateOptions(refresh=False, generate_new_serial_number=False, select_licenses=False, update_license_text=False, check_only=False), download_options=DownloadOptions(sbom_type=None, validate_timestamp=None), upload_options=UploadOptions(force=False), lint_options=LintOptions(fail_on=<SBOMValidatorFailOn.ERROR: 'error'>, schema_only=False), validate_options=ValidateOptions(fail_on=<SBOMValidatorFailOn.ERROR: 'error'>, include=['schema', 'lint', 'jira'], exclude=[<ValidationType.JIRA: 'jira'>]))
14:58:55.061728 [info     ] Performing SBOM validations    [sbom_util] validations=['lint', 'schema']
14:58:55.061974 [info     ] Validating SBOM with CycloneDX schema [check] schema_version=1.5
14:58:55.105604 [info     ] Linting SBOM                   [sbom_validator]

Checklist

Checklist for Author

  • Did you update the changelog (if necessary)?
  • Is the intention of the code captured in relevant tests?
  • If there are new TODOs, has a related JIRA ticket been created?

Checklist for Reviewer {@primary_reviewer}

  • Does the title of the PR reference a JIRA Ticket?
  • Do you fully understand the implementation? (Would you be comfortable explaining how this code works to someone else?)
  • Have you checked for spelling & grammar errors?
  • Is all relevant documentation (README or docstring) updated?

Focus Areas for Reviewer (optional)
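An added preflight check, not code from this PR or from the pymongo project, that flags the `metadata.lifecycles` field the description says the CycloneDX library behind Silkbomb rejects, so the problem is caught before the validation step rather than inside it. The two sample SBOM documents are constructed for illustration, and the validator's behaviour is assumed only from the description above.

```python
import copy
import json

# Constructed sample documents (not from the PR), shaped like the two cases the
# description contrasts: a cdxgen-style CycloneDX 1.5 SBOM that carries
# metadata.lifecycles, and a cyclonedx-py-style one that does not.
CDXGEN_STYLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2025-11-24T14:58:35+00:00",
        "lifecycles": [{"phase": "build"}],
        "component": {"type": "library", "name": "pymongo", "version": "4.16.0.dev0"},
    },
    "components": [],
}

CYCLONEDX_PY_STYLE_SBOM = copy.deepcopy(CDXGEN_STYLE_SBOM)
del CYCLONEDX_PY_STYLE_SBOM["metadata"]["lifecycles"]


def lifecycles_present(sbom: dict) -> bool:
    """True if the document carries the CycloneDX 1.5 metadata.lifecycles field."""
    metadata = sbom.get("metadata")
    return isinstance(metadata, dict) and "lifecycles" in metadata


def preflight(sbom: dict) -> list[str]:
    """Return findings to resolve before handing the SBOM to a validator whose
    CycloneDX library does not yet understand metadata.lifecycles (assumed)."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if sbom.get("specVersion") != "1.5":
        findings.append(f"specVersion is {sbom.get('specVersion')!r}, expected '1.5'")
    if lifecycles_present(sbom):
        findings.append("metadata.lifecycles present; the validator's library rejects it")
    return findings


def preflight_file(path: str) -> list[str]:
    """Load a CycloneDX JSON file from disk and run the same checks on it."""
    with open(path, encoding="utf-8") as fh:
        return preflight(json.load(fh))
```

Running `preflight_file("sbom.cdx.json")` against the generated file before the Silkbomb step gives an empty list for the cyclonedx-py output and a single finding for the cdxgen output.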

@thanhnguyen-mdb thanhnguyen-mdb changed the title Updated to use cyclonedx-py instead of cdxgen for silkbomb PYTHON-5433 - Fix Silkbomb issues Nov 24, 2025
@thanhnguyen-mdb thanhnguyen-mdb marked this pull request as ready for review November 24, 2025 16:00
@thanhnguyen-mdb thanhnguyen-mdb requested a review from a team as a code owner November 24, 2025 16:00
Member

@blink1073 blink1073 left a comment

LGTM, thanks!

@blink1073 blink1073 merged commit cef27b1 into mongodb:master Nov 24, 2025
73 of 75 checks passed