bug: improved sbom filename extension handling

[terriko]

Copying from #4820

Adding json extension for cyclonedx is mandatory otherwise if the user provides a filename without any extension, cve-bin-tool will not be able to read it back as lib4sbom will silently fail to parse it: https://github.com/anthonyharrison/lib4sbom/blob/3d52214bf0d84f61d9954fc89c4a3357fa2b8d1d/lib4sbom/cyclonedx/cyclonedx_parser.py#L37

It would have been better to use self.sbom_format but the default value is "tag" and lib4sbom will replace it to "json": https://github.com/anthonyharrison/lib4sbom/blob/3d52214bf0d84f61d9954fc89c4a3357fa2b8d1d/lib4sbom/generator.py#L43

A followup patch could also update cve-bin-tool/lib4sbom to better handle SBOM with no extensions. At the very least, a clear error message shall be displayed. Another option would be to open the file to check if this is a JSON file and then fallback on XML parsing. Indeed, Linux users are not used to set extensions to their files.

I've merged #4820 but @ffontaine is correct that more is probably needed here, so I'm filing this issue with the information.

[terriko]

A note about the hackathon label: I've flagged a bunch of issues for folk participating in the Open Source Ecosyststems Hackathon March 3-7. Please leave these issues to hackathon participants. if they're not claimed after, say, March 10th, they're fair game to other people (including GSoC participants).

[shanscendent]

Intel OSS Hackathon Team 1 will be working on this.

[stvml]

I think at this point, @shanscendent and our hackathon team are confident we aren't going to get changes in for this one! Up for grabs for anyone else who wants to give it a go :)

[Arnavk194]

I'll pick it up if no one else from the hackathon is working on it. I'll wait until March 10th.

[Saksham-Sirohi]

Hi @terriko , PR #4919 enforces CycloneDX SBOM extension checks (.json/.xml) to fix extension handling. Tests now validate error logging for invalid extensions and use existing SBOM files. Ensures compliance and robust error handling.

[Arnavk194]

Hey @terriko and @22f1001635, I saw that a PR has been submitted—really appreciate the effort you put into it!

Just a heads-up, as per the contribution guidelines, I had already mentioned that I was working on this. No worries this time, but let’s keep it in mind going forward so we don’t end up duplicating work.

[Saksham-Sirohi]

Hey, @Arnavk194 i am really sorry for this Actually, I had these solutions nearly complete by the time the maintainer gave it the hackathon tag. I am sorry for not providing the info prior