mongo-python-driver - PR #2622: PYTHON-5433 - Fix Silkbomb issues


    • Type: Task
    • Resolution: Fixed
    • Priority: Unknown
    • Fix Version/s: 4.16.0
    • Affects Version/s: None
    • Component/s: None
    • Status: Done

      thanhnguyen-mdb has created PR #2622: PYTHON-5433 - Fix Silkbomb issues in mongo-python-driver

      Issue Text:
      PYTHON-5433(https://jira.mongodb.org/browse/PYTHON-5433)
      PYTHON-5433(https://jira.mongodb.org/browse/PYTHON-5433)

        1. Summary
          Switched SBOM generation from cdxgen to cyclonedx-py v7.2.1 to ensure compatibility with our internal Silkbomb validation tool. The issue is that cdxgen generates SBOMs with a `lifecycles` metadata field (part of the CycloneDX 1.5 spec) that the Python library used by Silkbomb doesn't support yet (see https://github.com/CycloneDX/cyclonedx-python-lib/issues/578), causing validation failures. cyclonedx-py generates spec-compliant 1.5 SBOMs without this field, ensuring compatibility with both the official CycloneDX CLI validator and Silkbomb's internal validation. Also added a CycloneDX CLI validation step to the workflow. Tested successfully with both CycloneDX CLI validation and Silkbomb's update/validate commands.

      See sample PR for update changes: https://github.com/thanhnguyen-mdb/mongo-python-driver/pull/11

        2. Changes in this PR
        3. Testing Plan

      Generated a new SBOM in the fork and ran Silkbomb update/validate locally:
      Update:
      ```
      4:58:35.006641 [info ] Found existing dependencies [sbom_loader] num_pkgs=2 path=/home/ubuntu/mms/sbom.json
      14:58:35.014859 [info ] Updating all components currently in the SBOM [sbom_updater]
      14:58:35.015083 [warning ] Preserving internal:manual_update purls [sbom_updater] manual_update=
      14:58:35.015160 [info ] querying npm packages [sbom_updater] num_pkgs=0
      14:58:35.015448 [info ] querying maven packages [sbom_updater] num_pkgs=0
      14:58:35.015630 [info ] querying clearlydefined.io [sbom_updater] num_pkgs=2
      14:58:35.197688 [info ] querying api.deps.dev items [sbom_updater] num_pkgs=2
      14:58:35.353697 [info ] Checking closest match [api_deps_dev] closest_purl=pkg:pypi/pymongo@4.15.4 purl=pkg:pypi/pymongo@4.16.0.dev0
      14:58:35.439742 [info ] Updating SBOM timestamp [cyclonedx] time=2025-11-24T14:58:35.439716+00:00
      14:58:35.439952 [info ] Generating new serial number and setting SBOM version to '1' [cyclonedx] serial_number=9fec34d1-f756-4e0d-a797-212fc294338b version=1
      14:58:35.441004 [info ] writing sbom to file [sbom_util] path=/home/ubuntu/mms/sbom.cdx.json
      ```

      Validate:
      ```
      14:58:54.939939 [info ] Parsed arguments [args] args=SBOMUtilArgs(purls=None, sbom_in=PosixPath('/home/ubuntu/mms/sbom.json'), sbom_out=None, out=None, library_owners=None, sbom_owner=None, diff=None, print=None, command='validate', project_options=ProjectOptions(project=None, repo=None, branch=None), refresh=False, no_update_timestamp=False, no_update_sbom_version=False, update_options=UpdateOptions(refresh=False, generate_new_serial_number=False, select_licenses=False, update_license_text=False, check_only=False), download_options=DownloadOptions(sbom_type=None, validate_timestamp=None), upload_options=UploadOptions(force=False), lint_options=LintOptions(fail_on=<SBOMValidatorFailOn.ERROR: 'error'>, schema_only=False), validate_options=ValidateOptions(fail_on=<SBOMValidatorFailOn.ERROR: 'error'>, include=['schema', 'lint', 'jira'], exclude=[<ValidationType.JIRA: 'jira'>]))
      14:58:55.061728 [info ] Performing SBOM validations [sbom_util] validations=['lint', 'schema']
      14:58:55.061974 [info ] Validating SBOM with CycloneDX schema [check] schema_version=1.5
      14:58:55.105604 [info ] Linting SBOM [sbom_validator]
      ```

        4. Checklist
          1. Checklist for Author
      • [ ] Did you update the changelog (if necessary)?
      • [ ] Is the intention of the code captured in relevant tests?
      • [ ] If there are new TODOs, has a related JIRA ticket been created?
          2. Checklist for Reviewer {@primary_reviewer}
      • [ ] Does the title of the PR reference a JIRA Ticket?
      • [ ] Do you fully understand the implementation? (Would you be comfortable explaining how this code works to someone else?)
      • [ ] Have you checked for spelling & grammar errors?
      • [ ] Is all relevant documentation (README or docstring) updated?
        5. Focus Areas for Reviewer (optional)
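The compatibility problem the summary describes (a CycloneDX 1.5 `metadata.lifecycles` field that a downstream consumer cannot parse) can be caught before an SBOM reaches the validator. The following pre-check is an added example, not code from this PR or from Silkbomb; it assumes a constructed cdxgen-style SBOM and limits the unsupported-field list to the one field the PR names.

```python
"""Pre-validation check for a CycloneDX JSON SBOM.

Flags metadata fields that an older CycloneDX consumer may reject, such as the
1.5-only ``metadata.lifecycles`` array described in the PR, and can strip them
so the document can be handed to a validator that has not caught up with the spec.
"""
import copy
import json

# Fields introduced in CycloneDX 1.5 that older consumers may not parse.
# Assumption: the list is limited to the field named in the PR.
UNSUPPORTED_METADATA_FIELDS = ("lifecycles",)


def find_unsupported_fields(sbom: dict) -> list:
    """Return JSON-pointer-style paths of fields likely to break validation."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("/bomFormat")
    metadata = sbom.get("metadata", {})
    for field in UNSUPPORTED_METADATA_FIELDS:
        if field in metadata:
            problems.append(f"/metadata/{field}")
    return problems


def strip_unsupported_fields(sbom: dict) -> dict:
    """Return a deep copy of the SBOM with the unsupported metadata fields removed."""
    cleaned = copy.deepcopy(sbom)
    for field in UNSUPPORTED_METADATA_FIELDS:
        cleaned.get("metadata", {}).pop(field, None)
    return cleaned


# Constructed sample: the shape cdxgen emits for a 1.5 SBOM, lifecycles included.
CDXGEN_STYLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "lifecycles": [{"phase": "build"}],
    "component": {"type": "library", "name": "pymongo",
                  "version": "4.16.0.dev0", "purl": "pkg:pypi/pymongo@4.16.0.dev0"}
  },
  "components": []
}""")

if __name__ == "__main__":
    print(find_unsupported_fields(CDXGEN_STYLE_SBOM))  # ['/metadata/lifecycles']
    print(find_unsupported_fields(strip_unsupported_fields(CDXGEN_STYLE_SBOM)))  # []
```

Running it against the real `sbom.json` (via `json.load`) before the Silkbomb step would turn the opaque validation failure into a named field path.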

            Assignee: Casey Clements
            Reporter: TPM Jira Automations Bot
            Votes: 0
            Watchers: 1