Improve SBOM generation automation and change sbom_linter owner


    • Type: Task
    • Resolution: Unresolved
    • Priority: Minor - P4
    • 9.0.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • Fully Compatible
    • v8.3, v8.2, v8.0, v7.0
    • SSDLC: Sprint 2
    • 1
    • 🟢 On Track

      Description:

      Improves the automated SBOM generation pipeline across generate_sbom.py, sbom_utils.py, and sbom_linter.py.

      generate_sbom.py

      • Fix codeowner fallback bug: a spurious continue in the except KeyError block prevented the raw codeowner name from being written to the internal:team_responsible property when a Jira mapping was absent.
      • Deduplicate Endor Labs components: components that Endor lists as first-party sub-packages in .metadata.component.components[] are skipped when processing unmatched .components[] entries, preventing duplicates in the final SBOM.
      • Merge Endor Labs .dependencies[] into the final SBOM after all components are finalized. If a ref already has a dependency entry (from metadata.cdx.json), the dependsOn sets are compared; a warning is raised on collision and Endor's data takes priority.
      • sbom.json and sbom.private.json now track serialNumber, version, and metadata.timestamp independently. The public SBOM's values only update when public-facing components change, preventing spurious diffs caused by private-only component changes.
      • Apply configurable SPDX license identifier replacements (defined in config.py) to licenses[].expression and licenses[].license.id before writing output.
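      The codeowner fallback and the Endor Labs dependsOn merge described above, as an added example written for this page (not MongoDB's generate_sbom.py). The team mapping, refs and dependency entries are constructed sample data, and "collision" is taken to mean two entries for the same ref whose dependsOn sets differ; how the real script defines it is not shown here.

```python
"""Added example for the generate_sbom.py changes described in the ticket.

Illustrative code written for this page, not MongoDB's generate_sbom.py.
JIRA_TEAM_MAP, BASE_DEPS and ENDOR_DEPS are constructed sample data.
"""
import copy
import warnings

# Constructed CODEOWNERS -> Jira team lookup (assumption: the real script keeps
# an equivalent table; the names here are invented).
JIRA_TEAM_MAP = {"10gen/server-security": "Server Security"}


def team_responsible_property(codeowner: str, jira_map: dict = JIRA_TEAM_MAP) -> dict:
    """Build the internal:team_responsible property for a component.

    The ticket describes a spurious `continue` in the `except KeyError` branch
    that skipped the fallback write, so unmapped codeowners lost the property.
    Here a missing Jira mapping falls back to the raw codeowner name.
    """
    try:
        team = jira_map[codeowner]
    except KeyError:
        team = codeowner  # fallback: the raw codeowner name is still recorded
    return {"name": "internal:team_responsible", "value": team}


def merge_endor_dependencies(base_deps: list, endor_deps: list) -> tuple:
    """Merge Endor Labs dependencies[] into the existing dependencies[].

    Entries are keyed on `ref`. If a ref already has an entry (e.g. from
    metadata.cdx.json) and the two dependsOn sets differ, a warning is emitted
    and Endor's entry wins. Returns (merged_entries, colliding_refs).
    """
    merged = {d["ref"]: copy.deepcopy(d) for d in base_deps}
    collisions = []
    for dep in endor_deps:
        ref = dep["ref"]
        if ref in merged:
            have = set(merged[ref].get("dependsOn", []))
            want = set(dep.get("dependsOn", []))
            if have != want:
                collisions.append(ref)
                warnings.warn(
                    f"dependsOn collision for {ref}: existing={sorted(have)} "
                    f"endor={sorted(want)}; Endor data takes priority"
                )
        merged[ref] = copy.deepcopy(dep)  # Endor entry replaces the existing one
    return sorted(merged.values(), key=lambda d: d["ref"]), collisions


# Constructed sample: what the base SBOM already contributes...
BASE_DEPS = [
    {"ref": "pkg:generic/app@1.0", "dependsOn": ["pkg:cargo/example-crate@1.0.0"]},
    {"ref": "pkg:cargo/example-crate@1.0.0", "dependsOn": []},
]
# ...and what the Endor Labs export adds, with one extra edge on the same ref.
ENDOR_DEPS = [
    {"ref": "pkg:generic/app@1.0",
     "dependsOn": ["pkg:cargo/example-crate@1.0.0", "pkg:maven/org.example/lib@2.1"]},
    {"ref": "pkg:maven/org.example/lib@2.1", "dependsOn": []},
]

if __name__ == "__main__":
    print(team_responsible_property("10gen/not-in-jira"))
    deps, clashes = merge_endor_dependencies(BASE_DEPS, ENDOR_DEPS)
    print(f"{len(deps)} dependency entries, {len(clashes)} collision(s): {clashes}")
```

      The collision list is returned alongside the merged entries so a caller can fail the build on unexpected disagreements rather than relying on a warning scrolling past in CI.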

      sbom_utils.py

      • Add pkg:cargo and pkg:maven regex patterns to REGEX_PURL.
      • convert_sbom_to_public: additionally exclude components with the property internal:private=true.
      • convert_sbom_to_public: after removing internal components, prune any remaining orphaned dependencies[] entries whose ref or dependsOn values are not present in the final public component set.
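      The public-conversion steps above (exclude internal:private=true, then prune orphaned dependencies[] entries), plus an orphan check to confirm the result, as an added example written for this page rather than MongoDB's sbom_utils.py. The cargo and maven purl patterns are this example's own assumptions, the SBOM is a constructed CycloneDX-shaped sample, and only the internal:private exclusion rule from the ticket is implemented; any other exclusion criteria the real convert_sbom_to_public applies are not shown here.

```python
"""Added example for the sbom_utils.py changes described in the ticket.

Illustrative code written for this page, not MongoDB's sbom_utils.py.
REGEX_PURL patterns and SAMPLE_SBOM are constructed for the example.
"""
import copy
import re

# Assumed purl patterns for the two ecosystems the ticket adds; the project's
# real REGEX_PURL patterns are not shown on the page.
REGEX_PURL = {
    "cargo": re.compile(r"^pkg:cargo/[A-Za-z0-9_.-]+@[^@\s]+$"),
    "maven": re.compile(r"^pkg:maven/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+@[^@\s]+$"),
}


def purl_type(purl: str):
    """Return the ecosystem whose pattern matches, or None."""
    for name, pattern in REGEX_PURL.items():
        if pattern.match(purl):
            return name
    return None


def is_private(component: dict) -> bool:
    """True if the component carries the property internal:private=true."""
    return any(
        p.get("name") == "internal:private" and str(p.get("value")).lower() == "true"
        for p in component.get("properties", [])
    )


def _root_ref(sbom: dict):
    return sbom.get("metadata", {}).get("component", {}).get("bom-ref")


def convert_sbom_to_public(sbom: dict) -> dict:
    """Drop private components, then prune dependencies[] to the survivors."""
    public = copy.deepcopy(sbom)
    public["components"] = [c for c in sbom.get("components", []) if not is_private(c)]
    kept = {c["bom-ref"] for c in public["components"]}
    if _root_ref(sbom):
        kept.add(_root_ref(sbom))  # the root component stays in the graph
    pruned = []
    for dep in sbom.get("dependencies", []):
        if dep["ref"] not in kept:
            continue  # entry belonged to a removed component
        pruned.append({"ref": dep["ref"],
                       "dependsOn": [d for d in dep.get("dependsOn", []) if d in kept]})
    public["dependencies"] = pruned
    return public


def orphaned_refs(sbom: dict) -> set:
    """Refs used in dependencies[] (ref or dependsOn) with no component behind them."""
    known = {c["bom-ref"] for c in sbom.get("components", [])}
    if _root_ref(sbom):
        known.add(_root_ref(sbom))
    return {
        ref
        for dep in sbom.get("dependencies", [])
        for ref in [dep["ref"], *dep.get("dependsOn", [])]
        if ref not in known
    }


# Constructed sample SBOM: one private component sits in the middle of the graph.
SAMPLE_SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:generic/app@1.0"}},
    "components": [
        {"bom-ref": "pkg:cargo/public-crate@1.2.3"},
        {"bom-ref": "pkg:generic/internal-tool@0.1",
         "properties": [{"name": "internal:private", "value": "true"}]},
        {"bom-ref": "pkg:maven/org.example/lib@2.1"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/app@1.0",
         "dependsOn": ["pkg:cargo/public-crate@1.2.3", "pkg:generic/internal-tool@0.1",
                       "pkg:maven/org.example/lib@2.1"]},
        {"ref": "pkg:cargo/public-crate@1.2.3", "dependsOn": []},
        {"ref": "pkg:generic/internal-tool@0.1", "dependsOn": ["pkg:maven/org.example/lib@2.1"]},
        {"ref": "pkg:maven/org.example/lib@2.1", "dependsOn": []},
    ],
}

if __name__ == "__main__":
    public = convert_sbom_to_public(SAMPLE_SBOM)
    print([c["bom-ref"] for c in public["components"]])
    print("orphans after conversion:", orphaned_refs(public))
```

      Removing only the component and leaving dependencies[] untouched would leak the private component's ref through the dependency graph; orphaned_refs shows that case, and an empty result on the converted SBOM is the check worth running before publishing.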

      sbom_linter.py

      • Remove the version mismatch check along with its supporting helpers (VERSION_MISMATCH_ERROR, strip_extra_prefixes, and the comp_pedigree_version block).
      • Formatting check now accepts a file with zero or one trailing newline; two or more trailing newlines still fails.

      buildscripts/OWNERS.yml, .github/CODEOWNERS

      • Add 10gen/code-review-team-ssdlc as approver/owner of buildscripts/sbom_linter.py.

            Assignee:
            Jason Hills
            Reporter:
            Jason Hills
            Votes:
            0
            Watchers:
            2
