SBOM automation updates - all streams


    • Fully Compatible
    • v8.3, v8.2, v8.0, v7.0
    • SSDLC: Sprint 4
    • 🟢 On Track

      sbom_utils.py — Bug fix: check_components_and_dependencies now includes the primary component

      The mismatch check between .components[].bom-ref and .dependencies[].ref was incorrectly omitting the top-level SBOM subject (.metadata.component.bom-ref). It now includes it, so a missing dependency entry for the primary component is correctly flagged.

      sbom_utils.py — New utility: reconcile_dependency_refs

      Added a new function that repairs the .dependencies[] array of a CycloneDX SBOM in two ways:

      • Adds a stub entry of the form {"ref": ..., "dependsOn": []} for any component (including the primary component) that has no corresponding dependency entry.

      • Removes dependency entries whose ref has no matching component, and emits a warning listing the orphaned refs.

      generate_sbom.py — Apply reconciliation before validation

      reconcile_dependency_refs is now called on both the Endor Labs SBOM and the metadata SBOM immediately after they are loaded and pre-processed, before the existing check_components_and_dependencies validation step. Logging before and after the call records the component and dependency counts to aid debugging.

      buildscripts/sbom/metadata.cdx.json, sbom.json, sbom.private.json — Updated generated SBOM outputs

            Assignee:
            Jason Hills
            Reporter:
            Jason Hills