Fix Sashiko Issues

[augelu-tng]

This PR addresses issues highlighted by the AI review in
https://sashiko.dev/#/patchset/20260410212255.9883-1-luis.augenstein@tngtech.com

Most changes are Robustness related, i.e., things that didn't cause any failure so far but could so in the future when assumptions change, new functionality is added, or uncommon user inputs are encountered.

Additionally, Sashiko found 3 actual Bugs that caused wrong SBOM outputs.

---

Patch 3 - scripts/sbom: setup sbom logging

• [Robustness] 1848fc4 — Improve logging robustness by accounting for templates that include literal curly brackets.

---

Patch 4 — scripts/sbom: add command parsers

• [Robustness] ed95bb7 — Improve parsing robustness by accounting for redirects of bin2c commands into an output file (< input > output).
• [Robustness] 1f3aa13 — Improve parsing robustness for printf '<some_path>/%s ' | xargs ar commands where trailing s characters of <some_path> would have been removed. Replace incorrect usage of rstrip with removesuffix.
• [Robustness] 28ee708 — Improve parsing robustness by catching IndexError in command parsers in case command invocation assumptions don't hold.
• [Robustness] 85b49f0 — Improve parsing robustness for awk commands when an inline program argument (e.g. '{print $1}') is used.

---

Patch 5 — scripts/sbom: add cmd graph generation

• [Info Log Typo] 4a5089a — Remove a trailing comma inside an f-string interpolation that caused the log message to print a tuple ('filename.txt',) instead of the bare filename string.
• [Robustness] c393b43 — Improve robustness of .cmd file parsing and provide clear error messages where previously a generic IndexError was raised when cmd file structure assumptions didn't hold.
• [Bug] 2a8efdc — Relative paths with symlinks are now properly resolved. Previously the same file could occur multiple times in the sbom if it was referenced both through a symlink path and the canonical path or two different symlink paths. Note: os.path.realpath is still only used when strictly necessary due to its significant performance impact.
• [Robustness] b18d3c6 — Improve deps parsing robustness by relaxing the VALID_PATH_PATTERN regex to also accept characters such as +, ~, =, and @ that can appear in legitimate kernel build paths.
• [Robustness] cbbaae7 — Use proper argparse error handling instead of raising generic exceptions for invalid user-provided arguments.

---

Patch 6 — scripts/sbom: add additional dependency sources for cmd graph

• [Pythonic Syntax] c84a3a2 — Use proper pythonic list constructor in dataclass default_factory instead of a generic type alias.
• [Robustness] f8a1d55 — Improve path resolution robustness for hardcoded dependencies with paths in the source tree.

---

Patch 7 — scripts/sbom: add SPDX classes

• [Robustness] fded697 — Make the to_dict field filter use explicit is None / empty-list checks instead of plain truthiness tests, so that legitimate falsy values such as 0 or False are not silently omitted from the serialized SPDX output.
• [Robustness] 4c89521 — Avoid mutating the caller's SPDX object when constructing the JsonLdDocument by not clearing namespaceMap on the original element, preventing data loss if the graph is reused after serialization.

---

Patch 9 — scripts/sbom: add shared SPDX elements

• [Robustness] 7012e72 — Add an explicit validation step for --roots-file that rejects an empty file early.
• [Bug] fb2ae60 — Use a timezone-aware UTC datetime when recording the SBOM creation timestamp. Previously the local system timezone was used.

---

Patch 10 — scripts/sbom: collect file metadata

• [Robustness] be33b54 — Replace os.path.exists() with os.path.isfile() before computing file hashes, so that directory nodes appearing in .cmd dependency lists are skipped rather than triggering an IsADirectoryError.
• [Robustness] d30d360 — Stream file content in fixed-size chunks when computing SHA-256 and git blob OIDs, reducing memory consumption on large build artifacts such as vmlinux or bzImage.
• [Robustness] 1435e78 — Extend the SPDX-License-Identifier regex to also handle XML comment terminators (-->) in captured license expressions.

---

Patch 13 — scripts/sbom: add SPDX build graph

• [Bug] 9f2f3d4 — Correctly assign external files outside both the source and object tree (e.g. Rust core libraries) to the source SBOM rather than the build SBOM. Previously, external files were incorrectly declared as contained within the object-tree directory via an SPDX contains relationship.

---

Patch 14 — scripts/sbom: add unit tests for command parsers

• [Robustness] ccb005c — Replace direct os.environ assignments in unit tests with unittest.mock.patch.dict so that environment variable changes are automatically restored after each test, eliminating cross-test pollution.

---

Successful Workflow Run https://github.com/TNG/KernelSbom/actions/runs/25318807807

[maxhbr]

LGTM