
Commit 345b7b5

ffontaine authored and its403 committed
fix: add json extension when building cyclonedx SBOM (intel#4820)
Adding the json extension for cyclonedx is mandatory; otherwise, if the user provides a filename without any extension, cve-bin-tool will not be able to read it back, as lib4sbom will silently fail to parse it: https://github.com/anthonyharrison/lib4sbom/blob/3d52214bf0d84f61d9954fc89c4a3357fa2b8d1d/lib4sbom/cyclonedx/cyclonedx_parser.py#L37

It would have been better to use self.sbom_format, but the default value is "tag" and lib4sbom will replace it with "json": https://github.com/anthonyharrison/lib4sbom/blob/3d52214bf0d84f61d9954fc89c4a3357fa2b8d1d/lib4sbom/generator.py#L43

A follow-up patch could also update cve-bin-tool/lib4sbom to better handle SBOMs with no extension. At the very least, a clear error message shall be displayed. Another option would be to open the file to check whether it is a JSON file and then fall back on XML parsing. Indeed, Linux users are not used to setting extensions on their files.

Signed-off-by: Fabrice Fontaine <[email protected]>
1 parent 50093d0, commit 345b7b5
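The commit message proposes, as a follow-up, sniffing the file content instead of relying on the extension: try JSON first, fall back on XML, and fail with a clear message otherwise. The function below is an added example of that check written for this page; it is not cve-bin-tool or lib4sbom code, and the sample documents, the `CYCLONEDX_XML_NS_PREFIX` constant and the function names are the example's own assumptions. It recognises a CycloneDX JSON BOM by its `bomFormat` field and a CycloneDX XML BOM by the `<bom>` root element in the `http://cyclonedx.org/schema/bom/` namespace; anything else, including an empty file, raises a `ValueError` that names the problem rather than failing silently.

```python
"""Detect a CycloneDX SBOM's serialization from its content, ignoring the
filename. Added example for this page, not cve-bin-tool or lib4sbom code."""
import json
import xml.etree.ElementTree as ET
from pathlib import Path

# CycloneDX XML documents place <bom> in a versioned namespace such as
# http://cyclonedx.org/schema/bom/1.4 (assumed prefix for this example).
CYCLONEDX_XML_NS_PREFIX = "http://cyclonedx.org/schema/bom/"


def detect_cyclonedx_format(data: bytes) -> str:
    """Return "json" or "xml" for the CycloneDX document held in `data`.

    Raises ValueError with a message naming the problem when the bytes are
    neither, so the caller never has to guess why a read-back failed.
    """
    if not data.strip():
        raise ValueError("SBOM is empty")

    # JSON first: a CycloneDX JSON BOM is an object whose bomFormat is "CycloneDX".
    try:
        doc = json.loads(data)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        doc = None
    if isinstance(doc, dict):
        if doc.get("bomFormat") == "CycloneDX":
            return "json"
        raise ValueError("JSON document is not a CycloneDX BOM (bomFormat missing)")
    if doc is not None:
        raise ValueError("JSON document is not a CycloneDX BOM (top level is not an object)")

    # Fall back on XML: a CycloneDX XML BOM has a <bom> root in the CycloneDX namespace.
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"SBOM is neither valid JSON nor well-formed XML: {exc}") from None
    if root.tag.startswith("{" + CYCLONEDX_XML_NS_PREFIX) and root.tag.endswith("}bom"):
        return "xml"
    raise ValueError(f"XML root element {root.tag!r} is not a CycloneDX <bom>")


def detect_cyclonedx_file(path) -> str:
    """Same check for a file on disk; the extension is deliberately not consulted."""
    return detect_cyclonedx_format(Path(path).read_bytes())


# Constructed minimal sample documents for demonstration (not real SBOMs).
SAMPLE_JSON = b'{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}'
SAMPLE_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1"><components/></bom>'
)
SAMPLE_OTHER_JSON = b'{"name": "not a bom"}'
SAMPLE_GARBAGE = b"not an sbom\n"


if __name__ == "__main__":
    for name, blob in [("json", SAMPLE_JSON), ("xml", SAMPLE_XML),
                       ("other-json", SAMPLE_OTHER_JSON), ("garbage", SAMPLE_GARBAGE)]:
        try:
            print(name, "->", detect_cyclonedx_format(blob))
        except ValueError as exc:
            print(name, "-> error:", exc)
```

The order matters: JSON is tried first because a CycloneDX JSON document can never parse as XML, while the XML attempt is only reached when the bytes are definitely not JSON, so a valid BOM is never misclassified and a non-BOM always ends in an explicit error rather than an empty result.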

1 file changed (+3, -0 lines)


cve_bin_tool/output_engine/__init__.py

Lines changed: 3 additions & 0 deletions
@@ -808,6 +808,9 @@ def output_cves(self, outfile, output_type="console"):
808808
)
809809
vexgen.generate_vex()
810810
if self.sbom_filename != "":
811+
# cyclonedx doesn't support tag or yaml and lib4sbom won't read back the file if it doesn't end with json
812+
if self.sbom_type == "cyclonedx":
813+
self.sbom_filename = add_extension_if_not(self.sbom_filename, "json")
811814
sbomgen = SBOMGenerate(
812815
self.all_product_data,
813816
self.sbom_filename,
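Review bot: the new comment lists two failure modes, cyclonedx not supporting tag or yaml and lib4sbom not reading a file back unless it ends in json, but `self.sbom_filename = add_extension_if_not(self.sbom_filename, "json")` only covers the second: a user who passes `bom.yaml` or `bom.tag` with sbom_type set to cyclonedx keeps that name and still hits the silent lib4sbom parse failure the commit message describes. Either reject unsupported extensions here with a clear error, which the commit message says should happen at the very least, or narrow the comment to what the code actually handles. The rename is also silent; since the SBOM ends up under a path the user did not ask for, log the adjusted `self.sbom_filename` so it can be found. Finally, the hunk context does not show `add_extension_if_not` being imported into this module; please confirm it is.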
