get_cherry_picks: Enrich SBOM with cherry-picked #3304

Draft
gastmaier wants to merge 1 commit into ci from ci-sbom-cherry-pick

Conversation

Collaborator

@gastmaier gastmaier commented May 4, 2026

PR Description

To track patching fixes on top of a stable tag, collect the "cherry picked from" lines from the commit history up to the commit tag. Once collected, it is added to the SBOM as pedigree.commits for CycloneDX and
extension_CdxPropertiesExtension for SPDX. The SPDX looks awkward, but matches the discussion at
spdx/Spdx-Java-Library#302

If the depth is 10000 commits (the GitHub limit), don't collect any, since the branch does not match the use case of a few commits on top of a stable commit (not thousands).

Example run : https://github.com/analogdevicesinc/linux/actions/runs/25315468921

The consumer side is even more terrible: analogdevicesinc/linux-security-vulns@137adcf

Spec:

Cherry pick list
~~~~~~~~~~~~~~~~

When it is useful to include a list of cherry-picked commits, for example
to record the fix commits that were applied on top of the stable tag, it can be
added to the SBOM in the formats below.

Please note that it is the SHA from the "cherry picked from commit ..." line in the
commit message, the one that can be traced to the vulnerability DB. This line
is created with ``git cherry-pick -x <sha>``.

.. code-block:: json

   {
     "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
     "@graph": [
       {
         "type": "build_Build",
         "extension": [
           {
             "type": "extension_CdxPropertiesExtension",
             "extension_cdxProperty": [
               {
                 "type": "extension_CdxPropertyEntry",
                 "extension_cdxPropName": "git:cherry-pick",
                 "extension_cdxPropValue": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
               },
               {
                 "type": "extension_CdxPropertyEntry",
                 "extension_cdxPropName": "git:cherry-pick",
                 "extension_cdxPropValue": "deadbeef1234deadbeef1234deadbeef1234dead"
               }
             ]
           }
         ]
       }
     ]
   }

(see https://github.com/spdx/Spdx-Java-Library/issues/302)

.. code-block:: python

   def cherry_picks_from_spdx(data):
       """Collect every git:cherry-pick property value from an SPDX 3 JSON-LD graph.

       Walks all elements and all CdxPropertiesExtension blocks instead of
       returning at the first extension found, so entries spread over
       several elements (or an unrelated extension listed first) are not lost.
       """
       shas = []
       for element in data.get("@graph", []):
           for ext in element.get("extension", []):
               if ext.get("type") != "extension_CdxPropertiesExtension":
                   continue
               for prop in ext.get("extension_cdxProperty", []):
                   if (prop.get("extension_cdxPropName") == "git:cherry-pick"
                           and prop.get("extension_cdxPropValue")):
                       shas.append(prop["extension_cdxPropValue"])
       return shas

.. code-block:: json

   {
     "bomFormat": "CycloneDX",
     "specVersion": "1.6",
     "metadata": {
       "component": {
         "pedigree": {
          "commits": [
            {"uid": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"},
            {"uid": "deadbeef1234deadbeef1234deadbeef1234dead"}
          ]
         }
       }
     }
   }

.. code-block:: python

   def cherry_picks_from_cdx(data):
       """Read pedigree.commits[].uid from the CycloneDX metadata component."""
       commits = (data.get("metadata", {})
                      .get("component", {})
                      .get("pedigree", {})
                      .get("commits", []))
       # Only entries carrying a uid are usable cherry-pick references.
       return [c["uid"] for c in commits if c.get("uid")]


PR Type

  • Bug fix (a change that fixes an issue)
  • New feature (a change that adds new functionality)
  • Breaking change (a change that affects other repos or causes CIs to fail)

PR Checklist

  • I have conducted a self-review of my own code changes
  • I have compiled my changes, including the documentation
  • I have tested the changes on the relevant hardware
  • I have updated the documentation outside this repo accordingly
  • I have provided links for the relevant upstream lore
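The producer side that the PR describes (walk the history from HEAD back to the stable tag, keep the SHA named by each ``git cherry-pick -x`` trailer, collect nothing when the walk reaches the 10000-commit GitHub cap, and emit the two SBOM layouts shown in the spec), as an added worked example in Python. This is not the PR's get_cherry_picks script or the repository's code; the git log format string, the record separator, the sample commits, the depth-limit constant and the function names are assumptions made for the example.

```python
import json
import re
from typing import Any, Dict, List

# Assumption (taken from the PR description): GitHub caps the checkout depth
# at 10000 commits. A walk that reaches the cap is not "a few commits on top
# of a stable tag", so nothing is collected rather than a truncated list.
GITHUB_DEPTH_LIMIT = 10000

# Trailer written by `git cherry-pick -x <sha>`. Only a full 40-hex SHA is
# accepted: an abbreviated SHA cannot be matched reliably against a
# vulnerability database.
CHERRY_PICK_RE = re.compile(
    r"^\s*\(cherry picked from commit ([0-9a-f]{40})\)\s*$", re.MULTILINE
)

PICK_A = "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
PICK_B = "deadbeef1234deadbeef1234deadbeef1234dead"


def log_record(sha: str, body: str) -> str:
    """One commit as `git log --format='%H%n%B%x1e'` prints it (assumed format)."""
    return f"{sha}\n{body}\n\x1e"


# Constructed sample log: four commits on top of the tag, one without a
# trailer (a local change) and one that re-picks the same upstream commit,
# which must be reported only once.
SAMPLE_LOG = "".join([
    log_record("1" * 40, f"net: fix foo\n\n(cherry picked from commit {PICK_A})"),
    log_record("2" * 40, "board: local dts tweak, no upstream commit"),
    log_record("3" * 40, f"crypto: second backport\n\n(cherry picked from commit {PICK_B})"),
    log_record("4" * 40, f"net: fix foo, re-applied\n\n(cherry picked from commit {PICK_A})"),
])


def cherry_picks_from_log(log_text: str, depth_limit: int = GITHUB_DEPTH_LIMIT) -> List[str]:
    """Return the upstream SHAs named by -x trailers, in history order, deduplicated.

    `log_text` is the output of `git log --format='%H%n%B%x1e' <tag>..HEAD`;
    each commit is one record terminated by the ASCII record separator.
    """
    records = [r for r in log_text.split("\x1e") if r.strip()]
    depth = len(records)
    # PR rule: hitting the GitHub depth cap means this is not a short patch
    # series on a stable tag, so report nothing.
    if depth >= depth_limit:
        return []
    seen: Dict[str, None] = {}          # dict keeps insertion order
    for record in records:
        for sha in CHERRY_PICK_RE.findall(record):
            seen.setdefault(sha, None)
    return list(seen)


def to_cyclonedx_pedigree(shas: List[str]) -> Dict[str, Any]:
    """CycloneDX 1.6 fragment: metadata.component.pedigree.commits[].uid."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "metadata": {"component": {"pedigree": {"commits": [{"uid": s} for s in shas]}}},
    }


def to_spdx_cdx_properties(shas: List[str]) -> Dict[str, Any]:
    """SPDX 3.0.1 fragment: a build_Build element carrying one git:cherry-pick
    CdxPropertyEntry per SHA, the layout the PR adopts."""
    return {
        "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
        "@graph": [{
            "type": "build_Build",
            "extension": [{
                "type": "extension_CdxPropertiesExtension",
                "extension_cdxProperty": [
                    {"type": "extension_CdxPropertyEntry",
                     "extension_cdxPropName": "git:cherry-pick",
                     "extension_cdxPropValue": s}
                    for s in shas
                ],
            }],
        }],
    }


if __name__ == "__main__":
    picks = cherry_picks_from_log(SAMPLE_LOG)
    print(json.dumps(to_cyclonedx_pedigree(picks), indent=2))
    print(json.dumps(to_spdx_cdx_properties(picks), indent=2))
```

In CI the input would come from `git log --format='%H%n%B%x1e' <tag>..HEAD` on the checked-out branch; the depth guard is applied to the number of records actually walked, which is what the 10000-commit cap bounds.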

@gastmaier gastmaier force-pushed the ci-sbom-cherry-pick branch from a69c52a to d02ca43 on May 5, 2026 09:28
To track patching fixes on top of a stable tag, collect "cherry picked
from" from the commit history up to the commit tag. Once collected, it is added
to the SBOM as pedigree.commits for Cyclone and
extension_CdxPropertiesExtension for SPDX. The SPDX looks awkward, but
matches the discussion at
spdx/Spdx-Java-Library#302

If the depth is 10000 commits (github limit), don't collect any, since
the branch does not match the use case of a few commits on top of a
stable commit (not thousands).

Signed-off-by: Jorge Marques <jorge.marques@analog.com>
@gastmaier gastmaier force-pushed the ci-sbom-cherry-pick branch from d02ca43 to b5d2c8f on May 5, 2026 11:45
1 participant