gh-112844: Add SBOM for external dependencies

[sethmlarson]

This PR adds an SBOM and tooling for dependencies specified in get_externals.bat for Windows builds. This SBOM will be picked up by release-tools to generated SBOMs for Windows artifacts.

One question I had was whether we should handle our "patched" versions of dependencies, and if so if there was any known way for this tool to detect that (short of tracking it ourselves).

• Issue: Add Software Bill-of-Materials for Windows source dependencies #112844

[zooba]

One question I had was whether we should handle our "patched" versions of dependencies

Probably, though in practice we don't patch anything. The only patch I'm aware of right now is to make OpenSSL look in our _ssl module for its embedded table rather than in python.exe, which should have no security impact. That patch happens automatically at build time.

and if so if there was any known way for this tool to detect that (short of tracking it ourselves).

Not really. We do a copy from source releases into our repo, so there's no tracking history back upstream, and while we should import and patch in separate commits, that doesn't really do it robustly.

But we're not carrying any patches here right now, so it's a moot point. And I think you got all the ones that live in the main repo already (if any)?

[zooba]

LGTM

[hugovk]

@sethmlarson Ready to merge this?

[sethmlarson]

@hugovk Ready to merge!

[miss-islington-app]

Thanks @sethmlarson for the PR, and @hugovk for merging it 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

[bedevere-app]

GH-116128 is a backport of this pull request to the 3.12 branch.