chore: extract glob for pyupgrade to separate script for cross-platform compatibility (#950)

Currently pyupgrade cannot be run on Windows due to 'sh' in tox.ini not
working in PowerShell.

Adding a separate script for this might be controversial. \
I could not find another solution that is platform independent, except
from inline python in tox.ini which got "complicated" due to
`{posargs}`. However, if anyone has a better idea, this could be
reworked.

### AI Tool Disclosure

- [X] My contribution includes AI-generated content, as disclosed below:
- The contents of the new script is based on suggestions from Claude
Sonnet 4.6

### Affirmation

- [X] My code follows the
[CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CONTRIBUTING.md)
guidelines

---------

Signed-off-by: Peter Schuster <p.schuster@pilz.de>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Author: peschuster

tools/run_pyupgrade.py

@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+
+# This file is part of CycloneDX Python Library
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+import subprocess  # nosec - subprocess is used to run pyupgrade and not part of published library
+import sys
+from pathlib import Path
+
+HELP = f"""
+Wrapper around pyupgrade to perform a lookup of all *.py/*.pyi files in passed directories
+and pass them to pyupgrade in a single invocation.
+
+Usage: {sys.argv[0]} [pyupgrade-args ...] -- <dir ...>
+"""
+
+if '--' not in sys.argv:
+    print(HELP, file=sys.stderr)
+    sys.exit(1)
+
+sep = sys.argv.index('--')
+pyupgrade_args = sys.argv[1:sep]
+directories = sys.argv[sep + 1:]
+
+if not directories:
+    print('Error: at least one directory must be specified after --', '\n', HELP, file=sys.stderr)
+    sys.exit(2)
+
+files = sorted({
+    str(file)
+    for directory in directories
+    for pattern in ['*.py', '*.pyi']
+    for file in Path(directory).rglob(pattern)
+})
+
+result = subprocess.run(  # nosec - shell=False is used to prevent injection, all arg passed as a list
+    [sys.executable, '-m', 'pyupgrade', *pyupgrade_args, *files],
+    shell=False  # w/o shell all args are passed directly to the process without the need for quotes or escaping
+)
+sys.exit(result.returncode)

tox.ini

@@ -52,10 +52,8 @@ commands =
     poetry run deptry -v .
 
 [testenv:pyupgrade]
-allowlist_externals = poetry, sh
-commands = sh -c "\
-    find cyclonedx typings tests tools examples -type f \( -name '*.py' -or -name '*.pyi' \) -print0 \
-    | xargs -0 poetry run pyupgrade --py39-plus {posargs} "
+# first -- stops command parsing by poetry run, the second -- splits pyupgrade args from args for glob patterns
+commands = poetry run -- python tools/run_pyupgrade.py --py39-plus {posargs} -- cyclonedx typings tests tools examples
 
 [testenv:isort]
 commands = poetry run isort .