Xml validation failure after merge using cyclonedx-cli

[james-hall1]

when creating SBOMS using cyclonedx in powershell for example

dotnet CycloneDX example.sln ^
--spec-version 1.6 ^
--output-format xml ^
-o .

and then merging using cyclonedx-cli via

& .\cyclonedx-win-x64.exe merge --input-files "example.xml" "example2.xml" "example3.xml"
--output-file "merged.xml" --output-format xml
--output-version v1_6

validating merged.xml with

.\cyclonedx-win-x64.exe validate --input-file .\merged.xml --input-format xml --input-version v1_6 --fail-on-errors

results in the error

Validation failed at line number 12 and position 8: The element 'tools' in namespace 'http://cyclonedx.org/schema/bom/1.6' has invalid child element 'components' in namespace 'http://cyclonedx.org/schema/bom/1.6'. List of possible elements expected: 'tool' in namespace 'http://cyclonedx.org/schema/bom/1.6'.
BOM is not valid.

even though each individual SBOM being merged passes validation.

I believe this is due to the schema 1.6 not being applied properly but just a guess!

note: cyclonedx version 5.5.0, cyclonedx-cli version 0.29.1

Thanks in advance!

[andreas-hilti]

This might have the same root cause as #408.

[andreas-hilti]

@james-hall1 In your input files, do some of them use the legacy "tool" in the metadata, while others use "components" (compare https://cyclonedx.org/docs/1.6/json/#metadata_tools)?

[james-hall1]

@andreas-hilti I believe none of them use legacy tools except within a brief metadata block at the beginning

eg

2025-10-23T13:44:12.1943614Z CycloneDX CycloneDX module for .NET 5.5.0.0

[andreas-hilti]

It is the combination of one <metadata>...<tools><tool>...</tool>...</tools></metadata>
with another <metadata>...<tools><components><component>...</component></components>...</tools></metadata>
which leads to issues. I'm pretty sure it is a duplicate of #408.