Labels: breaking-change (breaking change, causes a new major version), enhancement (new feature or request), schema 1.5
Description
Describe the feature
Own tools (@cyclonedx/cyclonedx-npm and @cyclonedx/cyclonedx-library) are listed under metadata.tools, which is deprecated. They should be listed under metadata.tools.components as suggested since CycloneDX v1.5.
To Reproduce
Any generated JSON document contains the same output. I've tried the following command on an npm project:
```shell
npx @cyclonedx/cyclonedx-npm --flatten-components --short-PURLs --spec-version 1.6 --output-format JSON --output-file - --omit dev --omit optional
```
Expected behavior
Entries under metadata.tools should be listed under metadata.tools.components according to the "component" data structure.
Screenshots or output-paste
```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "serialNumber": "urn:uuid:5a388864-adb9-4e91-abf1-3331545c6fc0",
  "metadata": {
    "timestamp": "2024-11-05T12:10:06.815Z",
    "tools": [
      {
        "name": "npm",
        "version": "10.9.0"
      },
      {
        "vendor": "@cyclonedx",
        "name": "cyclonedx-npm",
        "version": "1.19.3",
        ...
      },
      {
        "vendor": "@cyclonedx",
        "name": "cyclonedx-library",
        "version": "6.11.0",
        ...
```
Environment
- @cyclonedx/cyclonedx-npm version: 1.19.3
- NPM version: 10.9.0
- Node version: v23.1.0
- OS: MacOS 14.7 (23H124)
Additional context
This is the part of the code where metadata.tools are being populated:
cyclonedx-node-npm/src/builders.ts
Lines 230 to 238 in 96f1046
```typescript
bom.metadata.tools.add(new Models.Tool({
  name: 'npm',
  version: npmVersion // use the self-proclaimed `version`
  // omit `vendor` and `externalReferences`, because we cannot be sure about the used tool's actual origin
  // omit `hashes`, because unfortunately there is no agreed process of generating them
}))
for (const tool of this.makeTools()) {
  bom.metadata.tools.add(tool)
}
```
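As an added example (not code from cyclonedx-npm or the CycloneDX library), the following TypeScript checks a generated JSON BOM for the deprecated `metadata.tools` array form the issue describes and, for spec version 1.5 or later, rewrites it into the `metadata.tools.components` form; the mapping of a Tool's `vendor` onto a Component's `group` is an assumption of this example, and the sample BOM is constructed from the shape reported above.

```typescript
// Added example: detect the legacy `metadata.tools` array and migrate it to
// the `metadata.tools.components` form that CycloneDX 1.5+ recommends.

type LegacyTool = {
  vendor?: string; name?: string; version?: string;
  hashes?: unknown[]; externalReferences?: unknown[];
};
type ToolComponent = {
  type: 'application'; group?: string; name: string; version?: string;
  hashes?: unknown[]; externalReferences?: unknown[];
};
type Bom = {
  specVersion: string;
  metadata?: { tools?: LegacyTool[] | { components?: ToolComponent[]; services?: unknown[] } };
};

/** Legacy form is a bare array; the 1.5+ form is an object carrying `components`. */
function usesDeprecatedToolsArray(bom: Bom): boolean {
  return Array.isArray(bom.metadata?.tools);
}

/** Map one legacy Tool onto a Component (assumption: vendor -> group). */
function toolToComponent(tool: LegacyTool): ToolComponent {
  const c: ToolComponent = { type: 'application', name: tool.name ?? 'unknown' };
  if (tool.vendor !== undefined) c.group = tool.vendor;
  if (tool.version !== undefined) c.version = tool.version;
  if (tool.hashes !== undefined) c.hashes = tool.hashes;
  if (tool.externalReferences !== undefined) c.externalReferences = tool.externalReferences;
  return c;
}

/** Return a copy with tools under metadata.tools.components; refuse on spec < 1.5. */
function migrateTools(bom: Bom): Bom {
  const [major, minor] = bom.specVersion.split('.').map(Number);
  if (major < 1 || (major === 1 && minor < 5)) {
    throw new Error(`tools.components requires spec >= 1.5, got ${bom.specVersion}`);
  }
  const tools = bom.metadata?.tools;
  if (!Array.isArray(tools)) return bom; // already the current form, or no tools at all
  return { ...bom, metadata: { ...bom.metadata, tools: { components: tools.map(toolToComponent) } } };
}

// Constructed sample, trimmed from the output pasted in the issue.
const sampleBom: Bom = {
  specVersion: '1.6',
  metadata: { tools: [
    { name: 'npm', version: '10.9.0' },
    { vendor: '@cyclonedx', name: 'cyclonedx-npm', version: '1.19.3' },
  ] },
};
```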