[FEAT] emit tools as `metadata.tools.components`

[hakandilek]

Describe the feature

Own tools (@cyclonedx/cyclonedx-npm and @cyclonedx/cyclonedx-library) are listed under medatada.tools which is deprecated. They should be listed under medatada.tools.components as suggested since CycloneDX v1.5.

To Reproduce

Any generated JSON document contains the same output. I've tried the following command on an npm project:

npx @cyclonedx/cyclonedx-npm --flatten-components --short-PURLs --spec-version 1.6 --output-format JSON --output-file - --omit dev --omit optional

Expected behavior

Entries under metadata.tools should be listed under medatada.tools.components according to the "component" data structure.

Screenshots or output-paste

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "serialNumber": "urn:uuid:5a388864-adb9-4e91-abf1-3331545c6fc0",
  "metadata": {
    "timestamp": "2024-11-05T12:10:06.815Z",
    "tools": [
      {
        "name": "npm",
        "version": "10.9.0"
      },
      {
        "vendor": "@cyclonedx",
        "name": "cyclonedx-npm",
        "version": "1.19.3",
       ...
      },
      {
        "vendor": "@cyclonedx",
        "name": "cyclonedx-library",
        "version": "6.11.0",
     ...

Environment

• @cyclonedx/cyclonedx-npm version: 1.19.3
• NPM version: 10.9.0
• Node version: v23.1.0
• OS: MacOS 14.7 (23H124)

Additional context

This is the part of the code where metadata.tools are being populated:

https://github.com/CycloneDX/cyclonedx-node-npm/blob/96f1046406005dd7449ef0206ce499aaaaa449f3/src/builders.ts#L230-L238

[jkowalleck]

depends on https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1152

[hakandilek]

depends on https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1152

I've missed that one. You're right. It's probably better to wait on this one and adopt here accordingly.