Festo-se / cyclonedx-editor-validator

Tool for creating, modifying and validating CycloneDX SBOMs.
https://festo-se.github.io/cyclonedx-editor-validator/
GNU General Public License v3.0

Add support for new tools format in CycloneDX 1.5 #137

Closed mmarseu closed 4 months ago

mmarseu commented 6 months ago

CycloneDX 1.5 has deprecated the .metadata.tools array in favor of an object. See here: https://cyclonedx.org/docs/1.5/json/#tab-pane_metadata_tools_oneOf_i0

Example:

{
    "metadata": {
        "tools": {
            "components": [
                {
                    "type": "application",
                    "author": "anchore",
                    "name": "syft",
                    "version": "1.0.1"
                }
            ]
        }
    }
}

Currently, this tool errors out when faced with an SBOM with such an object:

Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "C:\Appl\Python\Scripts\cdx-ev.exe\__main__.py", line 7, in <module>
  File "C:\Appl\Python\Lib\site-packages\cdxev\__main__.py", line 40, in main
    return args.cmd_handler(args)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Appl\Python\Lib\site-packages\cdxev\__main__.py", line 463, in invoke_amend
    write_sbom(sbom, args.output)
  File "C:\Appl\Python\Lib\site-packages\cdxev\auxiliary\output.py", line 36, in write_sbom
    update_tools(sbom)
  File "C:\Appl\Python\Lib\site-packages\cdxev\auxiliary\output.py", line 113, in update_tools
    tools.append(this_tool)
    ^^^^^^^^^^^^
AttributeError: 'dict' object has no attribute 'append'

mmarseu commented 6 months ago

When implementing this, I ran into the gotcha I'd like to discuss in #142. Specifically, here the problem is what to do if the SBOM we're outputting doesn't yet have a .metadata.tools property. Do we create it as an object, as is the state-of-the-art in CycloneDX 1.5 or do we create it as an array, which is now deprecated but used to be the only valid option until 1.5.

Until we set ourselves a clear strategy for dealing with CycloneDX versions, the answer is simple: I'm going to create an array, even if it's deprecated. It is the only way to ensure valid output. This comment is only to document this choice.