Open jordanefillatre opened 3 days ago
CycloneDX assemble fails when a 1.6 schemaVersion is used that includes an object for tools in place of the deprecated array:
```
sbomasm assemble -n app -v 1.0.0 -t application -o /var/tmp/final-product.cdx.json /var/tmp/base-image-cdx.json ./target/bom.json
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x85b87c]

goroutine 1 [running]:
github.com/interlynk-io/sbomasm/pkg/assemble/cdx.buildToolList({0xc000285b20, 0x2, 0x2?})
	github.com/interlynk-io/sbomasm@v0.1.9/pkg/assemble/cdx/util.go:215 +0x45c
github.com/interlynk-io/sbomasm/pkg/assemble/cdx.(*merge).combinedMerge(0xc0004d7b98)
	github.com/interlynk-io/sbomasm@v0.1.9/pkg/assemble/cdx/merge.go:78 +0x445
github.com/interlynk-io/sbomasm/pkg/assemble/cdx.Merge(0xc00017e180)
	github.com/interlynk-io/sbomasm@v0.1.9/pkg/assemble/cdx/interface.go:143 +0x1a9
github.com/interlynk-io/sbomasm/pkg/assemble.(*combiner).combine(0xc0004d7c30)
	github.com/interlynk-io/sbomasm@v0.1.9/pkg/assemble/combiner.go:45 +0xb7
github.com/interlynk-io/sbomasm/pkg/assemble.Assemble(0xc00017f800)
	github.com/interlynk-io/sbomasm@v0.1.9/pkg/assemble/interface.go:69 +0x47
github.com/interlynk-io/sbomasm/cmd.init.func1(0x1099720, {0xc00020e6e0, 0x2, 0xa})
	github.com/interlynk-io/sbomasm@v0.1.9/cmd/assemble.go:69 +0x1c8
github.com/spf13/cobra.(*Command).execute(0x1099720, {0xc00020e5a0, 0xa, 0xa})
	github.com/spf13/cobra@v1.8.1/command.go:985 +0xaaa
github.com/spf13/cobra.(*Command).ExecuteC(0x109a2a0)
	github.com/spf13/cobra@v1.8.1/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(...)
	github.com/spf13/cobra@v1.8.1/command.go:1041
github.com/interlynk-io/sbomasm/cmd.Execute()
	github.com/interlynk-io/sbomasm@v0.1.9/cmd/root.go:47 +0x1f
main.main()
	github.com/interlynk-io/sbomasm@v0.1.9/main.go:21 +0xf
```
```json
{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.6",
  "serialNumber" : "urn:uuid:823ae467-74a6-3333-afea-77fb6df1c1aa",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2024-11-22T14:08:27Z",
    "lifecycles" : [ { "phase" : "build" } ],
    "tools" : {
      "components" : [ {
        "type" : "library",
        "author" : "OWASP Foundation",
        "group" : "org.cyclonedx",
        "name" : "cyclonedx-maven-plugin",
        "version" : "2.9.0",
        "description" : "CycloneDX Maven plugin",
        "hashes" : [
          { "alg" : "MD5", "content" : "dfaeab7ec837ce07874e2ee66fdc57d3" },
          { "alg" : "SHA-1", "content" : "8bab47bafc8183d0a5f37790ff55ed05ead1ae2d" },
          { "alg" : "SHA-256", "content" : "67117e03eae4a03ca8bab3add044995f4899aa21798a2510b8265ef8101e90ac" },
          { "alg" : "SHA-512", "content" : "ae6b706516bb76da806b7854aef9e348fa593f5159ae9d693ad38942165c0ebc0846d977a477f6029612d43468fd2cd73a5aa253c228a94fb8d184e0acefc3d2" },
          { "alg" : "SHA-384", "content" : "ee872354d8b0dcd6f9835a913b3aaba70d9365a46043be78020183282a1e9fca812e969246cbe31d642541591b46648b" },
          { "alg" : "SHA3-384", "content" : "e5167f9e7ceba3b7b4d1900c404543907868745334bedc69cdf79c271727148413033a3b1426b733b7549e612e44adee" },
          { "alg" : "SHA3-256", "content" : "41fc0bc2275f354e2c7da01041ce73ce677364799cba53920a180aa5d4571c63" },
          { "alg" : "SHA3-512", "content" : "ed7f97900b09b818dbc0b8a23c00a2843e1bc34e2e8eb5b6df52533af0a15b721de6f7d5c2fd9352b8d4fde768e080053b40a16f0f9f04c336fe9b44abe83fc0" }
        ]
      } ]
    },
    ...
```
Spec ref: https://cyclonedx.org/docs/1.6/json/#metadata_tools
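The panic sits in `buildToolList`, which evidently assumes the pre-1.5 array form of `metadata.tools`. The Go snippet below is an added example, not sbomasm's code: it uses minimal hypothetical types (`Entry`, `ToolsChoice`, `BOM`, `MergeToolNames`) to decode both the legacy array and the 1.5+ object form, and nil-checks `metadata`/`tools` so that a document that omits them, or is simply malformed, yields an empty list or an error instead of a crash. The two BOM strings are constructed inputs.

```go
package main
import "encoding/json"

// Minimal CycloneDX types written for this example, not sbomasm's own types.
type Entry struct { // a legacy tool object or a 1.5+ tool component
	Name    string `json:"name"`
	Version string `json:"version"`
}
// ToolsChoice normalizes metadata.tools: an array of tool objects before CycloneDX
// 1.5, an object {"components": [...], "services": [...]} from 1.5 on (services skipped).
type ToolsChoice struct{ Entries []Entry }
// UnmarshalJSON accepts both encodings instead of assuming the array form.
func (t *ToolsChoice) UnmarshalJSON(b []byte) error {
	if len(b) > 0 && b[0] == '[' {
		return json.Unmarshal(b, &t.Entries)
	}
	var obj struct {
		Components []Entry `json:"components"`
	}
	err := json.Unmarshal(b, &obj)
	t.Entries = obj.Components
	return err
}
type BOM struct {
	Metadata *struct {
		Tools *ToolsChoice `json:"tools"`
	} `json:"metadata"`
}
// MergeToolNames parses each raw BOM and returns every tool as "name@version".
// The nil checks make an absent metadata or tools field a no-op, not a panic.
func MergeToolNames(docs ...string) ([]string, error) {
	var out []string
	for _, d := range docs {
		var b BOM
		if err := json.Unmarshal([]byte(d), &b); err != nil {
			return nil, err
		}
		if b.Metadata == nil || b.Metadata.Tools == nil {
			continue
		}
		for _, e := range b.Metadata.Tools.Entries {
			out = append(out, e.Name+"@"+e.Version)
		}
	}
	return out, nil
}

// Constructed inputs: a legacy-array BOM and a 1.6 object-form BOM like the one reported.
const LegacyBOM = `{"specVersion":"1.4","metadata":{"tools":[{"name":"legacy-scanner","version":"1.0.0"}]}}`
const ObjectBOM = `{"specVersion":"1.6","metadata":{"tools":{"components":[{"type":"library","name":"cyclonedx-maven-plugin","version":"2.9.0"}]}}}`
```

Because SBOMs are often produced by third parties and merged unattended in CI, a decoder that panics on an unexpected shape is a denial-of-service point in the pipeline; returning an error keeps the failure contained and visible.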
@jordanefillatre thanks for filing the issue, will take a look