
cyclonedx-cli merge Command Produces SBOM with Null Values for Tools

Open anubhav-tyagi1 opened this issue 1 year ago • 0 comments

I am using syft version 1.4.1 to generate an SBOM from an image; the generated SBOM has the correct metadata.tools values, which can be seen below:

"metadata": {
    "timestamp": "2024-05-28T09:21:33Z",
    "tools": {
        "components": [
            {
                "type": "application",
                "author": "anchore",
                "name": "syft",
                "version": "1.4.1"
            }
        ]
    },

Now when I execute the cyclonedx-cli merge command with the --hierarchical flag to perform a hierarchical merge, the generated SBOM contains metadata.tools = null, which can be seen below:

"metadata": {
    "tools": null,

After doing a bit more analysis, it was found that this issue appears after updating to cyclonedx-cli 0.25.0 and was not present in 0.24.2.

Also, it was seen that if we generate the SBOM using any other tool, such as the CycloneDX plugin for Gradle, then the issue is not there.

To replicate the issue:

  • Generate an SBOM (SBOM-1) using syft (I was using v1.4.1) and an image.
  • Validate the generated SBOM (SBOM-1) using the cyclonedx-cli validate command (the generated SBOM-1 will be validated successfully).
  • Execute cyclonedx-cli merge --output-file sbom-2.json --output-format json --input-format json --hierarchical --group "group1" --name "name1" --version "1.0" --input-files SBOM-1.json (using cyclonedx-cli 0.25.0).
  • Validate the generated SBOM (SBOM-2) using the cyclonedx-cli validate command (the SBOM-2 validation will fail because the value of tools is null).

anubhav-tyagi1 May 30 '24 09:05
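The reproduction steps above amount to a check on the merged document's metadata.tools field. The following Python script is an added example, not code from the issue or from cyclonedx-cli: it detects the null tools value the report describes, reads tool entries from both the CycloneDX 1.5 object form that syft emits and the pre-1.5 array form, and rebuilds metadata.tools in the merged SBOM from the inputs as a post-processing workaround. The two SBOM documents are constructed samples trimmed to the fields that matter; the function names (`tool_entries`, `has_null_tools`, `restore_tools`) are this example's own.

```python
import json
from copy import deepcopy

# Constructed sample input, shaped like the syft 1.4.1 output quoted in the
# issue: CycloneDX 1.5 encodes metadata.tools as an object with "components".
SYFT_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2024-05-28T09:21:33Z",
    "tools": {
      "components": [
        {"type": "application", "author": "anchore", "name": "syft", "version": "1.4.1"}
      ]
    },
    "component": {"type": "container", "name": "example-image", "version": "1.0"}
  },
  "components": []
}
""")

# Constructed sample output: what the issue reports after a hierarchical merge,
# with metadata.tools serialised as null.
MERGED_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "tools": null,
    "component": {"type": "application", "group": "group1", "name": "name1", "version": "1.0"}
  },
  "components": []
}
""")


def tool_entries(sbom):
    """Return the tool entries under metadata.tools as a list of dicts.

    Accepts both encodings: the 1.5+ object form {"components": [...]} and the
    pre-1.5 array form [{"vendor": ..., "name": ..., "version": ...}].
    A null or missing tools field yields an empty list.
    """
    tools = (sbom.get("metadata") or {}).get("tools")
    if tools is None:
        return []
    if isinstance(tools, dict):
        return list(tools.get("components") or [])
    if isinstance(tools, list):
        return list(tools)
    raise TypeError(f"unexpected metadata.tools type: {type(tools).__name__}")


def has_null_tools(sbom):
    """True when metadata.tools is present but null, the defect the issue describes.

    Checking this explicitly gives a clearer error than the schema validator's
    generic type message.
    """
    metadata = sbom.get("metadata") or {}
    return "tools" in metadata and metadata["tools"] is None


def restore_tools(merged, inputs):
    """Return a copy of `merged` with metadata.tools rebuilt from `inputs`.

    Only acts when the merged document has tools == null. Entries are
    deduplicated on (author or vendor, name, version) so one scanner used on
    several inputs appears once. This is a workaround applied after the merge,
    not behaviour of cyclonedx-cli itself.
    """
    fixed = deepcopy(merged)
    if not has_null_tools(fixed):
        return fixed
    seen, components = set(), []
    for sbom in inputs:
        for entry in tool_entries(sbom):
            key = (entry.get("author") or entry.get("vendor"),
                   entry.get("name"), entry.get("version"))
            if key not in seen:
                seen.add(key)
                components.append(entry)
    fixed["metadata"]["tools"] = {"components": components}
    return fixed


if __name__ == "__main__":
    print("merged SBOM has null tools:", has_null_tools(MERGED_SBOM))
    repaired = restore_tools(MERGED_SBOM, [SYFT_SBOM])
    print(json.dumps(repaired["metadata"]["tools"], indent=2))
```

Run this against the real SBOM-1.json and sbom-2.json from the steps above by replacing the two constructed documents with `json.load(open(path))`; if `has_null_tools` reports true on the merged file, the repaired document from `restore_tools` is what the validate step expects to see.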