Invalid BOM generated when adding more than 1 tool, only for XML format

[jgraglia]

Hi,

I have a problem when writing a BOM with 2+ tools, only in XML format. The xml is wrote but it is not valid : a <tools> element appears for each <tool>

The generated file looks like

<bom version="1" xmlns="http://cyclonedx.org/schema/bom/1.5">
  <metadata>
    <timestamp>2024-09-01T08:41:47Z</timestamp>
    <tools>
      <tool>
        <vendor>corp A</vendor>
        <name>tool A</name>
        <version>1-A</version>
      </tool>
    </tools>
    <tools>   <!-- pb here -->
      <tool>
        <vendor>corp B</vendor>
        <name>tool B</name>
        <version>1-B</version>
      </tool>
    </tools>
    <tools>   <!-- pb here -->
      <tool>
        <vendor>corp C</vendor>
        <name>tool C</name>
        <version>1-C</version>
      </tool>
    </tools>
  </metadata>
</bom>

This problem does not appears when serializing as json. I notice that the tools section is deprecated and that there are some jackson annotations (ref) to handle a transition from metadata > tools to metadata > components|services

The problem is present with versions 1.5 and 1.6

I have setup a minimal testcase to reproduce the problem : https://github.com/netceler/cyclonedx-core-java/commit/458cbec42304255fec845758e87608442fc43546

• should_write_a_single_tool_in_xml_format is ok
• should_write_many_tools_with_json_format is also ok
• testIssuesWhenSerializingMultiplesToolsInXmlFormat fails

I originally found the bug with version 9.0.5 but it is also active with 9.0.6-SNAPSHOT

[jgraglia]

I think it's more a Jackson configuration issue with the @JacksonXmlElementWrapper and @JacksonXmlProperty annotations on tools, in Metadata class... Each tool item is serialized with it's own tools wrapper element. :thinking:

[nscuro]

Fixed by #568