
Support new tool metadata format in the merge syft sbom script #452

Closed
brunoapimentel wants to merge 1 commit into hermetoproject:main from brunoapimentel:syft-sbom-merge-fix

Conversation

@brunoapimentel brunoapimentel commented Jan 10, 2024

CycloneDX 1.5 changes the way to define tools in the metadata section, and marks the 1.4 way as deprecated.

Syft has adopted the newer format starting from version 0.99.0. This makes the 'merge_syft_sbom.py' script fail when a newer Syft SBOM is used.

This patch updates the script so both formats can be handled.

CycloneDX 1.4:

{
   "metadata": {
      "tools": [
          {
             "vendor": "red hat",
             "name": "cachi2"
          }
      ]
   }
}

CycloneDX 1.5:

{
   "metadata": {
      "tools": {
         "components": [
            {
               "type": "application",
               "author": "red hat",
               "name": "cachi2"
            }
         ]
      }
   }
}

Maintainers will complete the following section

  • Commit messages are descriptive enough
  • Code coverage from testing does not decrease and new code is covered
  • [n/a] Docs updated (if applicable)
  • [n/a] Docs links in the code are still valid (if docs were updated)

CycloneDX 1.5 changes the way to define tools in the metadata section,
and marks the 1.4 way as deprecated.

Syft has adopted the newer format starting from version 0.99.0. This
makes the 'merge_syft_sbom.py' script fail when a newer Syft
SBOM is used.

This patch updates the script so both formats can be handled.

Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
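The two shapes described in the PR description (a plain list of tool objects in CycloneDX 1.4, an object with a `components` list in 1.5) are the whole problem a merge script has to cope with. The following is an added example, not code from the hermeto/cachi2 repository or from this PR: a normaliser that reads either shape into one uniform list and an `add_tool` helper that records an additional tool in whichever shape the document already uses, so the two formats are never mixed inside one SBOM. The function names, the `SYFT_SBOM_14`/`SYFT_SBOM_15` documents and their tool versions are constructed for the example; only the field names (`vendor`/`name` in 1.4, `type`/`author`/`name` under `components` in 1.5) come from the page. An unexpected shape raises instead of being treated as "no tools", so a malformed or tampered `metadata.tools` cannot silently erase the record of which tools produced the SBOM.

```python
import copy
import json
from typing import Any, Optional

# Constructed sample SBOMs (not real Syft output), trimmed to the fields that matter.
SYFT_SBOM_14 = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "tools": [
      {"vendor": "anchore", "name": "syft", "version": "0.98.0"}
    ]
  },
  "components": [{"type": "library", "name": "left-pad", "version": "1.3.0"}]
}
""")

SYFT_SBOM_15 = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "tools": {
      "components": [
        {"type": "application", "author": "anchore", "name": "syft", "version": "0.99.0"}
      ]
    }
  },
  "components": [{"type": "library", "name": "left-pad", "version": "1.3.0"}]
}
""")


def list_tools(sbom: dict[str, Any]) -> list[dict[str, str]]:
    """Return the tool entries as a uniform list of {vendor, name[, version]} dicts,
    whether the document uses the 1.4 list shape or the 1.5 'components' shape.
    Any other shape is rejected rather than silently read as 'no tools'."""
    tools = sbom.get("metadata", {}).get("tools", [])
    if isinstance(tools, list):  # CycloneDX 1.4 shape (deprecated in 1.5)
        return [dict(tool) for tool in tools]
    if isinstance(tools, dict):  # CycloneDX 1.5 shape
        uniform = []
        for comp in tools.get("components", []):
            entry = {"name": comp["name"]}
            if "author" in comp:
                entry["vendor"] = comp["author"]  # 1.5 'author' plays the role of 1.4 'vendor'
            if "version" in comp:
                entry["version"] = comp["version"]
            uniform.append(entry)
        return uniform
    raise ValueError(f"unsupported metadata.tools shape: {type(tools).__name__}")


def add_tool(sbom: dict[str, Any], vendor: str, name: str,
             version: Optional[str] = None) -> dict[str, Any]:
    """Return a copy of the SBOM with one more tool recorded, using the shape the
    document already has (or the shape matching its specVersion when it has none).
    Idempotent: a tool with the same vendor and name is not appended twice."""
    result = copy.deepcopy(sbom)  # never mutate the caller's document
    metadata = result.setdefault("metadata", {})
    if "tools" not in metadata:
        major, minor = (int(x) for x in result.get("specVersion", "1.4").split(".")[:2])
        metadata["tools"] = {"components": []} if (major, minor) >= (1, 5) else []
    tools = metadata["tools"]

    # list_tools() validates the shape and raises on anything unexpected.
    if any(t.get("vendor") == vendor and t.get("name") == name for t in list_tools(result)):
        return result

    if isinstance(tools, list):
        entry: dict[str, str] = {"vendor": vendor, "name": name}
        if version:
            entry["version"] = version
        tools.append(entry)
    else:
        entry = {"type": "application", "author": vendor, "name": name}
        if version:
            entry["version"] = version
        tools.setdefault("components", []).append(entry)
    return result


if __name__ == "__main__":
    for doc in (SYFT_SBOM_14, SYFT_SBOM_15):
        merged = add_tool(doc, "red hat", "cachi2")
        print(doc["specVersion"], json.dumps(merged["metadata"]["tools"], indent=2))
```

Because `add_tool` picks the shape from the document rather than hard-coding one, the same call works on a 0.98 and a 0.99 Syft SBOM; the explicit `ValueError` on any other shape is the check that keeps a bad input from passing through a merge step unnoticed.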
Comment thread utils/merge_syft_sbom.py
was marked as deprecated.

This function aims to support both formats. Notice that, for simplicity reasons, we're ignoring
the actual 'tools' key present in the Cachi2 generated SBOM, and the data following the
Member

Clever. Will this end up being tech debt?

Member Author

Yeah... the kind that might never be paid out. We won't likely change anything about the 'tools' content until (if) we get to the point we're actually adding Cachi2's version number to it. Then this needs to be changed.

On the other hand, the reason I took the simple approach was because I was hoping we could have this fixed ASAP to unblock users from using Yarn in Konflux, but we found a simpler way to fix it. So I can actually go back and implement this the right way.

@brunoapimentel (Member Author)

I introduced a slightly improved version of this patch in #448. It does not hard-code the data the merge script inserts into .metadata.tools of the Syft SBOM, but instead relies on the fact that Cachi2 will be producing CycloneDX 1.5 with the updated .metadata.tools format.

I think we can close this PR and use only #448 instead.

chmeliik added a commit to chmeliik/build-definitions that referenced this pull request Feb 7, 2024
The Renovate PR pairs the cachi2 update with a syft update. The latter
breaks the pipeline (changes needed in the SBOM merge script:
hermetoproject/hermeto#452)

Extract the cachi2 update into a separate PR to unblock it.

Signed-off-by: Adam Cmiel <acmiel@redhat.com>
@brunoapimentel (Member Author)

Closing this in favor of #448

jduimovich pushed a commit to jduimovich/build-definitions that referenced this pull request Feb 20, 2024
skattoju pushed a commit to skattoju/build-definitions that referenced this pull request Feb 20, 2024
@brunoapimentel brunoapimentel deleted the syft-sbom-merge-fix branch April 13, 2024 12:48