@@ -178,6 +178,27 @@ def get_components(bom):
178178 return list (bom ._get_all_components ())
179179
180180
181+ def delete_tools (cyclonedx_document_json ):
182+ """
183+ Remove the ``tools`` section, if defined, from the SBOM as it can
184+ be in the way of loading a SBOM that is valid regarding the spec, but fails the
185+ deserialization.
186+
187+ The ``metadata.tools`` as an array was deprecated in 1.5 and replaced by an
188+ object structure where you can define a list of ``components`` and ``services``.
189+
190+ The new structure is not yet supported by the cyclonedx-python-lib, neither for
191+ serialization (output) nor deserialization (input).
192+
193+ The tools are not used anyway in the context of loading the SBOM component data as
194+ packages.
195+ """
196+ if "tools" in cyclonedx_document_json .get ("metadata" , {}):
197+ del cyclonedx_document_json ["metadata" ]["tools" ]
198+
199+ return cyclonedx_document_json
200+
201+
181202def resolve_cyclonedx_packages (input_location ):
182203 """Resolve the packages from the `input_location` CycloneDX document file."""
183204 input_path = Path (input_location )
@@ -194,6 +215,7 @@ def resolve_cyclonedx_packages(input_location):
194215 f'CycloneDX document "{ input_path .name } \n { errors }
195216 )
196217 raise ValueError (error_msg )
218+ cyclonedx_document = delete_tools (cyclonedx_document )
197219 cyclonedx_bom = Bom .from_json (data = cyclonedx_document )
198220
199221 else :
0 commit comments