1.5 deprecate tools

[mr-zepol]

This PR has changed for the deprecation of tools, I had to introduce different Deserializers to make it work correctly since I had to deserialize the Metadata to make sure only the right info was loaded based on the schema definition.

Tools still have precedence over components/services if it's present.

[sonatype-lift]

🛠 Lift Auto-fix

Some of the Lift findings in this PR can be automatically fixed. You can download and apply these changes in your local project directory of your branch to review the suggestions before committing.¹

# Download the patch
curl https://lift.sonatype.com/api/patch/github.com/CycloneDX/cyclonedx-core-java/316.diff -o lift-autofixes.diff

# Apply the patch with git
git apply lift-autofixes.diff

# Review the changes
git diff

Want it all in a single command? Open a terminal in your project's directory and copy and paste the following command:

curl https://lift.sonatype.com/api/patch/github.com/CycloneDX/cyclonedx-core-java/316.diff | git apply

Once you're satisfied, commit and push your changes in your project.

Footnotes

1. You can preview the patch by opening the patch URL in the browser. ↩

[sschuberth]

For the record, the deprecation of the Tool class is a bit of a problem for code that wants / needs to write out spec 1.4 compliant SBOMs without using any non-deprecated code (e.g. due to project policies). Is there a way around that?

[stevespringett]

@sschuberth Java doesn't distinguish between specification vs implementation deprecation. A field/method is either deprecated or its not. In the case of the specification, the use of tools is deprecated and will be removed in CycloneDX v2.0, therefore we've deprecated the implementation supporting it.

You may want to experiment, but it may be possible to write out 1.4 BOMs via reflection, rather than calling the methods directly. This may work around the deprecation warnings, but I'm not entirely sure.