MergeCommand.cs: use new cyclonedx-dotnet-library features to CleanupMetadataComponent() and CleanupEmptyLists() as a finishing touch, to avoid inducing a spec violation with a duplicate bom-ref

Author: jimklimov

src/cyclonedx/Commands/MergeCommand.cs

@@ -89,7 +89,9 @@ public static async Task<int> Merge(MergeCommandOptions options)
                 }
                 else
                 {
-                    // otherwise use the first non-null component from the input BOMs as the default
+                    // otherwise use the first non-null component from the input
+                    // BOMs as the default; note CleanupMetadataComponent() below
+                    // to ensure that such bom-ref exists in the document only once.
                     foreach (var bom in inputBoms)
                     {
                         if(bom.Metadata != null && bom.Metadata.Component != null)
@@ -101,8 +103,19 @@ public static async Task<int> Merge(MergeCommandOptions options)
                 }
             }
 
+            outputBom = CycloneDXUtils.CleanupMetadataComponent(outputBom);
+            outputBom = CycloneDXUtils.CleanupEmptyLists(outputBom);
+
             outputBom.Version = 1;
             outputBom.SerialNumber = "urn:uuid:" + System.Guid.NewGuid().ToString();
+            if (outputBom.Metadata is null)
+            {
+                outputBom.Metadata = new Metadata();
+            }
+            if (outputBom.Metadata.Timestamp is null)
+            {
+                outputBom.Metadata.Timestamp = DateTime.Now;
+            }
 
             if (!outputToConsole)
             {