[PATCH] build: add explicit timezone in CycloneDX SBOM

[Roman Azarenko]

Per the CycloneDX 1.4 spec, the `metadata.timestamp` field contains
the date/time when the BOM was created [1].

Before the change, the value generated by the package-metadata.pl
script would look like this:

	2024-06-03T15:51:10

CycloneDX 1.4 relies on the JSON Schema specification version draft-07,
which defines the `date-time` format [2] as derived from RFC 3339,
section 5.6 [3]. In this format, the `time-offset` component is required,
however in the original version of package-metadata.pl it is omitted.

This is causing problems with OWASP Dependency-Track version 4.11.0 or
newer, where it now validates submitted SBOMs against the JSON schema
by default [4]. SBOMs with incorrect timestamp values are rejected with
the following error:

	{
	    "detail": "Schema validation failed",
	    "errors": [
	        "$.metadata.timestamp: 2024-06-03T15:51:10 is an invalid date-time"
	    ],
	    "status": 400,
	    "title": "The uploaded BOM is invalid"
	}

Add explicit `Z` (UTC) timezone offset in the `timestamp` field
to satisfy the CycloneDX schema.

[1]: https://github.com/CycloneDX/specification/blob/1.4/schema/bom-1.4.schema.json#L116-L121
[2]: https://json-schema.org/draft-07/draft-handrews-json-schema-validation-01#rfc.section.7.3.1
[3]: https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
[4]: https://github.com/DependencyTrack/dependency-track/pull/3522

Signed-off-by: Roman Azarenko <roman.azarenko at iopsys.eu>
---
 scripts/package-metadata.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/package-metadata.pl b/scripts/package-metadata.pl
index 1e47052ba028..82bd4360f3bb 100755
--- a/scripts/package-metadata.pl
+++ b/scripts/package-metadata.pl
@@ -655,7 +655,7 @@ sub dump_cyclonedxsbom_json {
 		serialNumber => "urn:uuid:$uuid",
 		version => 1,
 		metadata => {
-			timestamp => gmtime->datetime,
+			timestamp => gmtime->datetime . 'Z',
 		},
 		"components" => [@components],
 	};
-- 
2.45.1