Incorporate format API changes from syft (#1582)

* incorporate changes from anchore/syft#2228

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix testing utils to use syft SBOM

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

go.mod

@@ -13,8 +13,8 @@ require (
 	github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 	github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4
 	github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501
-	github.com/anchore/stereoscope v0.0.0-20230925132944-bf05af58eb44
-	github.com/anchore/syft v0.94.0
+	github.com/anchore/stereoscope v0.0.0-20231027135531-5909e353ee88
+	github.com/anchore/syft v0.94.1-0.20231030161204-1aaa6440073d
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/bmatcuk/doublestar/v2 v2.0.4
 	github.com/charmbracelet/bubbletea v0.24.2
@@ -61,20 +61,20 @@ require (
 )
 
 require (
-	cloud.google.com/go v0.110.2 // indirect
-	cloud.google.com/go/compute v1.20.1 // indirect
+	cloud.google.com/go v0.110.4 // indirect
+	cloud.google.com/go/compute v1.21.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v1.1.0 // indirect
-	cloud.google.com/go/storage v1.29.0 // indirect
+	cloud.google.com/go/iam v1.1.1 // indirect
+	cloud.google.com/go/storage v1.30.1 // indirect
 	dario.cat/mergo v1.0.0 // indirect
-	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // indirect
-	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20221215162035-5330a85ea652 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
+	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
 	github.com/DataDog/zstd v1.4.5 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/Microsoft/hcsshim v0.10.0-rc.7 // indirect
+	github.com/Microsoft/hcsshim v0.11.1 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
 	github.com/acobaugh/osrelease v0.1.0 // indirect
 	github.com/acomagu/bufpipe v1.0.4 // indirect
@@ -88,18 +88,19 @@ require (
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/becheran/wildmatch-go v1.0.0 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
-	github.com/bmatcuk/doublestar/v4 v4.6.0 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.6.1 // indirect
 	github.com/charmbracelet/bubbles v0.16.1 // indirect
 	github.com/charmbracelet/harmonica v0.2.0 // indirect
 	github.com/cloudflare/circl v1.3.3 // indirect
 	github.com/containerd/cgroups v1.1.0 // indirect
 	github.com/containerd/console v1.0.4-0.20230313162750-1ae8d489ac81 // indirect
-	github.com/containerd/containerd v1.7.0 // indirect
-	github.com/containerd/continuity v0.3.0 // indirect
+	github.com/containerd/containerd v1.7.8 // indirect
+	github.com/containerd/continuity v0.4.2 // indirect
 	github.com/containerd/fifo v1.1.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
-	github.com/containerd/ttrpc v1.2.1 // indirect
-	github.com/containerd/typeurl/v2 v2.1.0 // indirect
+	github.com/containerd/ttrpc v1.2.2 // indirect
+	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da // indirect
@@ -121,7 +122,7 @@ require (
 	github.com/glebarez/go-sqlite v1.21.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.5.0 // indirect
-	github.com/go-git/go-git/v5 v5.9.0 // indirect
+	github.com/go-git/go-git/v5 v5.10.0 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-restruct/restruct v1.2.0-alpha // indirect
@@ -228,7 +229,7 @@ require (
 	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/mod v0.13.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/oauth2 v0.8.0 // indirect
+	golang.org/x/oauth2 v0.10.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/term v0.13.0 // indirect
@@ -238,10 +239,10 @@ require (
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	google.golang.org/api v0.128.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect
-	google.golang.org/grpc v1.56.3 // indirect
+	google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
+	google.golang.org/grpc v1.58.3 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect

go.sum

@@ -33,8 +33,8 @@ cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w9
 cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
 cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU=
 cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA=
-cloud.google.com/go v0.110.2 h1:sdFPBr6xG9/wkBbfhmUz/JmZC7X6LavQgcrVINrKiVA=
-cloud.google.com/go v0.110.2/go.mod h1:k04UEeEtb6ZBRTv3dZz4CeJC3jKGxyhl0sAiVVquxiw=
+cloud.google.com/go v0.110.4 h1:1JYyxKMN9hd5dR2MYTPWkGUgcoxVVhg0LKNKEo0qvmk=
+cloud.google.com/go v0.110.4/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI=
 cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw=
 cloud.google.com/go/aiplatform v1.24.0/go.mod h1:67UUvRBKG6GTayHKV8DBv2RtR1t93YRu5B1P3x99mYY=
 cloud.google.com/go/analytics v0.11.0/go.mod h1:DjEWCu41bVbYcKyvlws9Er60YE4a//bK6mnhWvQeFNI=
@@ -71,8 +71,8 @@ cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz
 cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU=
 cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
 cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU=
-cloud.google.com/go/compute v1.20.1 h1:6aKEtlUiwEpJzM001l0yFkpXmUVXaN8W+fbkb2AZNbg=
-cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
+cloud.google.com/go/compute v1.21.0 h1:JNBsyXVoOoNJtTQcnEY5uYpZIbeCTYIeDe0Xh1bySMk=
+cloud.google.com/go/compute v1.21.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I=
@@ -113,8 +113,8 @@ cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y97
 cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc=
 cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY=
 cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc=
-cloud.google.com/go/iam v1.1.0 h1:67gSqaPukx7O8WLLHMa0PNs3EBGd2eE4d+psbO/CO94=
-cloud.google.com/go/iam v1.1.0/go.mod h1:nxdHjaKfCr7fNYx/HJMM8LgiMugmveWlkatear5gVyk=
+cloud.google.com/go/iam v1.1.1 h1:lW7fzj15aVIXYHREOqjRBV9PsH0Z6u8Y46a1YGvQP4Y=
+cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU=
 cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic=
 cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI=
 cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8=
@@ -176,8 +176,8 @@ cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3f
 cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
 cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc=
 cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s=
-cloud.google.com/go/storage v1.29.0 h1:6weCgzRvMg7lzuUurI4697AqIRPU1SvzHhynwpW31jI=
-cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4=
+cloud.google.com/go/storage v1.30.1 h1:uOdMxAs8HExqBlnLtnQyP0YkvbiDpdGShGKtx6U/oNM=
+cloud.google.com/go/storage v1.30.1/go.mod h1:NfxhC0UJE1aXSx7CIIbCf7y9HKT7BiccwkR7+P7gN8E=
 cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw=
 cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g=
 cloud.google.com/go/videointelligence v1.6.0/go.mod h1:w0DIDlVRKtwPCn/C4iwZIJdvC69yInhW0cfi+p546uU=
@@ -192,10 +192,10 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS
 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 h1:EKPd1INOIyr5hWOWhvpmQpY6tKjeG0hT1s3AMC/9fic=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1/go.mod h1:VzwV+t+dZ9j/H867F1M2ziD+yLHtB46oM35FxxMJ4d0=
-github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20221215162035-5330a85ea652 h1:+vTEFqeoeur6XSq06bs+roX3YiT49gUniJK7Zky7Xjg=
-github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20221215162035-5330a85ea652/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
+github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 h1:59MxjQVfjXsBpLy+dbd2/ELV5ofnUkUZBvWSC85sheA=
+github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@@ -219,8 +219,8 @@ github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBa
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/Microsoft/hcsshim v0.10.0-rc.7 h1:HBytQPxcv8Oy4244zbQbe6hnOnx544eL5QPUqhJldz8=
-github.com/Microsoft/hcsshim v0.10.0-rc.7/go.mod h1:ILuwjA+kNW+MrN/w5un7n3mTqkwsFu4Bp05/okFUZlE=
+github.com/Microsoft/hcsshim v0.11.1 h1:hJ3s7GbWlGK4YVV92sO88BQSyF4ZLVy7/awqOlPxFbA=
+github.com/Microsoft/hcsshim v0.11.1/go.mod h1:nFJmaO4Zr5Y7eADdFOpYswDDlNVbvcIJJNJLECr5JQg=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
 github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
@@ -254,10 +254,10 @@ github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 h1:rmZG77uXgE
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
 github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501 h1:AV7qjwMcM4r8wFhJq3jLRztew3ywIyPTRapl2T1s9o8=
 github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501/go.mod h1:Blo6OgJNiYF41ufcgHKkbCKF2MDOMlrqhXv/ij6ocR4=
-github.com/anchore/stereoscope v0.0.0-20230925132944-bf05af58eb44 h1:dKMvcpgqsRrX1ZWyqG53faVW+BahlaAO1RUEc7/rOjA=
-github.com/anchore/stereoscope v0.0.0-20230925132944-bf05af58eb44/go.mod h1:RtbeDCho0pxkPqrB1QNf/Jlxfc9juLmtYZAf2UbpJfk=
-github.com/anchore/syft v0.94.0 h1:bQKGqSjW1eaOU5nz/lIfmE7N3ePfSQr2PKSlx9Sts4k=
-github.com/anchore/syft v0.94.0/go.mod h1:3P7bisGb54g2qJ7VA4jcmMnxJEnSwypr6hyNsoida7g=
+github.com/anchore/stereoscope v0.0.0-20231027135531-5909e353ee88 h1:2fQngWFSfBIUWuMGo6qy+jVTyrMNuY+eL5IkE36oTJo=
+github.com/anchore/stereoscope v0.0.0-20231027135531-5909e353ee88/go.mod h1:GKAnytSVV1hoqB5r5Gd9M5Ph3Rzqq0zPdEJesewjC2w=
+github.com/anchore/syft v0.94.1-0.20231030161204-1aaa6440073d h1:UdTzILP82RNe1njm9ikqh9Cbeh+Io/y8Bk1kD1Ud7W8=
+github.com/anchore/syft v0.94.1-0.20231030161204-1aaa6440073d/go.mod h1:WwGbgcx1MEG8qfjsT0hVOALvbSYawfEjqrq4/vXev38=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
 github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
@@ -293,8 +293,8 @@ github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bmatcuk/doublestar/v2 v2.0.4 h1:6I6oUiT/sU27eE2OFcWqBhL1SwjyvQuOssxT4a1yidI=
 github.com/bmatcuk/doublestar/v2 v2.0.4/go.mod h1:QMmcs3H2AUQICWhfzLXz+IYln8lRQmTZRptLie8RgRw=
-github.com/bmatcuk/doublestar/v4 v4.6.0 h1:HTuxyug8GyFbRkrffIpzNCSK4luc0TY3wzXvzIZhEXc=
-github.com/bmatcuk/doublestar/v4 v4.6.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
+github.com/bmatcuk/doublestar/v4 v4.6.1 h1:FH9SifrbvJhnlQpztAx++wlkk70QBf0iBWDwNy7PA4I=
+github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
@@ -337,18 +337,20 @@ github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHq
 github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
 github.com/containerd/console v1.0.4-0.20230313162750-1ae8d489ac81 h1:q2hJAaP1k2wIvVRd/hEHD7lacgqrCPS+k8g1MndzfWY=
 github.com/containerd/console v1.0.4-0.20230313162750-1ae8d489ac81/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
-github.com/containerd/containerd v1.7.0 h1:G/ZQr3gMZs6ZT0qPUZ15znx5QSdQdASW11nXTLTM2Pg=
-github.com/containerd/containerd v1.7.0/go.mod h1:QfR7Efgb/6X2BDpTPJRvPTYDE9rsF0FsXX9J8sIs/sc=
-github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg=
-github.com/containerd/continuity v0.3.0/go.mod h1:wJEAIwKOm/pBZuBd0JmeTvnLquTB1Ag8espWhkykbPM=
+github.com/containerd/containerd v1.7.8 h1:RkwgOW3AVUT3H/dyT0W03Dc8AzlpMG65lX48KftOFSM=
+github.com/containerd/containerd v1.7.8/go.mod h1:L/Hn9qylJtUFT7cPeM0Sr3fATj+WjHwRQ0lyrYk3OPY=
+github.com/containerd/continuity v0.4.2 h1:v3y/4Yz5jwnvqPKJJ+7Wf93fyWoCB3F5EclWG023MDM=
+github.com/containerd/continuity v0.4.2/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
 github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY=
 github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o=
+github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
+github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o=
-github.com/containerd/ttrpc v1.2.1 h1:VWv/Rzx023TBLv4WQ+9WPXlBG/s3rsRjY3i9AJ2BJdE=
-github.com/containerd/ttrpc v1.2.1/go.mod h1:sIT6l32Ph/H9cvnJsfXM5drIVzTr5A2flTf1G5tYZak=
-github.com/containerd/typeurl/v2 v2.1.0 h1:yNAhJvbNEANt7ck48IlEGOxP7YAp6LLpGn5jZACDNIE=
-github.com/containerd/typeurl/v2 v2.1.0/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0=
+github.com/containerd/ttrpc v1.2.2 h1:9vqZr0pxwOF5koz6N0N3kJ0zDHokrcPxIR/ZR2YFtOs=
+github.com/containerd/ttrpc v1.2.2/go.mod h1:sIT6l32Ph/H9cvnJsfXM5drIVzTr5A2flTf1G5tYZak=
+github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4=
+github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
@@ -443,10 +445,10 @@ github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66D
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
 github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
 github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
-github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f h1:Pz0DHeFij3XFhoBRGUDPzSJ+w2UcK5/0JvF8DRI58r8=
-github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo=
-github.com/go-git/go-git/v5 v5.9.0 h1:cD9SFA7sHVRdJ7AYck1ZaAa/yeuBvGPxwXDL8cxrObY=
-github.com/go-git/go-git/v5 v5.9.0/go.mod h1:RKIqga24sWdMGZF+1Ekv9kylsDz6LzdTSI2s/OsZWE0=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
+github.com/go-git/go-git/v5 v5.10.0 h1:F0x3xXrAWmhwtzoCokU4IMPcBdncG+HAAqi9FcOOjbQ=
+github.com/go-git/go-git/v5 v5.10.0/go.mod h1:1FOZ/pQnqw24ghP2n7cunVl0ON55BsjPYvhWHvZGhoo=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -1197,8 +1199,8 @@ golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri
 golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A=
-golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8=
-golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
+golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8=
+golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1587,12 +1589,12 @@ google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqw
 google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
 google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
 google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
-google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc h1:8DyZCyvI8mE1IdLy/60bS+52xfymkE72wv1asokgtao=
-google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64=
-google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc h1:kVKPf/IiYSBWEWtkIn6wZXwWGCnLKcC8oWfZvXjsGnM=
-google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc h1:XSJ8Vk1SWuNr8S18z1NZSziL0CPIXLCCMDOEFtHBOFc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
+google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 h1:Z0hjGZePRE0ZBWotvtrwxFNrNE9CUAGtplaDK5NNI/g=
+google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98/go.mod h1:S7mY02OqCJTD0E1OiQy1F72PWFB4bZJ87cAtLPYgDR0=
+google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 h1:FmF5cCW94Ij59cfpoLiwTgodWmm60eEV0CjlsVg2fuw=
+google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 h1:bVf09lpb+OJbByTj913DRJioFFAjf/ZGxEz7MajTp2U=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -1629,8 +1631,8 @@ google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACu
 google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
 google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
 google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.56.3 h1:8I4C0Yq1EjstUzUJzpcRVbuYA2mODtEmpWiQoN/b2nc=
-google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
+google.golang.org/grpc v1.58.3 h1:BjnpXut1btbtgN/6sp+brB2Kbm2LjNXnidYujAVbSoQ=
+google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=

grype/pkg/package.go

@@ -203,24 +203,24 @@ func dataFromPkg(p pkg.Package) (MetadataType, interface{}, []UpstreamPackage) {
 	var upstreams []UpstreamPackage
 	var metadataType MetadataType
 
-	switch p.MetadataType {
-	case pkg.GolangBinMetadataType, pkg.GolangModMetadataType:
+	switch p.Metadata.(type) {
+	case pkg.GolangModuleEntry, pkg.GolangBinaryBuildinfoEntry:
 		metadataType, metadata = golangMetadataFromPkg(p)
-	case pkg.DpkgMetadataType:
+	case pkg.DpkgDBEntry:
 		upstreams = dpkgDataFromPkg(p)
-	case pkg.RpmMetadataType:
+	case pkg.RpmArchive, pkg.RpmDBEntry:
 		m, u := rpmDataFromPkg(p)
 		upstreams = u
 		if m != nil {
 			metadata = *m
 			metadataType = RpmMetadataType
 		}
-	case pkg.JavaMetadataType:
+	case pkg.JavaArchive:
 		if m := javaDataFromPkg(p); m != nil {
 			metadata = *m
 			metadataType = JavaMetadataType
 		}
-	case pkg.ApkMetadataType:
+	case pkg.ApkDBEntry:
 		upstreams = apkDataFromPkg(p)
 	}
 	return metadataType, metadata, upstreams
@@ -228,7 +228,7 @@ func dataFromPkg(p pkg.Package) (MetadataType, interface{}, []UpstreamPackage) {
 
 func golangMetadataFromPkg(p pkg.Package) (MetadataType, interface{}) {
 	switch value := p.Metadata.(type) {
-	case pkg.GolangBinMetadata:
+	case pkg.GolangBinaryBuildinfoEntry:
 		metadata := GolangBinMetadata{}
 		if value.BuildSettings != nil {
 			metadata.BuildSettings = value.BuildSettings
@@ -238,7 +238,7 @@ func golangMetadataFromPkg(p pkg.Package) (MetadataType, interface{}) {
 		metadata.H1Digest = value.H1Digest
 		metadata.MainModule = value.MainModule
 		return GolangBinMetadataType, metadata
-	case pkg.GolangModMetadata:
+	case pkg.GolangModuleEntry:
 		metadata := GolangModMetadata{}
 		metadata.H1Digest = value.H1Digest
 		return GolangModMetadataType, metadata
@@ -247,7 +247,7 @@ func golangMetadataFromPkg(p pkg.Package) (MetadataType, interface{}) {
 }
 
 func dpkgDataFromPkg(p pkg.Package) (upstreams []UpstreamPackage) {
-	if value, ok := p.Metadata.(pkg.DpkgMetadata); ok {
+	if value, ok := p.Metadata.(pkg.DpkgDBEntry); ok {
 		if value.Source != "" {
 			upstreams = append(upstreams, UpstreamPackage{
 				Name:    value.Source,
@@ -261,7 +261,8 @@ func dpkgDataFromPkg(p pkg.Package) (upstreams []UpstreamPackage) {
 }
 
 func rpmDataFromPkg(p pkg.Package) (metadata *RpmMetadata, upstreams []UpstreamPackage) {
-	if value, ok := p.Metadata.(pkg.RpmMetadata); ok {
+	switch value := p.Metadata.(type) {
+	case pkg.RpmDBEntry:
 		if value.SourceRpm != "" {
 			name, version := getNameAndELVersion(value.SourceRpm)
 			if name == "" && version == "" {
@@ -274,14 +275,31 @@ func rpmDataFromPkg(p pkg.Package) (metadata *RpmMetadata, upstreams []UpstreamP
 				})
 			}
 		}
-
 		metadata = &RpmMetadata{
 			Epoch:           value.Epoch,
 			ModularityLabel: value.ModularityLabel,
 		}
-	} else {
+	case pkg.RpmArchive:
+		if value.SourceRpm != "" {
+			name, version := getNameAndELVersion(value.SourceRpm)
+			if name == "" && version == "" {
+				log.Warnf("unable to extract name and version from SourceRPM=%q ", value.SourceRpm)
+			} else if name != p.Name {
+				// don't include matches if the source package name matches the current package name
+				upstreams = append(upstreams, UpstreamPackage{
+					Name:    name,
+					Version: version,
+				})
+			}
+		}
+		metadata = &RpmMetadata{
+			Epoch:           value.Epoch,
+			ModularityLabel: value.ModularityLabel,
+		}
+	default:
 		log.Warnf("unable to extract RPM metadata for %s", p)
 	}
+
 	return metadata, upstreams
 }
 
@@ -292,11 +310,11 @@ func getNameAndELVersion(sourceRpm string) (string, string) {
 }
 
 func javaDataFromPkg(p pkg.Package) (metadata *JavaMetadata) {
-	if value, ok := p.Metadata.(pkg.JavaMetadata); ok {
-		var artifact, group, name string
+	if value, ok := p.Metadata.(pkg.JavaArchive); ok {
+		var artifactID, groupID, name string
 		if value.PomProperties != nil {
-			artifact = value.PomProperties.ArtifactID
-			group = value.PomProperties.GroupID
+			artifactID = value.PomProperties.ArtifactID
+			groupID = value.PomProperties.GroupID
 		}
 		if value.Manifest != nil {
 			if n, ok := value.Manifest.Main["Name"]; ok {
@@ -316,8 +334,8 @@ func javaDataFromPkg(p pkg.Package) (metadata *JavaMetadata) {
 
 		metadata = &JavaMetadata{
 			VirtualPath:    value.VirtualPath,
-			PomArtifactID:  artifact,
-			PomGroupID:     group,
+			PomArtifactID:  artifactID,
+			PomGroupID:     groupID,
 			ManifestName:   name,
 			ArchiveDigests: archiveDigests,
 		}
@@ -328,7 +346,7 @@ func javaDataFromPkg(p pkg.Package) (metadata *JavaMetadata) {
 }
 
 func apkDataFromPkg(p pkg.Package) (upstreams []UpstreamPackage) {
-	if value, ok := p.Metadata.(pkg.ApkMetadata); ok {
+	if value, ok := p.Metadata.(pkg.ApkDBEntry); ok {
 		if value.OriginPackage != "" {
 			upstreams = append(upstreams, UpstreamPackage{
 				Name: value.OriginPackage,

grype/pkg/package_test.go

@@ -5,8 +5,6 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/scylladb/go-set"
-	"github.com/scylladb/go-set/strset"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/anchore/syft/syft/artifact"
@@ -18,7 +16,7 @@ import (
 	"github.com/anchore/syft/syft/sbom"
 )
 
-func TestNew(t *testing.T) {
+func TestNew_UpstreamFromMetadata(t *testing.T) {
 	tests := []struct {
 		name      string
 		syftPkg   syftPkg.Package
@@ -28,8 +26,7 @@ func TestNew(t *testing.T) {
 		{
 			name: "alpm package with source info",
 			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.AlpmMetadataType,
-				Metadata: syftPkg.AlpmMetadata{
+				Metadata: syftPkg.AlpmDBEntry{
 					BasePackage:  "base-pkg-info",
 					Package:      "pkg-info",
 					Version:      "version-info",
@@ -43,8 +40,7 @@ func TestNew(t *testing.T) {
 		{
 			name: "dpkg with source info",
 			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.DpkgMetadataType,
-				Metadata: syftPkg.DpkgMetadata{
+				Metadata: syftPkg.DpkgDBEntry{
 					Package:       "pkg-info",
 					Source:        "src-info",
 					Version:       "version-info",
@@ -72,10 +68,9 @@ func TestNew(t *testing.T) {
 			},
 		},
 		{
-			name: "rpm with source info",
+			name: "rpm archive with source info",
 			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.RpmMetadataType,
-				Metadata: syftPkg.RpmMetadata{
+				Metadata: syftPkg.RpmArchive{
 					Name:      "name-info",
 					Version:   "version-info",
 					Epoch:     intRef(30),
@@ -84,7 +79,7 @@ func TestNew(t *testing.T) {
 					SourceRpm: "sqlite-3.26.0-6.el8.src.rpm",
 					Size:      40,
 					Vendor:    "vendor-info",
-					Files: []syftPkg.RpmdbFileRecord{
+					Files: []syftPkg.RpmFileRecord{
 						{
 							Path: "path-info",
 							Mode: 20,
@@ -111,22 +106,58 @@ func TestNew(t *testing.T) {
 			},
 		},
 		{
-			name: "rpm with source info that matches the package info",
+			name: "rpm db entry with source info",
 			syftPkg: syftPkg.Package{
-				Name:         "sqlite",
-				MetadataType: syftPkg.RpmMetadataType,
-				Metadata: syftPkg.RpmMetadata{
+				Metadata: syftPkg.RpmDBEntry{
+					Name:      "name-info",
+					Version:   "version-info",
+					Epoch:     intRef(30),
+					Arch:      "arch-info",
+					Release:   "release-info",
+					SourceRpm: "sqlite-3.26.0-6.el8.src.rpm",
+					Size:      40,
+					Vendor:    "vendor-info",
+					Files: []syftPkg.RpmFileRecord{
+						{
+							Path: "path-info",
+							Mode: 20,
+							Size: 10,
+							Digest: file.Digest{
+								Algorithm: "algo-info",
+								Value:     "digest-info",
+							},
+							UserName:  "user-info",
+							GroupName: "group-info",
+							Flags:     "flag-info",
+						},
+					},
+				},
+			},
+			metadata: RpmMetadata{
+				Epoch: intRef(30),
+			},
+			upstreams: []UpstreamPackage{
+				{
+					Name:    "sqlite",
+					Version: "3.26.0-6.el8",
+				},
+			},
+		},
+		{
+			name: "rpm archove with source info that matches the package info",
+			syftPkg: syftPkg.Package{
+				Name: "sqlite",
+				Metadata: syftPkg.RpmArchive{
 					SourceRpm: "sqlite-3.26.0-6.el8.src.rpm",
 				},
 			},
 			metadata: RpmMetadata{},
 		},
 		{
-			name: "rpm with modularity label",
+			name: "rpm archive with modularity label",
 			syftPkg: syftPkg.Package{
-				Name:         "sqlite",
-				MetadataType: syftPkg.RpmMetadataType,
-				Metadata: syftPkg.RpmMetadata{
+				Name: "sqlite",
+				Metadata: syftPkg.RpmArchive{
 					SourceRpm:       "sqlite-3.26.0-6.el8.src.rpm",
 					ModularityLabel: "abc:2",
 				},
@@ -136,8 +167,7 @@ func TestNew(t *testing.T) {
 		{
 			name: "java pkg",
 			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.JavaMetadataType,
-				Metadata: syftPkg.JavaMetadata{
+				Metadata: syftPkg.JavaArchive{
 					VirtualPath: "virtual-path-info",
 					Manifest: &syftPkg.JavaManifest{
 						Main: map[string]string{
@@ -149,7 +179,7 @@ func TestNew(t *testing.T) {
 							},
 						},
 					},
-					PomProperties: &syftPkg.PomProperties{
+					PomProperties: &syftPkg.JavaPomProperties{
 						Path:       "pom-path-info",
 						Name:       "pom-name-info",
 						GroupID:    "pom-group-ID-info",
@@ -179,8 +209,7 @@ func TestNew(t *testing.T) {
 		{
 			name: "apk with source info",
 			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.ApkMetadataType,
-				Metadata: syftPkg.ApkMetadata{
+				Metadata: syftPkg.ApkDBEntry{
 					Package:       "libcurl-tools",
 					OriginPackage: "libcurl",
 					Maintainer:    "somone",
@@ -198,375 +227,14 @@ func TestNew(t *testing.T) {
 				},
 			},
 		},
-		// the below packages are those that have no metadata or upstream info to parse out
-		{
-			name: "npm-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.NpmPackageJSONMetadataType,
-				Metadata: syftPkg.NpmPackageJSONMetadata{
-					Author:      "a",
-					Homepage:    "a",
-					Description: "a",
-					URL:         "a",
-				},
-			},
-		},
-		{
-			name: "python-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.PythonPackageMetadataType,
-				Metadata: syftPkg.PythonPackageMetadata{
-					Name:                 "a",
-					Version:              "a",
-					Author:               "a",
-					AuthorEmail:          "a",
-					Platform:             "a",
-					SitePackagesRootPath: "a",
-				},
-			},
-		},
-		{
-			name: "gem-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.GemMetadataType,
-				Metadata: syftPkg.GemMetadata{
-					Name:     "a",
-					Version:  "a",
-					Homepage: "a",
-				},
-			},
-		},
-		{
-			name: "kb-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.KbPackageMetadataType,
-				Metadata: syftPkg.KbPackageMetadata{
-					ProductID: "a",
-					Kb:        "a",
-				},
-			},
-		},
-		{
-			name: "rust-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.RustCargoPackageMetadataType,
-				Metadata: syftPkg.CargoPackageMetadata{
-					Name:     "a",
-					Version:  "a",
-					Source:   "a",
-					Checksum: "a",
-				},
-			},
-		},
-		{
-			name: "golang-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.GolangBinMetadataType,
-				Metadata: syftPkg.GolangBinMetadata{
-					BuildSettings:     map[string]string{},
-					GoCompiledVersion: "1.0.0",
-					H1Digest:          "a",
-					MainModule:        "myMainModule",
-				},
-			},
-			metadata: GolangBinMetadata{
-				BuildSettings:     map[string]string{},
-				GoCompiledVersion: "1.0.0",
-				H1Digest:          "a",
-				MainModule:        "myMainModule",
-			},
-		},
-		{
-			name: "golang-mod-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.GolangModMetadataType,
-				Metadata: syftPkg.GolangModMetadata{
-					H1Digest: "h1:as234NweNNTNWEtt13nwNENTt",
-				},
-			},
-			metadata: GolangModMetadata{
-				H1Digest: "h1:as234NweNNTNWEtt13nwNENTt",
-			},
-		},
-		{
-			name: "php-composer-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.PhpComposerJSONMetadataType,
-				Metadata: syftPkg.PhpComposerJSONMetadata{
-					Name:    "a",
-					Version: "a",
-				},
-			},
-		},
-		{
-			name: "dart-pub-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.DartPubMetadataType,
-				Metadata: syftPkg.DartPubMetadata{
-					Name:    "a",
-					Version: "a",
-				},
-			},
-		},
-		{
-			name: "dotnet-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.DotnetDepsMetadataType,
-				Metadata: syftPkg.DotnetDepsMetadata{
-					Name:     "a",
-					Version:  "a",
-					Path:     "a",
-					Sha512:   "a",
-					HashPath: "a",
-				},
-			},
-		},
-		{
-			name: "cpp conan-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.ConanMetadataType,
-				Metadata: syftPkg.ConanMetadata{
-					Ref: "catch2/2.13.8",
-				},
-			},
-		},
-		{
-			name: "cpp conan lock metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.ConanLockMetadataType,
-				Metadata: syftPkg.ConanLockMetadata{
-					Ref: "zlib/1.2.12",
-					Options: map[string]string{
-						"fPIC":   "True",
-						"shared": "False",
-					},
-					Path:    "all/conanfile.py",
-					Context: "host",
-				},
-			},
-		},
-		{
-			name: "cocoapods cocoapods-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.CocoapodsMetadataType,
-				Metadata: syftPkg.CocoapodsMetadata{
-					Checksum: "123eere234",
-				},
-			},
-		},
-		{
-			name: "portage-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.PortageMetadataType,
-				Metadata: syftPkg.PortageMetadata{
-					InstalledSize: 1,
-					Files:         []syftPkg.PortageFileRecord{},
-				},
-			},
-		},
-		{
-			name: "hackage-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.HackageMetadataType,
-				Metadata: syftPkg.HackageMetadata{
-					Name:    "hackage",
-					Version: "v0.0.1",
-				},
-			},
-		},
-		{
-			name: "rebar-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.RebarLockMetadataType,
-				Metadata: syftPkg.RebarLockMetadata{
-					Name:    "rebar",
-					Version: "v0.1.1",
-				},
-			},
-		},
-		{
-			name: "npm-package-lock-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.NpmPackageLockJSONMetadataType,
-				Metadata: syftPkg.NpmPackageLockJSONMetadata{
-					Resolved:  "resolved",
-					Integrity: "sha1:ab7d8979989b7a98d97",
-				},
-			},
-		},
-		{
-			name: "mix-lock-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.MixLockMetadataType,
-				Metadata: syftPkg.MixLockMetadata{
-					Name:    "mix-lock",
-					Version: "v0.1.2",
-				},
-			},
-		},
-		{
-			name: "pipfile-lock-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.PythonPipfileLockMetadataType,
-				Metadata: syftPkg.PythonPipfileLockMetadata{
-					Hashes: []string{
-						"sha1:ab8v88a8b88d8d8c88b8s765s47",
-					},
-					Index: "1",
-				},
-			},
-		},
-		{
-			name: "python-requirements-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.PythonRequirementsMetadataType,
-				Metadata: syftPkg.PythonRequirementsMetadata{
-					Name:              "a",
-					Extras:            []string{"a"},
-					VersionConstraint: "a",
-					URL:               "a",
-					Markers:           "a",
-				},
-			},
-		},
-		{
-			name: "binary-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.BinaryMetadataType,
-				Metadata: syftPkg.BinaryMetadata{
-					Matches: []syftPkg.ClassifierMatch{
-						{
-							Classifier: "node",
-						},
-					},
-				},
-			},
-		},
-		{
-			name: "nix-store-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.NixStoreMetadataType,
-				Metadata: syftPkg.NixStoreMetadata{
-					OutputHash: "a",
-					Output:     "a",
-					Files: []string{
-						"a",
-					},
-				},
-			},
-		},
-		{
-			name: "linux-kernel-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.LinuxKernelMetadataType,
-				Metadata: syftPkg.LinuxKernelMetadata{
-					Name:            "a",
-					Architecture:    "a",
-					Version:         "a",
-					ExtendedVersion: "a",
-					BuildTime:       "a",
-					Author:          "a",
-					Format:          "a",
-					RWRootFS:        true,
-					SwapDevice:      10,
-					RootDevice:      11,
-					VideoMode:       "a",
-				},
-			},
-		},
-		{
-			name: "linux-kernel-module-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.LinuxKernelModuleMetadataType,
-				Metadata: syftPkg.LinuxKernelModuleMetadata{
-					Name:          "a",
-					Version:       "a",
-					SourceVersion: "a",
-					Path:          "a",
-					Description:   "a",
-					Author:        "a",
-					License:       "a",
-					KernelVersion: "a",
-					VersionMagic:  "a",
-					Parameters: map[string]syftPkg.LinuxKernelModuleParameter{
-						"a": {
-							Type:        "a",
-							Description: "a",
-						},
-					},
-				},
-			},
-		},
-		{
-			name: "r-description-file-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.RDescriptionFileMetadataType,
-				Metadata: syftPkg.RDescriptionFileMetadata{
-					Title:            "a",
-					Description:      "a",
-					Author:           "a",
-					Maintainer:       "a",
-					URL:              []string{"a"},
-					Repository:       "a",
-					Built:            "a",
-					NeedsCompilation: true,
-					Imports:          []string{"a"},
-					Depends:          []string{"a"},
-					Suggests:         []string{"a"},
-				},
-			},
-		},
-		{
-			name: "dotnet-portable-executable-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.DotnetPortableExecutableMetadataType,
-				Metadata: syftPkg.DotnetPortableExecutableMetadata{
-					AssemblyVersion: "a",
-					LegalCopyright:  "a",
-					Comments:        "a",
-					InternalName:    "a",
-					CompanyName:     "a",
-					ProductName:     "a",
-					ProductVersion:  "a",
-				},
-			},
-		},
-		{
-			name: "dotnet-portable-executable-metadata",
-			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.SwiftPackageManagerMetadataType,
-				Metadata: syftPkg.SwiftPackageManagerMetadata{
-					Revision: "a",
-				},
-			},
-		},
 	}
 
-	// capture each observed metadata type, we should see all of them relate to what syft provides by the end of testing
-	expectedMetadataTypes := set.NewStringSet()
-	for _, ty := range syftPkg.AllMetadataTypes {
-		expectedMetadataTypes.Add(string(ty))
-	}
-
-	// run all of our cases
-	observedMetadataTypes := set.NewStringSet()
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			if string(test.syftPkg.MetadataType) != "" {
-				observedMetadataTypes.Add(string(test.syftPkg.MetadataType))
-			}
 			assert.Equal(t, test.metadata, New(test.syftPkg).Metadata, "unexpected metadata")
 			assert.Equal(t, test.upstreams, New(test.syftPkg).Upstreams, "unexpected upstream")
 		})
 	}
-
-	// did we see all possible metadata types? if not, then there is an uncovered case and this test should error out
-	if !expectedMetadataTypes.IsEqual(observedMetadataTypes) {
-		t.Errorf("did not observe all possible package metadata types: missing: %+v extra: %+v",
-			strset.Difference(expectedMetadataTypes, observedMetadataTypes),
-			strset.Difference(observedMetadataTypes, expectedMetadataTypes),
-		)
-	}
 }
 
 func TestFromCollection_DoesNotPanic(t *testing.T) {

grype/pkg/syft_sbom_provider.go

@@ -12,7 +12,7 @@ import (
 
 	"github.com/anchore/grype/internal"
 	"github.com/anchore/grype/internal/log"
-	"github.com/anchore/syft/syft"
+	"github.com/anchore/syft/syft/format"
 	"github.com/anchore/syft/syft/sbom"
 )
 
@@ -56,19 +56,19 @@ func getSBOM(userInput string) (*sbom.SBOM, error) {
 		return nil, err
 	}
 
-	s, format, err := syft.Decode(reader)
+	s, fmtID, _, err := format.Decode(reader)
 	if err != nil {
 		return nil, fmt.Errorf("unable to decode sbom: %w", err)
 	}
 
-	if format == nil {
+	if fmtID == "" || s == nil {
 		return nil, errDoesNotProvide
 	}
 
 	return s, nil
 }
 
-func getSBOMReader(userInput string) (r io.Reader, err error) {
+func getSBOMReader(userInput string) (r io.ReadSeeker, err error) {
 	r, _, err = extractReaderAndInfo(userInput)
 	if err != nil {
 		return nil, err
@@ -77,7 +77,7 @@ func getSBOMReader(userInput string) (r io.Reader, err error) {
 	return r, nil
 }
 
-func extractReaderAndInfo(userInput string) (io.Reader, *inputInfo, error) {
+func extractReaderAndInfo(userInput string) (io.ReadSeeker, *inputInfo, error) {
 	switch {
 	// the order of cases matter
 	case userInput == "":
@@ -97,7 +97,7 @@ func extractReaderAndInfo(userInput string) (io.Reader, *inputInfo, error) {
 	}
 }
 
-func parseSBOM(scheme, path string) (io.Reader, *inputInfo, error) {
+func parseSBOM(scheme, path string) (io.ReadSeeker, *inputInfo, error) {
 	r, err := openFile(path)
 	if err != nil {
 		return nil, nil, err
@@ -106,7 +106,7 @@ func parseSBOM(scheme, path string) (io.Reader, *inputInfo, error) {
 	return r, info, nil
 }
 
-func decodeStdin(r io.Reader) (io.Reader, *inputInfo, error) {
+func decodeStdin(r io.Reader) (io.ReadSeeker, *inputInfo, error) {
 	b, err := io.ReadAll(r)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed reading stdin: %w", err)

grype/presenter/cyclonedx/presenter.go

@@ -10,7 +10,7 @@ import (
 	"github.com/anchore/grype/grype/pkg"
 	"github.com/anchore/grype/grype/presenter/models"
 	"github.com/anchore/grype/grype/vulnerability"
-	"github.com/anchore/syft/syft/formats/common/cyclonedxhelpers"
+	"github.com/anchore/syft/syft/format/common/cyclonedxhelpers"
 	"github.com/anchore/syft/syft/sbom"
 	"github.com/anchore/syft/syft/source"
 )

grype/presenter/cyclonedx/presenter_test.go

@@ -18,8 +18,7 @@ var update = flag.Bool("update", false, "update the *.golden files for cyclonedx
 func TestCycloneDxPresenterImage(t *testing.T) {
 	var buffer bytes.Buffer
 
-	matches, packages, context, metadataProvider, _, _ := internal.GenerateAnalysis(t, internal.ImageSource)
-	sbom := internal.SBOMFromPackages(t, packages)
+	sbom, matches, packages, context, metadataProvider, _, _ := internal.GenerateAnalysis(t, internal.ImageSource)
 	pb := models.PresenterConfig{
 		ID: clio.Identification{
 			Name:    "grype",
@@ -55,8 +54,7 @@ func TestCycloneDxPresenterImage(t *testing.T) {
 
 func TestCycloneDxPresenterDir(t *testing.T) {
 	var buffer bytes.Buffer
-	matches, packages, ctx, metadataProvider, _, _ := internal.GenerateAnalysis(t, internal.DirectorySource)
-	sbom := internal.SBOMFromPackages(t, packages)
+	sbom, matches, packages, ctx, metadataProvider, _, _ := internal.GenerateAnalysis(t, internal.DirectorySource)
 	pb := models.PresenterConfig{
 		ID: clio.Identification{
 			Name:    "grype",

grype/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxPresenterDir.golden

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:7c707a9a-b23c-45d0-b2e2-229679702a8a",
+  "serialNumber": "urn:uuid:3df5094c-0ff3-4ea7-8a41-cefb6ddfb21c",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-09-20T15:03:10-04:00",
+    "timestamp": "2023-11-02T14:44:49-04:00",
     "tools": [
       {
         "vendor": "anchore",
@@ -16,7 +16,7 @@
   },
   "components": [
     {
-      "bom-ref": "76bd1479d016ce8f",
+      "bom-ref": "848a0f3b0d2402eb",
       "type": "library",
       "name": "package-1",
       "version": "1.1.1",
@@ -26,17 +26,45 @@
           "name": "syft:package:type",
           "value": "rpm"
         },
+        {
+          "name": "syft:package:metadataType",
+          "value": "rpm-db-entry"
+        },
         {
           "name": "syft:location:0:path",
           "value": "/foo/bar/somefile-1.txt"
+        },
+        {
+          "name": "syft:metadata:epoch",
+          "value": "2"
+        },
+        {
+          "name": "syft:metadata:size",
+          "value": "0"
+        },
+        {
+          "name": "syft:metadata:sourceRpm",
+          "value": "some-source-rpm"
         }
       ]
     },
     {
-      "bom-ref": "3199ef19b28ce437",
+      "bom-ref": "7bb53d560434bc7f",
       "type": "library",
       "name": "package-2",
       "version": "2.2.2",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        },
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
       "cpe": "cpe:2.3:a:anchore:engine:2.2.2:*:*:python:*:*:*:*",
       "properties": [
         {
@@ -52,7 +80,7 @@
   ],
   "vulnerabilities": [
     {
-      "bom-ref": "urn:uuid:bdc7d6ad-3d59-4b99-b146-075b10aa8729",
+      "bom-ref": "urn:uuid:504f525b-a290-4e00-9b99-19e210d1d2f4",
       "id": "CVE-1999-0001",
       "source": {},
       "references": [
@@ -73,12 +101,12 @@
       "advisories": [],
       "affects": [
         {
-          "ref": "96699b00fe3004b4"
+          "ref": "848a0f3b0d2402eb"
         }
       ]
     },
     {
-      "bom-ref": "urn:uuid:90d84886-5bb3-4337-9f40-c4a81e566807",
+      "bom-ref": "urn:uuid:6d3b670e-31ec-408d-b292-4b9d43865b23",
       "id": "CVE-1999-0002",
       "source": {},
       "references": [
@@ -99,7 +127,7 @@
       "advisories": [],
       "affects": [
         {
-          "ref": "b4013a965511376c"
+          "ref": "7bb53d560434bc7f"
         }
       ]
     }

grype/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxPresenterImage.golden

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:c0486275-53fa-4ae3-81c3-71558e96fe56",
+  "serialNumber": "urn:uuid:f1cda9f6-9503-4b05-9c5e-0deda126b7a8",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-09-20T15:03:10-04:00",
+    "timestamp": "2023-11-02T14:45:04-04:00",
     "tools": [
       {
         "vendor": "anchore",
@@ -16,7 +16,7 @@
   },
   "components": [
     {
-      "bom-ref": "76bd1479d016ce8f",
+      "bom-ref": "848a0f3b0d2402eb",
       "type": "library",
       "name": "package-1",
       "version": "1.1.1",
@@ -26,17 +26,45 @@
           "name": "syft:package:type",
           "value": "rpm"
         },
+        {
+          "name": "syft:package:metadataType",
+          "value": "rpm-db-entry"
+        },
         {
           "name": "syft:location:0:path",
           "value": "/foo/bar/somefile-1.txt"
+        },
+        {
+          "name": "syft:metadata:epoch",
+          "value": "2"
+        },
+        {
+          "name": "syft:metadata:size",
+          "value": "0"
+        },
+        {
+          "name": "syft:metadata:sourceRpm",
+          "value": "some-source-rpm"
         }
       ]
     },
     {
-      "bom-ref": "3199ef19b28ce437",
+      "bom-ref": "7bb53d560434bc7f",
       "type": "library",
       "name": "package-2",
       "version": "2.2.2",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        },
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
       "cpe": "cpe:2.3:a:anchore:engine:2.2.2:*:*:python:*:*:*:*",
       "properties": [
         {
@@ -52,7 +80,7 @@
   ],
   "vulnerabilities": [
     {
-      "bom-ref": "urn:uuid:847eae89-a879-450e-9405-e3827f38c4e8",
+      "bom-ref": "urn:uuid:0978a6cb-2cf3-43ac-890f-1f06ecf1e500",
       "id": "CVE-1999-0001",
       "source": {},
       "references": [
@@ -73,12 +101,12 @@
       "advisories": [],
       "affects": [
         {
-          "ref": "96699b00fe3004b4"
+          "ref": "848a0f3b0d2402eb"
         }
       ]
     },
     {
-      "bom-ref": "urn:uuid:de9a3c25-e55c-4357-8d0f-b12d31756c30",
+      "bom-ref": "urn:uuid:2681372d-d137-45d8-8686-fea28663a0d9",
       "id": "CVE-1999-0002",
       "source": {},
       "references": [
@@ -99,7 +127,7 @@
       "advisories": [],
       "affects": [
         {
-          "ref": "b4013a965511376c"
+          "ref": "7bb53d560434bc7f"
         }
       ]
     }

grype/presenter/internal/test_helpers.go

@@ -4,8 +4,6 @@ import (
 	"regexp"
 	"testing"
 
-	"github.com/stretchr/testify/require"
-
 	grypeDb "github.com/anchore/grype/grype/db/v5"
 	"github.com/anchore/grype/grype/match"
 	"github.com/anchore/grype/grype/pkg"
@@ -13,7 +11,6 @@ import (
 	"github.com/anchore/grype/grype/vex"
 	"github.com/anchore/grype/grype/vulnerability"
 	"github.com/anchore/stereoscope/pkg/image"
-	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/cpe"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/linux"
@@ -30,52 +27,39 @@ const (
 
 type SyftSource string
 
-func GenerateAnalysis(t *testing.T, scheme SyftSource) (match.Matches, []pkg.Package, pkg.Context, vulnerability.MetadataProvider, interface{}, interface{}) {
+func GenerateAnalysis(t *testing.T, scheme SyftSource) (*sbom.SBOM, match.Matches, []pkg.Package, pkg.Context, vulnerability.MetadataProvider, interface{}, interface{}) {
 	t.Helper()
 
-	packages := generatePackages(t)
-	matches := generateMatches(t, packages[0], packages[1])
+	s := &sbom.SBOM{
+		Artifacts: sbom.Artifacts{
+			Packages: syftPkg.NewCollection(generatePackages(t)...),
+		},
+	}
+
+	grypePackages := pkg.FromCollection(s.Artifacts.Packages, pkg.SynthesisConfig{})
+
+	matches := generateMatches(t, grypePackages[0], grypePackages[1])
 	context := generateContext(t, scheme)
 
-	return matches, packages, context, models.NewMetadataMock(), nil, nil
+	return s, matches, grypePackages, context, models.NewMetadataMock(), nil, nil
 }
 
 func GenerateAnalysisWithIgnoredMatches(t *testing.T, scheme SyftSource) (match.Matches, []match.IgnoredMatch, []pkg.Package, pkg.Context, vulnerability.MetadataProvider, interface{}, interface{}) {
 	t.Helper()
 
-	packages := generatePackages(t)
-	matches := generateMatches(t, packages[0], packages[0])
-	ignoredMatches := generateIgnoredMatches(t, packages[1])
-	context := generateContext(t, scheme)
-
-	return matches, ignoredMatches, packages, context, models.NewMetadataMock(), nil, nil
-}
-
-func SBOMFromPackages(t *testing.T, packages []pkg.Package) *sbom.SBOM {
-	t.Helper()
-
-	sbom := &sbom.SBOM{
+	s := &sbom.SBOM{
 		Artifacts: sbom.Artifacts{
-			Packages: syftPkg.NewCollection(),
+			Packages: syftPkg.NewCollection(generatePackages(t)...),
 		},
 	}
 
-	for _, p := range packages {
-		sbom.Artifacts.Packages.Add(toSyftPkg(p))
-	}
+	grypePackages := pkg.FromCollection(s.Artifacts.Packages, pkg.SynthesisConfig{})
 
-	return sbom
-}
+	matches := generateMatches(t, grypePackages[0], grypePackages[1])
+	ignoredMatches := generateIgnoredMatches(t, grypePackages[1])
+	context := generateContext(t, scheme)
 
-func toSyftPkg(p pkg.Package) syftPkg.Package {
-	return syftPkg.Package{
-		Name:      p.Name,
-		Version:   p.Version,
-		Type:      p.Type,
-		Metadata:  p.Metadata,
-		Locations: p.Locations,
-		CPEs:      p.CPEs,
-	}
+	return matches, ignoredMatches, grypePackages, context, models.NewMetadataMock(), nil, nil
 }
 
 func Redact(s []byte) []byte {
@@ -91,7 +75,7 @@ func Redact(s []byte) []byte {
 	return s
 }
 
-func generateMatches(t *testing.T, p, p2 pkg.Package) match.Matches {
+func generateMatches(t *testing.T, p1, p2 pkg.Package) match.Matches {
 	t.Helper()
 
 	matches := []match.Match{
@@ -105,7 +89,7 @@ func generateMatches(t *testing.T, p, p2 pkg.Package) match.Matches {
 					State:    grypeDb.FixedState,
 				},
 			},
-			Package: p,
+			Package: p1,
 			Details: []match.Detail{
 				{
 					Type:    match.ExactDirectMatch,
@@ -234,11 +218,11 @@ func generateIgnoredMatches(t *testing.T, p pkg.Package) []match.IgnoredMatch {
 	}
 }
 
-func generatePackages(t *testing.T) []pkg.Package {
+func generatePackages(t *testing.T) []syftPkg.Package {
 	t.Helper()
 	epoch := 2
 
-	pkgs := []pkg.Package{
+	pkgs := []syftPkg.Package{
 		{
 			Name:      "package-1",
 			Version:   "1.1.1",
@@ -253,15 +237,9 @@ func generatePackages(t *testing.T) []pkg.Package {
 					Language: "python",
 				},
 			},
-			Upstreams: []pkg.UpstreamPackage{
-				{
-					Name:    "nothing",
-					Version: "3.2",
-				},
-			},
-			MetadataType: pkg.RpmMetadataType,
-			Metadata: pkg.RpmMetadata{
-				Epoch: &epoch,
+			Metadata: syftPkg.RpmDBEntry{
+				Epoch:     &epoch,
+				SourceRpm: "some-source-rpm",
 			},
 		},
 		{
@@ -278,21 +256,19 @@ func generatePackages(t *testing.T) []pkg.Package {
 					Language: "python",
 				},
 			},
-			Licenses: []string{"MIT", "Apache-2.0"},
+			Licenses: syftPkg.NewLicenseSet(
+				syftPkg.NewLicense("MIT"),
+				syftPkg.NewLicense("Apache-2.0"),
+			),
 		},
 	}
 
-	updatedPkgs := make([]pkg.Package, 0, len(pkgs))
-
-	for _, p := range pkgs {
-		id, err := artifact.IDByHash(p)
-		require.NoError(t, err)
-
-		p.ID = pkg.ID(id)
-		updatedPkgs = append(updatedPkgs, p)
+	for i := range pkgs {
+		p := pkgs[i]
+		p.SetID()
 	}
 
-	return updatedPkgs
+	return pkgs
 }
 
 //nolint:funlen

grype/presenter/json/presenter_test.go

@@ -24,7 +24,7 @@ var timestampRegexp = regexp.MustCompile(`"timestamp":\s*"[^"]+"`)
 
 func TestJsonImgsPresenter(t *testing.T) {
 	var buffer bytes.Buffer
-	matches, packages, context, metadataProvider, _, _ := internal.GenerateAnalysis(t, internal.ImageSource)
+	_, matches, packages, context, metadataProvider, _, _ := internal.GenerateAnalysis(t, internal.ImageSource)
 
 	pb := models.PresenterConfig{
 		ID: clio.Identification{
@@ -61,7 +61,7 @@ func TestJsonImgsPresenter(t *testing.T) {
 func TestJsonDirsPresenter(t *testing.T) {
 	var buffer bytes.Buffer
 
-	matches, packages, context, metadataProvider, _, _ := internal.GenerateAnalysis(t, internal.DirectorySource)
+	_, matches, packages, context, metadataProvider, _, _ := internal.GenerateAnalysis(t, internal.DirectorySource)
 
 	pb := models.PresenterConfig{
 		ID: clio.Identification{
@@ -141,7 +141,7 @@ func TestEmptyJsonPresenter(t *testing.T) {
 }
 
 func TestPresenter_Present_NewDocumentSorted(t *testing.T) {
-	matches, packages, context, metadataProvider, appConfig, dbStatus := internal.GenerateAnalysis(t, internal.ImageSource)
+	_, matches, packages, context, metadataProvider, appConfig, dbStatus := internal.GenerateAnalysis(t, internal.ImageSource)
 	doc, err := models.NewDocument(clio.Identification{}, packages, context, matches, nil, metadataProvider, appConfig, dbStatus)
 	if err != nil {
 		t.Fatal(err)

grype/presenter/json/test-fixtures/snapshot/TestJsonDirsPresenter.golden

@@ -42,7 +42,7 @@
     }
    ],
    "artifact": {
-    "id": "96699b00fe3004b4",
+    "id": "848a0f3b0d2402eb",
     "name": "package-1",
     "version": "1.1.1",
     "type": "rpm",
@@ -59,8 +59,8 @@
     "purl": "",
     "upstreams": [
      {
-      "name": "nothing",
-      "version": "3.2"
+      "name": "",
+      "version": "-"
      }
     ],
     "metadataType": "RpmMetadata",
@@ -112,7 +112,7 @@
     }
    ],
    "artifact": {
-    "id": "b4013a965511376c",
+    "id": "7bb53d560434bc7f",
     "name": "package-2",
     "version": "2.2.2",
     "type": "deb",
@@ -123,8 +123,8 @@
     ],
     "language": "",
     "licenses": [
-     "MIT",
-     "Apache-2.0"
+     "Apache-2.0",
+     "MIT"
     ],
     "cpes": [
      "cpe:2.3:a:anchore:engine:2.2.2:*:*:python:*:*:*:*"

grype/presenter/json/test-fixtures/snapshot/TestJsonImgsPresenter.golden

@@ -42,7 +42,7 @@
     }
    ],
    "artifact": {
-    "id": "96699b00fe3004b4",
+    "id": "848a0f3b0d2402eb",
     "name": "package-1",
     "version": "1.1.1",
     "type": "rpm",
@@ -59,8 +59,8 @@
     "purl": "",
     "upstreams": [
      {
-      "name": "nothing",
-      "version": "3.2"
+      "name": "",
+      "version": "-"
      }
     ],
     "metadataType": "RpmMetadata",
@@ -112,7 +112,7 @@
     }
    ],
    "artifact": {
-    "id": "b4013a965511376c",
+    "id": "7bb53d560434bc7f",
     "name": "package-2",
     "version": "2.2.2",
     "type": "deb",
@@ -123,8 +123,8 @@
     ],
     "language": "",
     "licenses": [
-     "MIT",
-     "Apache-2.0"
+     "Apache-2.0",
+     "MIT"
     ],
     "cpes": [
      "cpe:2.3:a:anchore:engine:2.2.2:*:*:python:*:*:*:*"

grype/presenter/sarif/presenter_test.go

@@ -39,7 +39,7 @@ func TestSarifPresenter(t *testing.T) {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			var buffer bytes.Buffer
-			matches, packages, context, metadataProvider, _, _ := internal.GenerateAnalysis(t, tc.scheme)
+			_, matches, packages, context, metadataProvider, _, _ := internal.GenerateAnalysis(t, tc.scheme)
 
 			pb := models.PresenterConfig{
 				ID: clio.Identification{
@@ -187,7 +187,7 @@ func Test_locationPath(t *testing.T) {
 }
 
 func createDirPresenter(t *testing.T) *Presenter {
-	matches, packages, _, metadataProvider, _, _ := internal.GenerateAnalysis(t, internal.DirectorySource)
+	_, matches, packages, _, metadataProvider, _, _ := internal.GenerateAnalysis(t, internal.DirectorySource)
 	d := t.TempDir()
 	s, err := source.NewFromDirectory(source.DirectoryConfig{Path: d})
 	if err != nil {
@@ -238,7 +238,7 @@ func TestToSarifReport(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 
-			matches, packages, context, metadataProvider, _, _ := internal.GenerateAnalysis(t, tc.scheme)
+			_, matches, packages, context, metadataProvider, _, _ := internal.GenerateAnalysis(t, tc.scheme)
 
 			pb := models.PresenterConfig{
 				Matches:          matches,

grype/presenter/table/__snapshots__/presenter_test.snap

@@ -23,15 +23,15 @@ No vulnerabilities found
 
 [TestHidesIgnoredMatches - 1]
 NAME       INSTALLED  FIXED-IN          TYPE  VULNERABILITY  SEVERITY 
-package-1  1.1.1                        rpm   CVE-1999-0002  Critical  
 package-1  1.1.1      the-next-version  rpm   CVE-1999-0001  Low       
+package-2  2.2.2                        deb   CVE-1999-0002  Critical  
 
 ---
 
 [TestDisplaysIgnoredMatches - 1]
 NAME       INSTALLED  FIXED-IN          TYPE  VULNERABILITY  SEVERITY                     
-package-1  1.1.1                        rpm   CVE-1999-0002  Critical                      
 package-1  1.1.1      the-next-version  rpm   CVE-1999-0001  Low                           
+package-2  2.2.2                        deb   CVE-1999-0002  Critical                      
 package-2  2.2.2                        deb   CVE-1999-0004  Critical (suppressed by VEX)  
 package-2  2.2.2                        deb   CVE-1999-0002  Critical (suppressed)         
 package-2  2.2.2                        deb   CVE-1999-0001  Low (suppressed)              

grype/presenter/table/presenter_test.go

@@ -73,7 +73,7 @@ func TestCreateRow(t *testing.T) {
 
 func TestTablePresenter(t *testing.T) {
 	var buffer bytes.Buffer
-	matches, packages, _, metadataProvider, _, _ := internal.GenerateAnalysis(t, internal.ImageSource)
+	_, matches, packages, _, metadataProvider, _, _ := internal.GenerateAnalysis(t, internal.ImageSource)
 
 	pb := models.PresenterConfig{
 		Matches:          matches,

grype/presenter/template/presenter_test.go

@@ -18,7 +18,7 @@ import (
 var update = flag.Bool("update", false, "update the *.golden files for template presenters")
 
 func TestPresenter_Present(t *testing.T) {
-	matches, packages, context, metadataProvider, appConfig, dbStatus := internal.GenerateAnalysis(t, internal.ImageSource)
+	_, matches, packages, context, metadataProvider, appConfig, dbStatus := internal.GenerateAnalysis(t, internal.ImageSource)
 
 	workingDirectory, err := os.Getwd()
 	if err != nil {
@@ -53,7 +53,7 @@ func TestPresenter_Present(t *testing.T) {
 }
 
 func TestPresenter_SprigDate_Fails(t *testing.T) {
-	matches, packages, context, metadataProvider, appConfig, dbStatus := internal.GenerateAnalysis(t, internal.ImageSource)
+	_, matches, packages, context, metadataProvider, appConfig, dbStatus := internal.GenerateAnalysis(t, internal.ImageSource)
 	workingDirectory, err := os.Getwd()
 	require.NoError(t, err)
 

test/cli/sbom_input_test.go

@@ -70,7 +70,7 @@ func TestSBOMInput_FromStdin(t *testing.T) {
 			input:      "./test-fixtures/empty.json",
 			args:       []string{"-c", "../grype-test-config.yaml"},
 			wantErr:    require.Error,
-			wantOutput: "unable to decode sbom: unable to identify format",
+			wantOutput: "unable to decode sbom: sbom format not recognized",
 		},
 		{
 			name:    "sbom",

test/integration/compare_sbom_input_vs_lib_test.go

@@ -11,7 +11,9 @@ import (
 	"github.com/anchore/grype/grype"
 	"github.com/anchore/grype/grype/db"
 	"github.com/anchore/grype/internal"
-	"github.com/anchore/syft/syft"
+	"github.com/anchore/syft/syft/format/spdxjson"
+	"github.com/anchore/syft/syft/format/spdxtagvalue"
+	"github.com/anchore/syft/syft/format/syftjson"
 	syftPkg "github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/syft/syft/sbom"
 	"github.com/anchore/syft/syft/source"
@@ -35,6 +37,13 @@ func getListingURL() string {
 	return internal.DBUpdateURL
 }
 
+func must(e sbom.FormatEncoder, err error) sbom.FormatEncoder {
+	if err != nil {
+		panic(err)
+	}
+	return e
+}
+
 func TestCompareSBOMInputToLibResults(t *testing.T) {
 	// get a grype DB
 	store, _, closer, err := grype.LoadVulnerabilityDB(db.Config{
@@ -78,162 +87,159 @@ func TestCompareSBOMInputToLibResults(t *testing.T) {
 	testCases := []struct {
 		name   string
 		image  string
-		format sbom.FormatID
+		format sbom.FormatEncoder
 	}{
 		{
 			image:  "anchore/test_images:vulnerabilities-alpine",
-			format: syft.JSONFormatID,
+			format: syftjson.NewFormatEncoder(),
 			name:   "alpine-syft-json",
 		},
 
 		{
 			image:  "anchore/test_images:vulnerabilities-alpine",
-			format: syft.SPDXJSONFormatID,
+			format: must(spdxjson.NewFormatEncoderWithConfig(spdxjson.DefaultEncoderConfig())),
 			name:   "alpine-spdx-json",
 		},
 
 		{
 			image:  "anchore/test_images:vulnerabilities-alpine",
-			format: syft.SPDXTagValueFormatID,
+			format: must(spdxtagvalue.NewFormatEncoderWithConfig(spdxtagvalue.DefaultEncoderConfig())),
 			name:   "alpine-spdx-tag-value",
 		},
 
 		{
 			image:  "anchore/test_images:gems",
-			format: syft.JSONFormatID,
+			format: syftjson.NewFormatEncoder(),
 			name:   "gems-syft-json",
 		},
 
 		{
 			image:  "anchore/test_images:gems",
-			format: syft.SPDXJSONFormatID,
+			format: must(spdxjson.NewFormatEncoderWithConfig(spdxjson.DefaultEncoderConfig())),
 			name:   "gems-spdx-json",
 		},
 
 		{
 			image:  "anchore/test_images:gems",
-			format: syft.SPDXTagValueFormatID,
+			format: must(spdxtagvalue.NewFormatEncoderWithConfig(spdxtagvalue.DefaultEncoderConfig())),
 			name:   "gems-spdx-tag-value",
 		},
 
 		{
 			image:  "anchore/test_images:vulnerabilities-debian",
-			format: syft.JSONFormatID,
+			format: syftjson.NewFormatEncoder(),
 			name:   "debian-syft-json",
 		},
 
 		{
 			image:  "anchore/test_images:vulnerabilities-debian",
-			format: syft.SPDXJSONFormatID,
+			format: must(spdxjson.NewFormatEncoderWithConfig(spdxjson.DefaultEncoderConfig())),
 			name:   "debian-spdx-json",
 		},
 
 		{
 			image:  "anchore/test_images:vulnerabilities-debian",
-			format: syft.SPDXTagValueFormatID,
+			format: must(spdxtagvalue.NewFormatEncoderWithConfig(spdxtagvalue.DefaultEncoderConfig())),
 			name:   "debian-spdx-tag-value",
 		},
 
 		{
 			image:  "anchore/test_images:vulnerabilities-centos",
-			format: syft.JSONFormatID,
+			format: syftjson.NewFormatEncoder(),
 			name:   "centos-syft-json",
 		},
 
 		{
 			image:  "anchore/test_images:vulnerabilities-centos",
-			format: syft.SPDXJSONFormatID,
+			format: must(spdxjson.NewFormatEncoderWithConfig(spdxjson.DefaultEncoderConfig())),
 			name:   "centos-spdx-json",
 		},
 
 		{
 			image:  "anchore/test_images:vulnerabilities-centos",
-			format: syft.SPDXTagValueFormatID,
+			format: must(spdxtagvalue.NewFormatEncoderWithConfig(spdxtagvalue.DefaultEncoderConfig())),
 			name:   "centos-spdx-tag-value",
 		},
 
 		{
 			image:  "anchore/test_images:npm",
-			format: syft.JSONFormatID,
+			format: syftjson.NewFormatEncoder(),
 			name:   "npm-syft-json",
 		},
 
 		{
 			image:  "anchore/test_images:npm",
-			format: syft.SPDXJSONFormatID,
+			format: must(spdxjson.NewFormatEncoderWithConfig(spdxjson.DefaultEncoderConfig())),
 			name:   "npm-spdx-json",
 		},
 
 		{
 			image:  "anchore/test_images:npm",
-			format: syft.SPDXTagValueFormatID,
+			format: must(spdxtagvalue.NewFormatEncoderWithConfig(spdxtagvalue.DefaultEncoderConfig())),
 			name:   "npm-spdx-tag-value",
 		},
 
 		{
 			image:  "anchore/test_images:java",
-			format: syft.JSONFormatID,
+			format: syftjson.NewFormatEncoder(),
 			name:   "java-syft-json",
 		},
 
 		{
 			image:  "anchore/test_images:java",
-			format: syft.SPDXJSONFormatID,
+			format: must(spdxjson.NewFormatEncoderWithConfig(spdxjson.DefaultEncoderConfig())),
 			name:   "java-spdx-json",
 		},
 
 		{
 			image:  "anchore/test_images:java",
-			format: syft.SPDXTagValueFormatID,
+			format: must(spdxtagvalue.NewFormatEncoderWithConfig(spdxtagvalue.DefaultEncoderConfig())),
 			name:   "java-spdx-tag-value",
 		},
 
 		{
 			image:  "anchore/test_images:golang-56d52bc",
-			format: syft.JSONFormatID,
+			format: syftjson.NewFormatEncoder(),
 			name:   "go-syft-json",
 		},
 
 		{
 			image:  "anchore/test_images:golang-56d52bc",
-			format: syft.SPDXJSONFormatID,
+			format: must(spdxjson.NewFormatEncoderWithConfig(spdxjson.DefaultEncoderConfig())),
 			name:   "go-spdx-json",
 		},
 
 		{
 			image:  "anchore/test_images:golang-56d52bc",
-			format: syft.SPDXTagValueFormatID,
+			format: must(spdxtagvalue.NewFormatEncoderWithConfig(spdxtagvalue.DefaultEncoderConfig())),
 			name:   "go-spdx-tag-value",
 		},
 
 		{
 			image:  "anchore/test_images:arch",
-			format: syft.JSONFormatID,
+			format: syftjson.NewFormatEncoder(),
 			name:   "arch-syft-json",
 		},
 
 		{
 			image:  "anchore/test_images:arch",
-			format: syft.SPDXJSONFormatID,
+			format: must(spdxjson.NewFormatEncoderWithConfig(spdxjson.DefaultEncoderConfig())),
 			name:   "arch-spdx-json",
 		},
 
 		{
 			image:  "anchore/test_images:arch",
-			format: syft.SPDXTagValueFormatID,
+			format: must(spdxtagvalue.NewFormatEncoderWithConfig(spdxtagvalue.DefaultEncoderConfig())),
 			name:   "arch-spdx-tag-value",
 		},
 	}
 	for _, tc := range testCases {
 		imageArchive := PullThroughImageCache(t, tc.image)
 		imageSource := fmt.Sprintf("docker-archive:%s", imageArchive)
-		f := syft.FormatByID(tc.format)
-		if f == nil {
-			t.Errorf("Invalid formatID: %s", tc.format)
-		}
+
 		t.Run(tc.name, func(t *testing.T) {
 			// get SBOM from syft, write to temp file
-			sbomBytes := getSyftSBOM(t, imageSource, f)
+			sbomBytes := getSyftSBOM(t, imageSource, tc.format)
 			sbomFile, err := os.CreateTemp("", "")
 			assert.NoError(t, err)
 			t.Cleanup(func() {

test/integration/match_by_image_test.go

@@ -315,7 +315,7 @@ func addJavaMatches(t *testing.T, theSource source.Source, catalog *syftPkg.Coll
 	}
 	theSyftPkg := packages[0]
 
-	groupId := theSyftPkg.Metadata.(syftPkg.JavaMetadata).PomProperties.GroupID
+	groupId := theSyftPkg.Metadata.(syftPkg.JavaArchive).PomProperties.GroupID
 	lookup := groupId + ":" + theSyftPkg.Name
 
 	thePkg := pkg.New(theSyftPkg)

test/integration/utils_test.go

@@ -1,6 +1,7 @@
 package integration
 
 import (
+	"bytes"
 	"errors"
 	"fmt"
 	"os"
@@ -70,7 +71,7 @@ func saveImage(t testing.TB, imageName string, destPath string) {
 	t.Logf("Stdout: %s\n", out)
 }
 
-func getSyftSBOM(t testing.TB, image string, format sbom.Format) string {
+func getSyftSBOM(t testing.TB, image string, encoder sbom.FormatEncoder) string {
 	detection, err := source.Detect(image, source.DetectConfig{})
 	if err != nil {
 		t.Fatalf("could not generate source input for packages command: %+v", err)
@@ -98,12 +99,12 @@ func getSyftSBOM(t testing.TB, image string, format sbom.Format) string {
 		Source:        src.Describe(),
 	}
 
-	bytes, err := syft.Encode(s, format)
-	if err != nil {
-		t.Fatalf("presenter failed: %+v", err)
-	}
+	var buf bytes.Buffer
 
-	return string(bytes)
+	err = encoder.Encode(&buf, s)
+	require.NoError(t, err)
+
+	return buf.String()
 }
 
 func getMatchSet(matches match.Matches) *strset.Set {