fix: remove second call to finalize as the task handles it (#2516)

* fix: remove second call to finalize as the task handles it

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* test: add test to protect against dupe relationships in final SBOM

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

syft/create_sbom.go

@@ -11,7 +11,6 @@ import (
 	"github.com/wagoodman/go-progress"
 
 	"github.com/anchore/syft/internal/bus"
-	"github.com/anchore/syft/internal/relationship"
 	"github.com/anchore/syft/internal/sbomsync"
 	"github.com/anchore/syft/internal/task"
 	"github.com/anchore/syft/syft/artifact"
@@ -78,8 +77,6 @@ func CreateSBOM(ctx context.Context, src source.Source, cfg *CreateSBOMConfig) (
 	packageCatalogingProgress.SetCompleted()
 	catalogingProgress.SetCompleted()
 
-	relationship.Finalize(builder, cfg.Relationships, src)
-
 	return &s, nil
 }
 

test/integration/regression_sbom_duplicate_relationships_test.go

@@ -0,0 +1,26 @@
+package integration
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/scylladb/go-set/strset"
+
+	"github.com/anchore/syft/syft/source"
+)
+
+func TestRelationshipsUnique(t *testing.T) {
+	// This test is to ensure that the relationships are deduplicated in the final SBOM.
+	// It is not a test of the relationships themselves.
+	// This test is a regression test for #syft/2509
+	sbom, _ := catalogFixtureImage(t, "image-pkg-coverage", source.SquashedScope)
+	observedRelationships := strset.New()
+
+	for _, rel := range sbom.Relationships {
+		unique := fmt.Sprintf("%s:%s:%s", rel.From.ID(), rel.To.ID(), rel.Type)
+		if observedRelationships.Has(unique) {
+			t.Errorf("duplicate relationship found: %s", unique)
+		}
+		observedRelationships.Add(unique)
+	}
+}