PURL is not deterministic in java-archive cataloger

**What happened**:
When i scan a file (.war) I get different results each scan. A jar with multiple `pom.xml` can result in, for example:
```
pkg:maven/org.glassfish.jaxb/jaxb-core@2.2.11
pkg:maven/com.sun.xml.bind/jaxb-core@2.2.11
```

**What you expected to happen**:
same result each time

**Steps to reproduce the issue**:
Repeatedly scan `webgoat/webgoat` [container](https://hub.docker.com/r/webgoat/webgoat) or JAR [releases](https://github.com/WebGoat/WebGoat/releases)

**Anything else we need to know?**:
it impacts the number of results I get from syft.

**Environment**:
- Output of `syft version`: 1.17.0
- OS (e.g: `cat /etc/os-release` or similar): mac


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

PURL is not deterministic in java-archive cataloger #3521

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

PURL is not deterministic in java-archive cataloger #3521

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions