Prevent symlinks causing duplicate package-file relationships

As symlinks are traversed as part of file resolution, a scenario in
which a package owns a file and its respective symlinks, causes multiple
relationships to be created between the package and the file (as the
symlinks do not appear in the list of files in the output).

We prevent these files from being confused with each other by
de-duplicating the files at the point of creating ownerships, and
removing duplicate coordinates. This ensures we only get a single copy
of each relationship.

Signed-off-by: Justin Chadwell <[email protected]>

syft/pkg/cataloger/catalog.go

@@ -110,29 +110,33 @@ func packageFileOwnershipRelationships(p pkg.Package, resolver source.FilePathRe
 		return nil, nil
 	}
 
-	var relationships []artifact.Relationship
+	locations := map[artifact.ID]source.Location{}
 
 	for _, path := range fileOwner.OwnedFiles() {
-		locations, err := resolver.FilesByPath(path)
+		pathRefs, err := resolver.FilesByPath(path)
 		if err != nil {
 			return nil, fmt.Errorf("unable to find path for path=%q: %w", path, err)
 		}
 
-		if len(locations) == 0 {
+		if len(pathRefs) == 0 {
 			// ideally we want to warn users about missing files from a package, however, it is very common for
 			// container image authors to delete files that are not needed in order to keep image sizes small. Adding
 			// a warning here would be needlessly noisy (even for popular base images).
 			continue
 		}
 
-		for _, l := range locations {
-			relationships = append(relationships, artifact.Relationship{
-				From: p,
-				To:   l.Coordinates,
-				Type: artifact.ContainsRelationship,
-			})
+		for _, ref := range pathRefs {
+			locations[ref.Coordinates.ID()] = ref
 		}
 	}
 
+	var relationships []artifact.Relationship
+	for _, location := range locations {
+		relationships = append(relationships, artifact.Relationship{
+			From: p,
+			To:   location.Coordinates,
+			Type: artifact.ContainsRelationship,
+		})
+	}
 	return relationships, nil
 }