Will Murphy
Are you running the version of `golangci-lint` that is installed by Syft's Taskfile? `./.tool/golangci-lint run --issues-exit-code=1 --timeout 5m0s --tests=false` succeeds for me on `main`. It's possible the version of `golangci-lint`...
Two questions for investigation: 1. If we add a bitnami cataloger, and turn both it and the SBOM cataloger on, do we get duplicates? 2. Do we and should we...
> 1. If we add a bitnami cataloger, and turn both it and the SBOM cataloger on, do we get duplicates? I did an experiment to answer this. 1. Copy...
I've attached the SBOM syft makes in my experiment: ``` sh go run ./cmd/syft -q --override-default-catalogers "bitnami-cataloger" bitnami/moodle:4.4 -o spdx >/tmp/from-syft-bitnami.spdx.txt ``` [from-syft-bitnami.spdx.txt](https://github.com/user-attachments/files/16994294/from-syft-bitnami.spdx.txt)
Hi @juan131 (cc @wagoodman), Some thoughts here: 1. Are the packages represented in the bitnami SBOMs from different ecosystems? For example, is it a Go binary or a Python package...
Hi @juan131! Thanks @westonsteimel - I did not realize bitnami was an official PURL package type - I thought we would be inventing the package type for the sake of...
> when you talk about packages from Bitnami but not pkg:bitnami, what packages are you referring to? I thought you told us that there were packages in bitnami SPDX files...
> With this in mind, are we adding value by labeling these packages as "being from Bitnami"? Do we want Grype to be able to match these against the bitnami...
> Bitnami SBOM might include non-bitnami packages that can't be detected with other cataloger (this is very unlikely). There might be a specific case where this is likely: native binaries...
Thanks for the ping @juan131! I want to have a bit of a discussion about deduplication with the binary classifier: ``` sh ❯ go run ./cmd/syft -q -o json bitnami/postgresql:17...
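The two deduplication questions raised in this thread (whether a bitnami cataloger running alongside the SBOM cataloger yields duplicates, and how records from the binary classifier relate to pkg:bitnami records) come down to what identity key the merge step uses. The following Go program is an added example written for this discussion, not Syft's own code: it assumes a minimal `Package` struct, a `Merge` function with a pluggable key, and constructed records with made-up PURLs and cataloger names. It shows that keying on the full PURL collapses the SBOM-cataloger and bitnami-cataloger records but leaves the `pkg:generic` binary-classifier record separate, while keying on `name@version` collapses all three.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Package is a minimal stand-in for a catalogued package record. It is an
// assumption for this example and is not Syft's pkg.Package type.
type Package struct {
	Name    string
	Version string
	Type    string   // PURL type / ecosystem: "bitnami", "binary", "deb", ...
	PURL    string
	FoundBy []string // catalogers that reported this record
}

// KeyFunc decides the identity under which two records count as duplicates.
type KeyFunc func(Package) string

// ByPURL is exact identity: the same PURL seen by two catalogers collapses,
// but pkg:bitnami/x and pkg:generic/x for the same binary do not.
func ByPURL(p Package) string {
	if p.PURL != "" {
		return p.PURL
	}
	return p.Type + "/" + p.Name + "@" + p.Version
}

// ByNameVersion ignores ecosystem. It collapses the bitnami / binary-classifier
// overlap, at the risk of merging genuinely different packages that happen to
// share a name and version across ecosystems.
func ByNameVersion(p Package) string {
	return strings.ToLower(p.Name) + "@" + p.Version
}

// Merge folds several catalogers' output into one list. On a key collision it
// unions FoundBy and keeps the first record's other fields. Output is sorted
// by key so the result is deterministic.
func Merge(key KeyFunc, catalogs ...[]Package) []Package {
	merged := map[string]*Package{}
	for _, catalog := range catalogs {
		for _, p := range catalog {
			k := key(p)
			if existing, ok := merged[k]; ok {
				existing.FoundBy = union(existing.FoundBy, p.FoundBy)
				continue
			}
			cp := p
			cp.FoundBy = append([]string(nil), p.FoundBy...)
			merged[k] = &cp
		}
	}
	keys := make([]string, 0, len(merged))
	for k := range merged {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	out := make([]Package, 0, len(keys))
	for _, k := range keys {
		out = append(out, *merged[k])
	}
	return out
}

// union appends the entries of b not already present in a, preserving order.
func union(a, b []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, s := range append(append([]string{}, a...), b...) {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// SampleCatalogs returns constructed records imitating what three catalogers
// might report for a Bitnami PostgreSQL image. PURLs, versions and the
// cataloger names are assumptions made for this example.
func SampleCatalogs() (sbom, bitnami, binary []Package) {
	sbom = []Package{{Name: "postgresql", Version: "17.0.0", Type: "bitnami",
		PURL: "pkg:bitnami/postgresql@17.0.0", FoundBy: []string{"sbom-cataloger"}}}
	bitnami = []Package{{Name: "postgresql", Version: "17.0.0", Type: "bitnami",
		PURL: "pkg:bitnami/postgresql@17.0.0", FoundBy: []string{"bitnami-cataloger"}}}
	binary = []Package{{Name: "postgresql", Version: "17.0.0", Type: "binary",
		PURL: "pkg:generic/postgresql@17.0.0", FoundBy: []string{"binary-classifier-cataloger"}}}
	return sbom, bitnami, binary
}

func main() {
	sbom, bitnami, binary := SampleCatalogs()
	fmt.Println("== dedupe by PURL ==")
	for _, p := range Merge(ByPURL, sbom, bitnami, binary) {
		fmt.Printf("%-32s found by %s\n", p.PURL, strings.Join(p.FoundBy, ", "))
	}
	fmt.Println("== dedupe by name@version ==")
	for _, p := range Merge(ByNameVersion, sbom, bitnami, binary) {
		fmt.Printf("%-32s found by %s\n", p.PURL, strings.Join(p.FoundBy, ", "))
	}
}
```

The first mode is the conservative one: two catalogers agreeing on `pkg:bitnami/postgresql@17.0.0` produce a single record that lists both as its source, which answers the "do we get duplicates" question with "not if they emit the same PURL". The binary-classifier record survives as a separate `pkg:generic` entry, which is the overlap the second mode trades away by ignoring ecosystem; which trade is right depends on whether Grype is expected to match the bitnami record, the generic one, or both.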