fix: ask catalog for package, rather than type asserting

[willmurphyscode]

TODO

• tests
• research fixing in Syft instead - nothing to be done; grype wasn't using Syft's API very well.

Explanation

Basically, when we're cataloging we remove some packages by ownership overlap, (e.g. if you're on redhat and do yum install python3-urllib, grype will drop the PyPI package urllib in favor of the RPM python3-urllib, because we have better match information for the distro package than for PyPI, e.g. because RedHad backported a fix to an old version of the python code or something).

We do this:

   		from, ok := r.From.(pkg.Package)
		if ok && excludePackage(comprehensiveDistroFeed, p, from) {
			continue
		}

Which seems fine, however, some relationships have a From of type *pkg.Package, not type pkg.Package (pointer vs struct). This causes the type assertion in grype to always fail, resulting FPs.

The underlying reason is that the syft scanner does this:

		parent := catalog.Package(parentID)
		child := catalog.Package(childID)

when building the relationship. And catalog.Package(id) returns a *Package.

However, when we're decoding an SBOM, the relationship builder looks over catalog.Sorted(), which is a []Package.

We can compensate for this in grype by trying to type assert to both pkg.Package and *pkg.Package. I think that's the easier way, and I feel like the "right" way (making Syft either always put a pointer in the To/From field of a relationship or never do so) might end up breaking the type signature of something exported, which we wanted to avoid in 1.0. Grype PR soon, but definitely open to feedback on the approach.

[kzantow]

LGTM as is, but possible test improvement suggestion

[kzantow]

👍