What happened:
When I scan a file (.war), I get different results each scan. A jar with multiple pom.xml can result in, for example:
pkg:maven/org.glassfish.jaxb/[email protected]
pkg:maven/com.sun.xml.bind/[email protected]
What you expected to happen:
Same result each time.
Steps to reproduce the issue:
Repeatedly scan webgoat/webgoat container or JAR releases
Anything else we need to know?:
It impacts the number of results I get from syft.
Environment:
- Output of `syft version`: 1.17.0
- OS (e.g: `cat /etc/os-release` or similar): mac
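One way to pin down which files change identity between scans, as an added example (not part of the original report and not syft's own code): it compares several `syft -o json` outputs by file location, reading the `artifacts[].purl` and `artifacts[].locations[].path` fields. The sample documents, jar path, artifact name and version below are constructed placeholders; only the two Maven group IDs come from the report.

```python
import json

def identities_by_location(sbom_json):
    """Map each file path to the set of purls attributed to it in one scan."""
    out = {}
    for art in json.loads(sbom_json).get("artifacts", []):
        ident = art.get("purl") or art.get("name", "")
        for loc in art.get("locations", []):
            out.setdefault(loc["path"], set()).add(ident)
    return out

def flapping_locations(runs):
    """Return {path: [sorted purls per run]} for paths whose purls differ between runs."""
    per_run = [identities_by_location(r) for r in runs]
    report = {}
    for path in sorted(set().union(*per_run)):
        observed = [frozenset(run.get(path, ())) for run in per_run]
        if len(set(observed)) > 1:  # at least two scans disagree on this file
            report[path] = [sorted(o) for o in observed]
    return report

# Constructed sample data (placeholders, not real scan output).
JAR_PATH = "/WEB-INF/lib/sample.jar"
PURL_A = "pkg:maven/org.glassfish.jaxb/placeholder-artifact@0.0.0"
PURL_B = "pkg:maven/com.sun.xml.bind/placeholder-artifact@0.0.0"

def _sample_run(jar_purl):
    """Build a syft-style document: one stable package plus one jar whose identity varies."""
    return json.dumps({"artifacts": [
        {"purl": "pkg:maven/org.example/stable-lib@0.0.0",
         "locations": [{"path": "/WEB-INF/lib/stable-lib.jar"}]},
        {"purl": jar_purl, "locations": [{"path": JAR_PATH}]},
    ]})

RUN_A, RUN_B = _sample_run(PURL_A), _sample_run(PURL_B)

if __name__ == "__main__":
    for path, seen in flapping_locations([RUN_A, RUN_B, RUN_A]).items():
        print(path)
        for i, purls in enumerate(seen):
            print(f"  run {i}: {purls}")
```

With real scans, pass the text of each saved JSON output in place of `RUN_A` and `RUN_B`.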