From a1fb9d7efd4e0d23500396adb909a2fedc353f1a Mon Sep 17 00:00:00 2001
From: Keith Zantow <kzantow@gmail.com>
Date: Tue, 23 Jul 2024 18:14:54 -0400
Subject: [PATCH] chore: refactor pom cataloger to scan and index all poms in
 the resolver

Signed-off-by: Keith Zantow <kzantow@gmail.com>
---
 .../internal/pkgtest/test_generic_parser.go   |   5 +
 syft/pkg/cataloger/java/archive_parser.go     |   7 +-
 .../pkg/cataloger/java/archive_parser_test.go |   9 +-
 syft/pkg/cataloger/java/cataloger.go          |   7 +-
 syft/pkg/cataloger/java/maven_resolver.go     |   4 +-
 .../pkg/cataloger/java/maven_resolver_test.go |   2 +-
 syft/pkg/cataloger/java/parse_pom_xml.go      |  63 +-
 syft/pkg/cataloger/java/parse_pom_xml_test.go |  52 +-
 .../test-fixtures/pom/commons-text.pom.xml    | 575 ------------------
 .../pom/{relative => local}/child-1/pom.xml   |   0
 .../pom/local/commons-text-1.10.0/pom.xml     | 263 ++++++++
 .../example-java-app-maven}/pom.xml           |   0
 .../pom/{relative => local}/parent-1/pom.xml  |   1 -
 .../pom/{relative => local}/parent-2/pom.xml  |   0
 14 files changed, 363 insertions(+), 625 deletions(-)
 delete mode 100644 syft/pkg/cataloger/java/test-fixtures/pom/commons-text.pom.xml
 rename syft/pkg/cataloger/java/test-fixtures/pom/{relative => local}/child-1/pom.xml (100%)
 create mode 100644 syft/pkg/cataloger/java/test-fixtures/pom/local/commons-text-1.10.0/pom.xml
 rename syft/pkg/cataloger/java/test-fixtures/pom/{ => local/example-java-app-maven}/pom.xml (100%)
 rename syft/pkg/cataloger/java/test-fixtures/pom/{relative => local}/parent-1/pom.xml (98%)
 rename syft/pkg/cataloger/java/test-fixtures/pom/{relative => local}/parent-2/pom.xml (100%)

diff --git a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go
index a3cf11dece8..2dcbb7f8bec 100644
--- a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go
+++ b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go
@@ -310,6 +310,11 @@ func TestFileParser(t *testing.T, fixturePath string, parser generic.Parser, exp
 	NewCatalogTester().FromFile(t, fixturePath).Expects(expectedPkgs, expectedRelationships).TestParser(t, parser)
 }
 
+func TestCataloger(t *testing.T, fixtureDir string, cataloger pkg.Cataloger, expectedPkgs []pkg.Package, expectedRelationships []artifact.Relationship) {
+	t.Helper()
+	NewCatalogTester().FromDirectory(t, fixtureDir).Expects(expectedPkgs, expectedRelationships).TestCataloger(t, cataloger)
+}
+
 func TestFileParserWithEnv(t *testing.T, fixturePath string, parser generic.Parser, env *generic.Environment, expectedPkgs []pkg.Package, expectedRelationships []artifact.Relationship) {
 	t.Helper()
 
diff --git a/syft/pkg/cataloger/java/archive_parser.go b/syft/pkg/cataloger/java/archive_parser.go
index c6ed0377064..8f21702be69 100644
--- a/syft/pkg/cataloger/java/archive_parser.go
+++ b/syft/pkg/cataloger/java/archive_parser.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/vifraa/gopom"
 
+	"github.com/anchore/syft/internal"
 	intFile "github.com/anchore/syft/internal/file"
 	"github.com/anchore/syft/internal/licenses"
 	"github.com/anchore/syft/internal/log"
@@ -51,7 +52,7 @@ type archiveParser struct {
 	fileInfo     archiveFilename
 	detectNested bool
 	cfg          ArchiveCatalogerConfig
-	maven        mavenResolver
+	maven        *mavenResolver
 }
 
 type genericArchiveParserAdapter struct {
@@ -382,7 +383,7 @@ func (j *archiveParser) discoverPkgsFromAllMavenFiles(ctx context.Context, paren
 			parsedPom = proj
 		}
 
-		pkgFromPom := newPackageFromMavenData(ctx, &j.maven, propertiesObj, parsedPom, parentPkg, j.location)
+		pkgFromPom := newPackageFromMavenData(ctx, j.maven, propertiesObj, parsedPom, parentPkg, j.location)
 		if pkgFromPom != nil {
 			pkgs = append(pkgs, *pkgFromPom)
 		}
@@ -396,7 +397,7 @@ func getDigestsFromArchive(archivePath string) ([]file.Digest, error) {
 	if err != nil {
 		return nil, fmt.Errorf("unable to open archive path (%s): %w", archivePath, err)
 	}
-	defer archiveCloser.Close()
+	defer internal.CloseAndLogError(archiveCloser, archivePath)
 
 	// grab and assign digest for the entire archive
 	digests, err := intFile.NewDigestsFromFile(archiveCloser, javaArchiveHashes)
diff --git a/syft/pkg/cataloger/java/archive_parser_test.go b/syft/pkg/cataloger/java/archive_parser_test.go
index 2a2f13569de..564ae4c3e1a 100644
--- a/syft/pkg/cataloger/java/archive_parser_test.go
+++ b/syft/pkg/cataloger/java/archive_parser_test.go
@@ -21,6 +21,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/vifraa/gopom"
 
+	"github.com/anchore/syft/internal"
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/license"
@@ -54,13 +55,13 @@ func generateMockMavenHandler(responseFixture string) func(w http.ResponseWriter
 		// Set the Content-Type header to indicate that the response is XML
 		w.Header().Set("Content-Type", "application/xml")
 		// Copy the file's content to the response writer
-		file, err := os.Open(responseFixture)
+		f, err := os.Open(responseFixture)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
-		defer file.Close()
-		_, err = io.Copy(w, file)
+		defer internal.CloseAndLogError(f, responseFixture)
+		_, err = io.Copy(w, f)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
@@ -1081,7 +1082,7 @@ func Test_newPackageFromMavenData(t *testing.T) {
 			test.expectedParent.Locations = locations
 
 			r := newMavenResolver(nil, DefaultArchiveCatalogerConfig())
-			actualPackage := newPackageFromMavenData(context.Background(), &r, test.props, test.project, test.parent, file.NewLocation(virtualPath))
+			actualPackage := newPackageFromMavenData(context.Background(), r, test.props, test.project, test.parent, file.NewLocation(virtualPath))
 			if test.expectedPackage == nil {
 				require.Nil(t, actualPackage)
 			} else {
diff --git a/syft/pkg/cataloger/java/cataloger.go b/syft/pkg/cataloger/java/cataloger.go
index 35f4cbdb2e9..11e48b7f5ad 100644
--- a/syft/pkg/cataloger/java/cataloger.go
+++ b/syft/pkg/cataloger/java/cataloger.go
@@ -32,10 +32,9 @@ func NewArchiveCataloger(cfg ArchiveCatalogerConfig) pkg.Cataloger {
 // NewPomCataloger returns a cataloger capable of parsing dependencies from a pom.xml file.
 // Pom files list dependencies that maybe not be locally installed yet.
 func NewPomCataloger(cfg ArchiveCatalogerConfig) pkg.Cataloger {
-	gap := newGenericArchiveParserAdapter(cfg)
-
-	return generic.NewCataloger("java-pom-cataloger").
-		WithParserByGlobs(gap.parsePomXML, "**/pom.xml")
+	return pomXMLCataloger{
+		cfg: cfg,
+	}
 }
 
 // NewGradleLockfileCataloger returns a cataloger capable of parsing dependencies from a gradle.lockfile file.
diff --git a/syft/pkg/cataloger/java/maven_resolver.go b/syft/pkg/cataloger/java/maven_resolver.go
index a5f64478e36..47bfc369ee3 100644
--- a/syft/pkg/cataloger/java/maven_resolver.go
+++ b/syft/pkg/cataloger/java/maven_resolver.go
@@ -74,8 +74,8 @@ type mavenResolver struct {
 
 // newMavenResolver constructs a new mavenResolver with the given configuration.
 // NOTE: the fileResolver is optional and if provided will be used to resolve parent poms by relative path
-func newMavenResolver(fileResolver file.Resolver, cfg ArchiveCatalogerConfig) mavenResolver {
-	return mavenResolver{
+func newMavenResolver(fileResolver file.Resolver, cfg ArchiveCatalogerConfig) *mavenResolver {
+	return &mavenResolver{
 		cfg:                  cfg,
 		cache:                cache.GetManager().GetCache("java/maven/repo", "v1"),
 		resolved:             map[mavenID]*gopom.Project{},
diff --git a/syft/pkg/cataloger/java/maven_resolver_test.go b/syft/pkg/cataloger/java/maven_resolver_test.go
index 3154b05ad51..5a16a5b6e64 100644
--- a/syft/pkg/cataloger/java/maven_resolver_test.go
+++ b/syft/pkg/cataloger/java/maven_resolver_test.go
@@ -249,7 +249,7 @@ func Test_mavenResolverRemote(t *testing.T) {
 }
 
 func Test_relativePathParent(t *testing.T) {
-	resolver, err := fileresolver.NewFromDirectory("test-fixtures/pom/relative", "")
+	resolver, err := fileresolver.NewFromDirectory("test-fixtures/pom/local", "")
 	require.NoError(t, err)
 
 	r := newMavenResolver(resolver, DefaultArchiveCatalogerConfig())
diff --git a/syft/pkg/cataloger/java/parse_pom_xml.go b/syft/pkg/cataloger/java/parse_pom_xml.go
index 27bee293d1f..fa11d93672b 100644
--- a/syft/pkg/cataloger/java/parse_pom_xml.go
+++ b/syft/pkg/cataloger/java/parse_pom_xml.go
@@ -13,34 +13,79 @@ import (
 	"github.com/vifraa/gopom"
 	"golang.org/x/net/html/charset"
 
+	"github.com/anchore/syft/internal"
 	"github.com/anchore/syft/internal/log"
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/pkg"
-	"github.com/anchore/syft/syft/pkg/cataloger/generic"
 )
 
 const pomXMLGlob = "*pom.xml"
 
-func (gap genericArchiveParserAdapter) parsePomXML(ctx context.Context, fileResolver file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
-	pom, err := decodePomXML(reader)
-	if err != nil || pom == nil {
+type pomXMLCataloger struct {
+	cfg ArchiveCatalogerConfig
+}
+
+func (p pomXMLCataloger) Name() string {
+	return "java-pom-cataloger"
+}
+
+func (p pomXMLCataloger) Catalog(ctx context.Context, fileResolver file.Resolver) ([]pkg.Package, []artifact.Relationship, error) {
+	locations, err := fileResolver.FilesByGlob("**/pom.xml")
+	if err != nil {
 		return nil, nil, err
 	}
 
-	r := newMavenResolver(fileResolver, gap.cfg)
-	r.pomLocations[pom] = reader.Location // store the location this pom was resolved in order to attempt parent pom lookups
+	r := newMavenResolver(fileResolver, p.cfg)
+
+	var poms []*gopom.Project
+	for _, pomLocation := range locations {
+		pom, err := readPomFromLocation(fileResolver, pomLocation)
+		if err != nil || pom == nil {
+			log.Debugf("error while getting contents for: %v %v", pomLocation.RealPath, err)
+			continue
+		}
+
+		poms = append(poms, pom)
+
+		// store information about this pom for future lookups
+		r.pomLocations[pom] = pomLocation
+		r.resolved[newMavenIDFromPom(pom)] = pom
+	}
+
+	var pkgs []pkg.Package
+	for _, pom := range poms {
+		pkgs = append(pkgs, processPomXML(ctx, r, pom, r.pomLocations[pom])...)
+	}
+	return pkgs, nil, nil
+}
+
+func readPomFromLocation(fileResolver file.Resolver, pomLocation file.Location) (*gopom.Project, error) {
+	contents, err := fileResolver.FileContentsByLocation(pomLocation)
+	if err != nil {
+		return nil, err
+	}
+	defer internal.CloseAndLogError(contents, pomLocation.RealPath)
+
+	pom, err := decodePomXML(contents)
+	if err != nil || pom == nil {
+		return nil, err
+	}
+	return pom, nil
+}
 
+func processPomXML(ctx context.Context, r *mavenResolver, pom *gopom.Project, loc file.Location) []pkg.Package {
 	var pkgs []pkg.Package
+
 	for _, dep := range pomDependencies(pom) {
 		id := newMavenID(dep.GroupID, dep.ArtifactID, dep.Version)
 		log.Tracef("adding dependency to SBOM: %v", id)
 		p, err := newPackageFromDependency(
 			ctx,
-			&r,
+			r,
 			pom,
 			dep,
-			reader.Location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
+			loc.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
 		)
 		if err != nil {
 			log.Debugf("error adding dependency %v: %v", id, err)
@@ -51,7 +96,7 @@ func (gap genericArchiveParserAdapter) parsePomXML(ctx context.Context, fileReso
 		pkgs = append(pkgs, *p)
 	}
 
-	return pkgs, nil, nil
+	return pkgs
 }
 
 func newPomProject(ctx context.Context, r *mavenResolver, path string, pom *gopom.Project) *pkg.JavaPomProject {
diff --git a/syft/pkg/cataloger/java/parse_pom_xml_test.go b/syft/pkg/cataloger/java/parse_pom_xml_test.go
index 2806324ab5e..201bbf2496c 100644
--- a/syft/pkg/cataloger/java/parse_pom_xml_test.go
+++ b/syft/pkg/cataloger/java/parse_pom_xml_test.go
@@ -21,11 +21,11 @@ import (
 
 func Test_parsePomXML(t *testing.T) {
 	tests := []struct {
-		input    string
+		dir      string
 		expected []pkg.Package
 	}{
 		{
-			input: "test-fixtures/pom/pom.xml",
+			dir: "test-fixtures/pom/local/example-java-app-maven",
 			expected: []pkg.Package{
 				{
 					Name:     "joda-time",
@@ -59,19 +59,19 @@ func Test_parsePomXML(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		t.Run(test.input, func(t *testing.T) {
+		t.Run(test.dir, func(t *testing.T) {
 			for i := range test.expected {
-				test.expected[i].Locations.Add(file.NewLocation(test.input))
+				test.expected[i].Locations.Add(file.NewLocation("pom.xml"))
 			}
 
-			gap := newGenericArchiveParserAdapter(ArchiveCatalogerConfig{
+			cat := NewPomCataloger(ArchiveCatalogerConfig{
 				ArchiveSearchConfig: cataloging.ArchiveSearchConfig{
 					IncludeIndexedArchives:   true,
 					IncludeUnindexedArchives: true,
 				},
 			})
 
-			pkgtest.TestFileParser(t, test.input, gap.parsePomXML, test.expected, nil)
+			pkgtest.TestCataloger(t, test.dir, cat, test.expected, nil)
 		})
 	}
 }
@@ -132,30 +132,30 @@ func Test_decodePomXML_surviveNonUtf8Encoding(t *testing.T) {
 
 func Test_parseCommonsTextPomXMLProject(t *testing.T) {
 	tests := []struct {
-		input    string
+		dir      string
 		expected []pkg.Package
 	}{
 		{
-			input: "test-fixtures/pom/commons-text.pom.xml",
+			dir: "test-fixtures/pom/local/commons-text-1.10.0",
 
 			expected: getCommonsTextExpectedPackages(),
 		},
 	}
 
 	for _, test := range tests {
-		t.Run(test.input, func(t *testing.T) {
+		t.Run(test.dir, func(t *testing.T) {
 			for i := range test.expected {
-				test.expected[i].Locations.Add(file.NewLocation(test.input))
+				test.expected[i].Locations.Add(file.NewLocation("pom.xml"))
 			}
 
-			gap := newGenericArchiveParserAdapter(ArchiveCatalogerConfig{
+			cat := NewPomCataloger(ArchiveCatalogerConfig{
 				ArchiveSearchConfig: cataloging.ArchiveSearchConfig{
 					IncludeIndexedArchives:   true,
 					IncludeUnindexedArchives: true,
 				},
 				UseMavenLocalRepository: false,
 			})
-			pkgtest.TestFileParser(t, test.input, gap.parsePomXML, test.expected, nil)
+			pkgtest.TestCataloger(t, test.dir, cat, test.expected, nil)
 		})
 	}
 }
@@ -180,22 +180,22 @@ func Test_parseCommonsTextPomXMLProjectWithLocalRepository(t *testing.T) {
 	}
 
 	tests := []struct {
-		input    string
+		dir      string
 		expected []pkg.Package
 	}{
 		{
-			input:    "test-fixtures/pom/commons-text.pom.xml",
+			dir:      "test-fixtures/pom/local/commons-text-1.10.0",
 			expected: expectedPackages,
 		},
 	}
 
 	for _, test := range tests {
-		t.Run(test.input, func(t *testing.T) {
+		t.Run(test.dir, func(t *testing.T) {
 			for i := range test.expected {
-				test.expected[i].Locations.Add(file.NewLocation(test.input))
+				test.expected[i].Locations.Add(file.NewLocation("pom.xml"))
 			}
 
-			gap := newGenericArchiveParserAdapter(ArchiveCatalogerConfig{
+			cat := NewPomCataloger(ArchiveCatalogerConfig{
 				ArchiveSearchConfig: cataloging.ArchiveSearchConfig{
 					IncludeIndexedArchives:   true,
 					IncludeUnindexedArchives: true,
@@ -204,7 +204,7 @@ func Test_parseCommonsTextPomXMLProjectWithLocalRepository(t *testing.T) {
 				MavenLocalRepositoryDir: "test-fixtures/pom/maven-repo",
 				MaxParentRecursiveDepth: 5,
 			})
-			pkgtest.TestFileParser(t, test.input, gap.parsePomXML, test.expected, nil)
+			pkgtest.TestCataloger(t, test.dir, cat, test.expected, nil)
 		})
 	}
 }
@@ -231,22 +231,22 @@ func Test_parseCommonsTextPomXMLProjectWithNetwork(t *testing.T) {
 	}
 
 	tests := []struct {
-		input    string
+		dir      string
 		expected []pkg.Package
 	}{
 		{
-			input:    "test-fixtures/pom/commons-text.pom.xml",
+			dir:      "test-fixtures/pom/local/commons-text-1.10.0",
 			expected: expectedPackages,
 		},
 	}
 
 	for _, test := range tests {
-		t.Run(test.input, func(t *testing.T) {
+		t.Run(test.dir, func(t *testing.T) {
 			for i := range test.expected {
-				test.expected[i].Locations.Add(file.NewLocation(test.input))
+				test.expected[i].Locations.Add(file.NewLocation("pom.xml"))
 			}
 
-			gap := newGenericArchiveParserAdapter(ArchiveCatalogerConfig{
+			cat := NewPomCataloger(ArchiveCatalogerConfig{
 				ArchiveSearchConfig: cataloging.ArchiveSearchConfig{
 					IncludeIndexedArchives:   true,
 					IncludeUnindexedArchives: true,
@@ -256,7 +256,7 @@ func Test_parseCommonsTextPomXMLProjectWithNetwork(t *testing.T) {
 				UseMavenLocalRepository: false,
 				MaxParentRecursiveDepth: 5,
 			})
-			pkgtest.TestFileParser(t, test.input, gap.parsePomXML, test.expected, nil)
+			pkgtest.TestCataloger(t, test.dir, cat, test.expected, nil)
 		})
 	}
 }
@@ -334,7 +334,7 @@ func Test_parsePomXMLProject(t *testing.T) {
 			pom, err := gopom.ParseFromReader(fixture)
 			require.NoError(t, err)
 
-			actual := newPomProject(context.Background(), &r, fixture.Name(), pom)
+			actual := newPomProject(context.Background(), r, fixture.Name(), pom)
 			assert.NoError(t, err)
 			assert.Equal(t, test.project, actual)
 
@@ -400,7 +400,7 @@ func Test_pomParent(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			r := newMavenResolver(nil, DefaultArchiveCatalogerConfig())
-			assert.Equal(t, test.expected, pomParent(context.Background(), &r, &gopom.Project{Parent: test.input}))
+			assert.Equal(t, test.expected, pomParent(context.Background(), r, &gopom.Project{Parent: test.input}))
 		})
 	}
 }
diff --git a/syft/pkg/cataloger/java/test-fixtures/pom/commons-text.pom.xml b/syft/pkg/cataloger/java/test-fixtures/pom/commons-text.pom.xml
deleted file mode 100644
index 6f54a6ed6b1..00000000000
--- a/syft/pkg/cataloger/java/test-fixtures/pom/commons-text.pom.xml
+++ /dev/null
@@ -1,575 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements.  See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <parent>
-        <groupId>org.apache.commons</groupId>
-        <artifactId>commons-parent</artifactId>
-        <version>54</version>
-    </parent>
-    <artifactId>commons-text</artifactId>
-    <version>1.10.0</version>
-    <name>Apache Commons Text</name>
-    <description>Apache Commons Text is a library focused on algorithms working on strings.</description>
-    <url>https://commons.apache.org/proper/commons-text</url>
-
-    <properties>
-        <project.build.sourceEncoding>ISO-8859-1</project.build.sourceEncoding>
-        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-        <maven.compiler.source>1.8</maven.compiler.source>
-        <maven.compiler.target>1.8</maven.compiler.target>
-
-        <commons.componentid>text</commons.componentid>
-        <commons.module.name>org.apache.commons.text</commons.module.name>
-
-        <commons.release.version>1.10.0</commons.release.version>
-        <commons.release.desc>(Java 8+)</commons.release.desc>
-
-        <commons.jira.id>TEXT</commons.jira.id>
-        <commons.jira.pid>12318221</commons.jira.pid>
-
-        <commons.site.path>text</commons.site.path>
-        <commons.scmPubUrl>https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-text</commons.scmPubUrl>
-        <commons.scmPubCheckoutDirectory>site-content</commons.scmPubCheckoutDirectory>
-
-        <commons.junit.version>5.9.1</commons.junit.version>
-        <checkstyle.plugin.version>3.2.0</checkstyle.plugin.version>
-        <checkstyle.version>9.3</checkstyle.version>
-
-        <commons.spotbugs.plugin.version>4.7.2.0</commons.spotbugs.plugin.version>
-        <commons.spotbugs.impl.version>4.7.2</commons.spotbugs.impl.version>
-        <commons.pmd.version>3.19.0</commons.pmd.version>
-        <commons.pmd-impl.version>6.49.0</commons.pmd-impl.version>
-
-        <commons.mockito.version>4.8.0</commons.mockito.version>
-        <commons.jacoco.version>0.8.8</commons.jacoco.version>
-
-        <!-- apache-rat-plugin 0.13 and jdepend-maven-plugin 2.0 both fail with LinkageError when generating reports
-        with maven site plugin 3.11+. However, javadoc 3.4.0+ fails with site plugin versions lower than 3.11. So, we'll
-        use slightly older site and javadoc versions here in order to be able to generate all reports. -->
-        <commons.site-plugin.version>3.10.0</commons.site-plugin.version>
-        <commons.javadoc.version>3.4.1</commons.javadoc.version>
-
-        <!-- 22.1.0 requires Java 11 -->
-        <graalvm.version>22.0.0.2</graalvm.version>
-        <commons.rng.version>1.4</commons.rng.version>
-
-        <commons.japicmp.version>0.16.0</commons.japicmp.version>
-        <japicmp.skip>false</japicmp.skip>
-
-        <jmh.version>1.35</jmh.version>
-        <commons.project-info.version>3.1.2</commons.project-info.version>
-
-        <!-- Commons Release Plugin -->
-        <commons.bc.version>1.9</commons.bc.version>
-        <commons.rc.version>RC1</commons.rc.version>
-        <commons.release.isDistModule>true</commons.release.isDistModule>
-        <commons.distSvnStagingUrl>scm:svn:https://dist.apache.org/repos/dist/dev/commons/${commons.componentid}</commons.distSvnStagingUrl>
-        <commons.releaseManagerName>Gary Gregory</commons.releaseManagerName>
-        <commons.releaseManagerKey>86fdc7e2a11262cb</commons.releaseManagerKey>
-    </properties>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-lang3</artifactId>
-            <version>3.12.0</version>
-        </dependency>
-        <!-- testing -->
-        <dependency>
-            <groupId>org.junit.jupiter</groupId>
-            <artifactId>junit-jupiter</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.assertj</groupId>
-            <artifactId>assertj-core</artifactId>
-            <version>3.23.1</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-            <version>2.11.0</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.mockito</groupId>
-            <!--  Use mockito-inline instead of mockito-core to mock and spy on final classes. -->
-            <artifactId>mockito-inline</artifactId>
-            <version>${commons.mockito.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.graalvm.js</groupId>
-            <artifactId>js</artifactId>
-            <version>${graalvm.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.graalvm.js</groupId>
-            <artifactId>js-scriptengine</artifactId>
-            <version>${graalvm.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-rng-simple</artifactId>
-            <version>${commons.rng.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.openjdk.jmh</groupId>
-            <artifactId>jmh-core</artifactId>
-            <version>${jmh.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.openjdk.jmh</groupId>
-            <artifactId>jmh-generator-annprocess</artifactId>
-            <version>${jmh.version}</version>
-            <scope>test</scope>
-        </dependency>
-    </dependencies>
-
-    <build>
-        <defaultGoal>clean verify apache-rat:check japicmp:cmp checkstyle:check spotbugs:check javadoc:javadoc</defaultGoal>
-        <pluginManagement>
-            <plugins>
-                <plugin>
-                    <groupId>org.apache.rat</groupId>
-                    <artifactId>apache-rat-plugin</artifactId>
-                    <configuration>
-                        <excludes>
-                            <exclude>site-content/**</exclude>
-                            <exclude>src/site/resources/download_lang.cgi</exclude>
-                            <exclude>src/test/resources/org/apache/commons/text/stringEscapeUtilsTestData.txt</exclude>
-                            <exclude>src/test/resources/org/apache/commons/text/lcs-perf-analysis-inputs.csv</exclude>
-                            <exclude>src/site/resources/release-notes/RELEASE-NOTES-*.txt</exclude>
-                        </excludes>
-                    </configuration>
-                </plugin><!-- override skip property of parent pom -->
-                <plugin>
-                    <artifactId>maven-pmd-plugin</artifactId>
-                    <version>${commons.pmd.version}</version>
-                    <configuration>
-                        <targetJdk>${maven.compiler.target}</targetJdk>
-                    </configuration>
-                    <dependencies>
-                        <dependency>
-                            <groupId>net.sourceforge.pmd</groupId>
-                            <artifactId>pmd-core</artifactId>
-                            <version>${commons.pmd-impl.version}</version>
-                        </dependency>
-                        <dependency>
-                            <groupId>net.sourceforge.pmd</groupId>
-                            <artifactId>pmd-java</artifactId>
-                            <version>${commons.pmd-impl.version}</version>
-                        </dependency>
-                        <dependency>
-                            <groupId>net.sourceforge.pmd</groupId>
-                            <artifactId>pmd-javascript</artifactId>
-                            <version>${commons.pmd-impl.version}</version>
-                        </dependency>
-                        <dependency>
-                            <groupId>net.sourceforge.pmd</groupId>
-                            <artifactId>pmd-jsp</artifactId>
-                            <version>${commons.pmd-impl.version}</version>
-                        </dependency>
-                    </dependencies>
-                </plugin>
-            </plugins>
-        </pluginManagement>
-        <plugins>
-            <plugin>
-                <artifactId>maven-checkstyle-plugin</artifactId>
-                <version>${checkstyle.plugin.version}</version>
-                <configuration>
-                    <enableRulesSummary>false</enableRulesSummary>
-                    <configLocation>src/conf/checkstyle.xml</configLocation>
-                    <headerLocation>src/conf/checkstyle-header.txt</headerLocation>
-                    <suppressionsLocation>src/conf/checkstyle-suppressions.xml</suppressionsLocation>
-                    <suppressionsFileExpression>src/conf/checkstyle-suppressions.xml</suppressionsFileExpression>
-                    <includeTestSourceDirectory>true</includeTestSourceDirectory>
-                    <excludes>**/generated/**.java,**/jmh_generated/**.java</excludes>
-                </configuration>
-                <dependencies>
-                    <dependency>
-                        <groupId>com.puppycrawl.tools</groupId>
-                        <artifactId>checkstyle</artifactId>
-                        <version>${checkstyle.version}</version>
-                    </dependency>
-                </dependencies>
-            </plugin>
-            <plugin>
-                <groupId>com.github.spotbugs</groupId>
-                <artifactId>spotbugs-maven-plugin</artifactId>
-                <version>${commons.spotbugs.plugin.version}</version>
-                <dependencies>
-                    <dependency>
-                        <groupId>com.github.spotbugs</groupId>
-                        <artifactId>spotbugs</artifactId>
-                        <version>${commons.spotbugs.impl.version}</version>
-                    </dependency>
-                </dependencies>
-                <configuration>
-                    <excludeFilterFile>src/conf/spotbugs-exclude-filter.xml</excludeFilterFile>
-                </configuration>
-            </plugin>
-            <plugin>
-                <artifactId>maven-assembly-plugin</artifactId>
-                <configuration>
-                    <descriptors>
-                        <descriptor>src/assembly/bin.xml</descriptor>
-                        <descriptor>src/assembly/src.xml</descriptor>
-                    </descriptors>
-                    <tarLongFileMode>gnu</tarLongFileMode>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-jar-plugin</artifactId>
-                <executions>
-                    <execution>
-                        <goals>
-                            <goal>test-jar</goal>
-                        </goals>
-                    </execution>
-                </executions>
-                <configuration>
-                    <archive combine.children="append">
-                        <manifestEntries>
-                            <Automatic-Module-Name>${commons.module.name}</Automatic-Module-Name>
-                        </manifestEntries>
-                    </archive>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-scm-publish-plugin</artifactId>
-                <configuration>
-                    <ignorePathsToDelete>
-                        <ignorePathToDelete>javadocs</ignorePathToDelete>
-                    </ignorePathsToDelete>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-javadoc-plugin</artifactId>
-                <configuration>
-                    <source>${maven.compiler.source}</source>
-                </configuration>
-            </plugin>
-        </plugins>
-    </build>
-
-    <reporting>
-        <plugins>
-            <plugin>
-                <artifactId>maven-checkstyle-plugin</artifactId>
-                <version>${checkstyle.plugin.version}</version>
-                <configuration>
-                    <enableRulesSummary>false</enableRulesSummary>
-                    <configLocation>src/conf/checkstyle.xml</configLocation>
-                    <headerLocation>src/conf/checkstyle-header.txt</headerLocation>
-                    <suppressionsLocation>src/conf/checkstyle-suppressions.xml</suppressionsLocation>
-                    <suppressionsFileExpression>src/conf/checkstyle-suppressions.xml</suppressionsFileExpression>
-                    <includeTestSourceDirectory>true</includeTestSourceDirectory>
-                    <excludes>**/generated/**.java,**/jmh_generated/**.java</excludes>
-                </configuration>
-                <reportSets>
-                    <reportSet>
-                        <reports>
-                            <report>checkstyle</report>
-                        </reports>
-                    </reportSet>
-                </reportSets>
-            </plugin>
-            <!-- Requires setting 'export MAVEN_OPTS="-Xmx512m" ' -->
-            <plugin>
-                <groupId>com.github.spotbugs</groupId>
-                <artifactId>spotbugs-maven-plugin</artifactId>
-                <version>${commons.spotbugs.plugin.version}</version>
-                <configuration>
-                    <excludeFilterFile>src/conf/spotbugs-exclude-filter.xml</excludeFilterFile>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>com.github.siom79.japicmp</groupId>
-                <artifactId>japicmp-maven-plugin</artifactId>
-            </plugin>
-            <plugin>
-                <artifactId>maven-pmd-plugin</artifactId>
-                <version>3.19.0</version>
-                <configuration>
-                    <targetJdk>${maven.compiler.target}</targetJdk>
-                </configuration>
-                <reportSets>
-                    <reportSet>
-                        <reports>
-                            <report>pmd</report>
-                            <report>cpd</report>
-                        </reports>
-                    </reportSet>
-                </reportSets>
-            </plugin>
-            <plugin>
-                <groupId>org.codehaus.mojo</groupId>
-                <artifactId>taglist-maven-plugin</artifactId>
-                <version>3.0.0</version>
-                <configuration>
-                    <tagListOptions>
-                        <tagClasses>
-                            <tagClass>
-                                <displayName>Needs Work</displayName>
-                                <tags>
-                                    <tag>
-                                        <matchString>TODO</matchString>
-                                        <matchType>exact</matchType>
-                                    </tag>
-                                    <tag>
-                                        <matchString>FIXME</matchString>
-                                        <matchType>exact</matchType>
-                                    </tag>
-                                    <tag>
-                                        <matchString>XXX</matchString>
-                                        <matchType>exact</matchType>
-                                    </tag>
-                                </tags>
-                            </tagClass>
-                            <tagClass>
-                                <displayName>Noteable Markers</displayName>
-                                <tags>
-                                    <tag>
-                                        <matchString>NOTE</matchString>
-                                        <matchType>exact</matchType>
-                                    </tag>
-                                    <tag>
-                                        <matchString>NOPMD</matchString>
-                                        <matchType>exact</matchType>
-                                    </tag>
-                                    <tag>
-                                        <matchString>NOSONAR</matchString>
-                                        <matchType>exact</matchType>
-                                    </tag>
-                                </tags>
-                            </tagClass>
-                        </tagClasses>
-                    </tagListOptions>
-                </configuration>
-            </plugin>
-        </plugins>
-    </reporting>
-
-    <inceptionYear>2014</inceptionYear>
-
-    <developers>
-        <developer>
-            <id>kinow</id>
-            <name>Bruno P. Kinoshita</name>
-            <email>kinow@apache.org</email>
-        </developer>
-        <developer>
-            <id>britter</id>
-            <name>Benedikt Ritter</name>
-            <email>britter@apache.org</email>
-        </developer>
-        <developer>
-            <id>chtompki</id>
-            <name>Rob Tompkins</name>
-            <email>chtompki@apache.org</email>
-        </developer>
-        <developer>
-            <id>ggregory</id>
-            <name>Gary Gregory</name>
-            <email>ggregory at apache.org</email>
-            <url>https://www.garygregory.com</url>
-            <organization>The Apache Software Foundation</organization>
-            <organizationUrl>https://www.apache.org/</organizationUrl>
-            <roles>
-                <role>PMC Member</role>
-            </roles>
-            <timezone>America/New_York</timezone>
-            <properties>
-                <picUrl>https://people.apache.org/~ggregory/img/garydgregory80.png</picUrl>
-            </properties>
-        </developer>
-        <developer>
-            <id>djones</id>
-            <name>Duncan Jones</name>
-            <email>djones@apache.org</email>
-        </developer>
-    </developers>
-
-    <contributors>
-        <contributor>
-            <name>Don Jeba</name>
-            <email>donjeba@yahoo.com</email>
-        </contributor>
-        <contributor>
-            <name>Sampanna Kahu</name>
-        </contributor>
-        <contributor>
-            <name>Jarek Strzelecki</name>
-        </contributor>
-        <contributor>
-            <name>Lee Adcock</name>
-        </contributor>
-        <contributor>
-            <name>Amey Jadiye</name>
-            <email>ameyjadiye@gmail.com</email>
-        </contributor>
-        <contributor>
-            <name>Arun Vinud S S</name>
-        </contributor>
-        <contributor>
-            <name>Ioannis Sermetziadis</name>
-        </contributor>
-        <contributor>
-            <name>Jostein Tveit</name>
-        </contributor>
-        <contributor>
-            <name>Luciano Medallia</name>
-        </contributor>
-        <contributor>
-            <name>Jan Martin Keil</name>
-        </contributor>
-        <contributor>
-            <name>Nandor Kollar</name>
-        </contributor>
-        <contributor>
-            <name>Nick Wong</name>
-        </contributor>
-        <contributor>
-            <name>Ali Ghanbari</name>
-            <url>https://ali-ghanbari.github.io/</url>
-        </contributor>
-    </contributors>
-
-    <scm>
-        <connection>scm:git:https://gitbox.apache.org/repos/asf/commons-text</connection>
-        <developerConnection>scm:git:https://gitbox.apache.org/repos/asf/commons-text</developerConnection>
-        <url>https://gitbox.apache.org/repos/asf?p=commons-text.git</url>
-    </scm>
-
-    <issueManagement>
-        <system>jira</system>
-        <url>https://issues.apache.org/jira/browse/TEXT</url>
-    </issueManagement>
-
-    <distributionManagement>
-        <site>
-            <id>apache.website</id>
-            <name>Apache Commons Site</name>
-            <url>scm:svn:https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-text/</url>
-        </site>
-    </distributionManagement>
-
-    <profiles>
-        <profile>
-            <id>setup-checkout</id>
-            <activation>
-                <file>
-                    <missing>site-content</missing>
-                </file>
-            </activation>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-antrun-plugin</artifactId>
-                        <executions>
-                            <execution>
-                                <id>prepare-checkout</id>
-                                <goals>
-                                    <goal>run</goal>
-                                </goals>
-                                <phase>pre-site</phase>
-                                <configuration>
-                                    <target>
-                                        <exec executable="svn">
-                                            <arg line="checkout --depth immediates ${commons.scmPubUrl} ${commons.scmPubCheckoutDirectory}"/>
-                                        </exec>
-                                        <exec executable="svn">
-                                            <arg line="update --set-depth exclude ${commons.scmPubCheckoutDirectory}/javadocs"/>
-                                        </exec>
-                                        <pathconvert pathsep=" " property="dirs">
-                                            <dirset dir="${commons.scmPubCheckoutDirectory}" includes="*"/>
-                                        </pathconvert>
-                                        <exec executable="svn">
-                                            <arg line="update --set-depth infinity ${dirs}"/>
-                                        </exec>
-                                    </target>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-        <profile>
-            <id>java9+</id>
-            <activation>
-                <jdk>[9,)</jdk>
-            </activation>
-            <properties>
-                <!-- coverall version 4.3.0 does not work with java 9+, see https://github.com/trautonen/coveralls-maven-plugin/issues/112 -->
-                <coveralls.skip>true</coveralls.skip>
-            </properties>
-        </profile>
-        <profile>
-            <id>benchmark</id>
-            <properties>
-                <skipTests>true</skipTests>
-                <benchmark>org.apache</benchmark>
-            </properties>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.codehaus.mojo</groupId>
-                        <artifactId>exec-maven-plugin</artifactId>
-                        <version>3.1.0</version>
-                        <executions>
-                            <execution>
-                                <id>benchmark</id>
-                                <phase>test</phase>
-                                <goals>
-                                    <goal>exec</goal>
-                                </goals>
-                                <configuration>
-                                    <classpathScope>test</classpathScope>
-                                    <executable>java</executable>
-                                    <arguments>
-                                        <argument>-classpath</argument>
-                                        <classpath/>
-                                        <argument>org.openjdk.jmh.Main</argument>
-                                        <argument>-rf</argument>
-                                        <argument>json</argument>
-                                        <argument>-rff</argument>
-                                        <argument>target/jmh-result.${benchmark}.json</argument>
-                                        <argument>${benchmark}</argument>
-                                    </arguments>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-    </profiles>
-</project>
\ No newline at end of file
diff --git a/syft/pkg/cataloger/java/test-fixtures/pom/relative/child-1/pom.xml b/syft/pkg/cataloger/java/test-fixtures/pom/local/child-1/pom.xml
similarity index 100%
rename from syft/pkg/cataloger/java/test-fixtures/pom/relative/child-1/pom.xml
rename to syft/pkg/cataloger/java/test-fixtures/pom/local/child-1/pom.xml
diff --git a/syft/pkg/cataloger/java/test-fixtures/pom/local/commons-text-1.10.0/pom.xml b/syft/pkg/cataloger/java/test-fixtures/pom/local/commons-text-1.10.0/pom.xml
new file mode 100644
index 00000000000..e4ad83f1596
--- /dev/null
+++ b/syft/pkg/cataloger/java/test-fixtures/pom/local/commons-text-1.10.0/pom.xml
@@ -0,0 +1,263 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements.  See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-parent</artifactId>
+        <version>54</version>
+    </parent>
+    <artifactId>commons-text</artifactId>
+    <version>1.10.0</version>
+    <name>Apache Commons Text</name>
+    <description>Apache Commons Text is a library focused on algorithms working on strings.</description>
+    <url>https://commons.apache.org/proper/commons-text</url>
+
+    <properties>
+        <project.build.sourceEncoding>ISO-8859-1</project.build.sourceEncoding>
+        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+
+        <commons.componentid>text</commons.componentid>
+        <commons.module.name>org.apache.commons.text</commons.module.name>
+
+        <commons.release.version>1.10.0</commons.release.version>
+        <commons.release.desc>(Java 8+)</commons.release.desc>
+
+        <commons.jira.id>TEXT</commons.jira.id>
+        <commons.jira.pid>12318221</commons.jira.pid>
+
+        <commons.site.path>text</commons.site.path>
+        <commons.scmPubUrl>https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-text</commons.scmPubUrl>
+        <commons.scmPubCheckoutDirectory>site-content</commons.scmPubCheckoutDirectory>
+
+        <commons.junit.version>5.9.1</commons.junit.version>
+        <checkstyle.plugin.version>3.2.0</checkstyle.plugin.version>
+        <checkstyle.version>9.3</checkstyle.version>
+
+        <commons.spotbugs.plugin.version>4.7.2.0</commons.spotbugs.plugin.version>
+        <commons.spotbugs.impl.version>4.7.2</commons.spotbugs.impl.version>
+        <commons.pmd.version>3.19.0</commons.pmd.version>
+        <commons.pmd-impl.version>6.49.0</commons.pmd-impl.version>
+
+        <commons.mockito.version>4.8.0</commons.mockito.version>
+        <commons.jacoco.version>0.8.8</commons.jacoco.version>
+
+        <!-- apache-rat-plugin 0.13 and jdepend-maven-plugin 2.0 both fail with LinkageError when generating reports
+        with maven site plugin 3.11+. However, javadoc 3.4.0+ fails with site plugin versions lower than 3.11. So, we'll
+        use slightly older site and javadoc versions here in order to be able to generate all reports. -->
+        <commons.site-plugin.version>3.10.0</commons.site-plugin.version>
+        <commons.javadoc.version>3.4.1</commons.javadoc.version>
+
+        <!-- 22.1.0 requires Java 11 -->
+        <graalvm.version>22.0.0.2</graalvm.version>
+        <commons.rng.version>1.4</commons.rng.version>
+
+        <commons.japicmp.version>0.16.0</commons.japicmp.version>
+        <japicmp.skip>false</japicmp.skip>
+
+        <jmh.version>1.35</jmh.version>
+        <commons.project-info.version>3.1.2</commons.project-info.version>
+
+        <!-- Commons Release Plugin -->
+        <commons.bc.version>1.9</commons.bc.version>
+        <commons.rc.version>RC1</commons.rc.version>
+        <commons.release.isDistModule>true</commons.release.isDistModule>
+        <commons.distSvnStagingUrl>scm:svn:https://dist.apache.org/repos/dist/dev/commons/${commons.componentid}</commons.distSvnStagingUrl>
+        <commons.releaseManagerName>Gary Gregory</commons.releaseManagerName>
+        <commons.releaseManagerKey>86fdc7e2a11262cb</commons.releaseManagerKey>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.12.0</version>
+        </dependency>
+        <!-- testing -->
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.assertj</groupId>
+            <artifactId>assertj-core</artifactId>
+            <version>3.23.1</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.11.0</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <!--  Use mockito-inline instead of mockito-core to mock and spy on final classes. -->
+            <artifactId>mockito-inline</artifactId>
+            <version>${commons.mockito.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.graalvm.js</groupId>
+            <artifactId>js</artifactId>
+            <version>${graalvm.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.graalvm.js</groupId>
+            <artifactId>js-scriptengine</artifactId>
+            <version>${graalvm.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-rng-simple</artifactId>
+            <version>${commons.rng.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.openjdk.jmh</groupId>
+            <artifactId>jmh-core</artifactId>
+            <version>${jmh.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.openjdk.jmh</groupId>
+            <artifactId>jmh-generator-annprocess</artifactId>
+            <version>${jmh.version}</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <inceptionYear>2014</inceptionYear>
+
+    <scm>
+        <connection>scm:git:https://gitbox.apache.org/repos/asf/commons-text</connection>
+        <developerConnection>scm:git:https://gitbox.apache.org/repos/asf/commons-text</developerConnection>
+        <url>https://gitbox.apache.org/repos/asf?p=commons-text.git</url>
+    </scm>
+
+    <issueManagement>
+        <system>jira</system>
+        <url>https://issues.apache.org/jira/browse/TEXT</url>
+    </issueManagement>
+
+    <distributionManagement>
+        <site>
+            <id>apache.website</id>
+            <name>Apache Commons Site</name>
+            <url>scm:svn:https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-text/</url>
+        </site>
+    </distributionManagement>
+
+    <profiles>
+        <profile>
+            <id>setup-checkout</id>
+            <activation>
+                <file>
+                    <missing>site-content</missing>
+                </file>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-antrun-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>prepare-checkout</id>
+                                <goals>
+                                    <goal>run</goal>
+                                </goals>
+                                <phase>pre-site</phase>
+                                <configuration>
+                                    <target>
+                                        <exec executable="svn">
+                                            <arg line="checkout --depth immediates ${commons.scmPubUrl} ${commons.scmPubCheckoutDirectory}"/>
+                                        </exec>
+                                        <exec executable="svn">
+                                            <arg line="update --set-depth exclude ${commons.scmPubCheckoutDirectory}/javadocs"/>
+                                        </exec>
+                                        <pathconvert pathsep=" " property="dirs">
+                                            <dirset dir="${commons.scmPubCheckoutDirectory}" includes="*"/>
+                                        </pathconvert>
+                                        <exec executable="svn">
+                                            <arg line="update --set-depth infinity ${dirs}"/>
+                                        </exec>
+                                    </target>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+        <profile>
+            <id>java9+</id>
+            <activation>
+                <jdk>[9,)</jdk>
+            </activation>
+            <properties>
+                <!-- coverall version 4.3.0 does not work with java 9+, see https://github.com/trautonen/coveralls-maven-plugin/issues/112 -->
+                <coveralls.skip>true</coveralls.skip>
+            </properties>
+        </profile>
+        <profile>
+            <id>benchmark</id>
+            <properties>
+                <skipTests>true</skipTests>
+                <benchmark>org.apache</benchmark>
+            </properties>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.codehaus.mojo</groupId>
+                        <artifactId>exec-maven-plugin</artifactId>
+                        <version>3.1.0</version>
+                        <executions>
+                            <execution>
+                                <id>benchmark</id>
+                                <phase>test</phase>
+                                <goals>
+                                    <goal>exec</goal>
+                                </goals>
+                                <configuration>
+                                    <classpathScope>test</classpathScope>
+                                    <executable>java</executable>
+                                    <arguments>
+                                        <argument>-classpath</argument>
+                                        <classpath/>
+                                        <argument>org.openjdk.jmh.Main</argument>
+                                        <argument>-rf</argument>
+                                        <argument>json</argument>
+                                        <argument>-rff</argument>
+                                        <argument>target/jmh-result.${benchmark}.json</argument>
+                                        <argument>${benchmark}</argument>
+                                    </arguments>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
+</project>
\ No newline at end of file
diff --git a/syft/pkg/cataloger/java/test-fixtures/pom/pom.xml b/syft/pkg/cataloger/java/test-fixtures/pom/local/example-java-app-maven/pom.xml
similarity index 100%
rename from syft/pkg/cataloger/java/test-fixtures/pom/pom.xml
rename to syft/pkg/cataloger/java/test-fixtures/pom/local/example-java-app-maven/pom.xml
diff --git a/syft/pkg/cataloger/java/test-fixtures/pom/relative/parent-1/pom.xml b/syft/pkg/cataloger/java/test-fixtures/pom/local/parent-1/pom.xml
similarity index 98%
rename from syft/pkg/cataloger/java/test-fixtures/pom/relative/parent-1/pom.xml
rename to syft/pkg/cataloger/java/test-fixtures/pom/local/parent-1/pom.xml
index 69ff49eff0c..4a6d1f323c2 100644
--- a/syft/pkg/cataloger/java/test-fixtures/pom/relative/parent-1/pom.xml
+++ b/syft/pkg/cataloger/java/test-fixtures/pom/local/parent-1/pom.xml
@@ -9,7 +9,6 @@
         <relativePath>../parent-2/pom.xml</relativePath>
     </parent>
 
-    <groupId>my.org</groupId>
     <artifactId>parent-one</artifactId>
     <version>3.11.0</version>
     <packaging>pom</packaging>
diff --git a/syft/pkg/cataloger/java/test-fixtures/pom/relative/parent-2/pom.xml b/syft/pkg/cataloger/java/test-fixtures/pom/local/parent-2/pom.xml
similarity index 100%
rename from syft/pkg/cataloger/java/test-fixtures/pom/relative/parent-2/pom.xml
rename to syft/pkg/cataloger/java/test-fixtures/pom/local/parent-2/pom.xml