anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Scanning a source tree with duplicate conanfile.txt dependencies generates multiple components #3403

Open jkugler opened 6 days ago

jkugler commented 6 days ago

What happened: Syft found two identical dependencies in two different conanfile.txt files found in the source tree. This generated two Components in the CycloneDX SBOM that are identical in every way except for their bom-ref and syft:location:0:path.

What you expected to happen: I would expect it would create one component and then generate multiple entries in the properties like so:

      "properties": [
        {
          "name": "syft:location:0:path",
          "value": "/path/to/first/conanfile.txt"
        },
        {
          "name": "syft:location:1:path",
          "value": "/path/to/second/conanfile.txt"
        }
      ]

Steps to reproduce the issue: Create two conanfile.txt files and put them in two different locations in your source tree, and add these contents:

[requires]
libtiff/4.1.0

Then run syft scan dir:source_dir/ --output cyclonedx-json=example.json

Anything else we need to know?: This is similar to https://github.com/anchore/syft/issues/1162 but has to do with source trees and not scanning Docker containers.

Environment:

FYI: This issue was filed on behalf of Adobe.
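As an added illustration of the expected output described above (this is example code, not part of the issue, and not syft's own code), the script below post-processes a CycloneDX JSON SBOM and merges components that share the same identity, collecting their `syft:location:N:path` properties into one component. Assumptions: a component's identity is its `purl` (falling back to type/name/version), the property names follow the `syft:location:<index>:<field>` pattern shown in the issue, and the `bom-ref` values and sample SBOM are constructed for the demonstration. Dependency entries that referenced a dropped `bom-ref` are rewritten to the surviving one.

```python
"""Merge duplicate CycloneDX components that differ only in bom-ref and location."""
import json
import re
import sys
from collections import OrderedDict

# Constructed sample SBOM (not real syft output): the same conan package found in
# two conanfile.txt files, plus a second package and one dependency edge.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "bom-ref": "pkg:conan/libtiff@4.1.0?package-id=aaaa1111",  # constructed
            "type": "library", "name": "libtiff", "version": "4.1.0",
            "purl": "pkg:conan/libtiff@4.1.0",
            "properties": [
                {"name": "syft:package:type", "value": "conan"},
                {"name": "syft:location:0:path", "value": "/path/to/first/conanfile.txt"},
            ],
        },
        {
            "bom-ref": "pkg:conan/libtiff@4.1.0?package-id=bbbb2222",  # constructed
            "type": "library", "name": "libtiff", "version": "4.1.0",
            "purl": "pkg:conan/libtiff@4.1.0",
            "properties": [
                {"name": "syft:package:type", "value": "conan"},
                {"name": "syft:location:0:path", "value": "/path/to/second/conanfile.txt"},
            ],
        },
        {
            "bom-ref": "pkg:conan/zlib@1.2.11?package-id=cccc3333",  # constructed
            "type": "library", "name": "zlib", "version": "1.2.11",
            "purl": "pkg:conan/zlib@1.2.11",
            "properties": [
                {"name": "syft:location:0:path", "value": "/path/to/second/conanfile.txt"},
            ],
        },
    ],
    "dependencies": [
        {"ref": "pkg:conan/libtiff@4.1.0?package-id=bbbb2222",
         "dependsOn": ["pkg:conan/zlib@1.2.11?package-id=cccc3333"]},
    ],
}

LOCATION_RE = re.compile(r"^syft:location:(\d+):(.+)$")


def identity(component):
    """Two components are the same package if they share a purl (or type/name/version)."""
    return component.get("purl") or (
        component.get("type"), component.get("name"), component.get("version"))


def split_properties(props):
    """Separate syft:location:N:* properties (grouped by N) from all other properties."""
    locations, others = {}, []
    for prop in props:
        m = LOCATION_RE.match(prop["name"])
        if m:
            locations.setdefault(int(m.group(1)), {})[m.group(2)] = prop["value"]
        else:
            others.append(prop)
    return [locations[i] for i in sorted(locations)], others


def build_properties(locations, others):
    """Re-emit location properties with contiguous indices after the other properties."""
    props = list(others)
    for i, loc in enumerate(locations):
        for field, value in loc.items():
            props.append({"name": f"syft:location:{i}:{field}", "value": value})
    return props


def rewrite_dependencies(deps, ref_map):
    """Point dependency edges at surviving bom-refs, merging entries that collapse together."""
    merged = OrderedDict()
    for dep in deps:
        ref = ref_map.get(dep["ref"], dep["ref"])
        entry = merged.setdefault(ref, {"ref": ref, "dependsOn": []})
        for target in dep.get("dependsOn", []):
            target = ref_map.get(target, target)
            if target != ref and target not in entry["dependsOn"]:
                entry["dependsOn"].append(target)
    return list(merged.values())


def merge_components(bom):
    """Return a copy of `bom` with duplicate components merged; the input is not modified."""
    merged, ref_map = OrderedDict(), {}
    for comp in bom.get("components", []):
        locs, others = split_properties(comp.get("properties", []))
        key = identity(comp)
        if key not in merged:
            merged[key] = (dict(comp), locs, others)  # first occurrence keeps its bom-ref
            continue
        keep, keep_locs, keep_others = merged[key]
        ref_map[comp["bom-ref"]] = keep["bom-ref"]
        keep_locs.extend(loc for loc in locs if loc not in keep_locs)
        keep_others.extend(p for p in others if p not in keep_others)
    components = []
    for comp, locs, others in merged.values():
        comp["properties"] = build_properties(locs, others)
        components.append(comp)
    out = dict(bom)
    out["components"] = components
    out["dependencies"] = rewrite_dependencies(bom.get("dependencies", []), ref_map)
    return out


if __name__ == "__main__":
    # Usage: python merge_sbom.py example.json > merged.json (falls back to the sample).
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BOM
    json.dump(merge_components(bom), sys.stdout, indent=2)
```

On the constructed sample, the two `libtiff` entries collapse into one component carrying `syft:location:0:path` and `syft:location:1:path`, and the dependency edge that pointed at the dropped `bom-ref` is moved to the surviving one.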

jkugler commented 6 days ago

This may also be related to https://github.com/anchore/syft/issues/3131