From e56abe9d60b028c3cdb7e10050b93ccce54d120a Mon Sep 17 00:00:00 2001
From: Sambhav Kothari
Date: Thu, 24 Mar 2022 00:35:24 +0530
Subject: [PATCH 1/4] Ensure that all cyclonedx components have bom-refs

Signed-off-by: Sambhav Kothari
---
 .../formats/common/cyclonedxhelpers/component.go  | 12 +++++++++++-
 .../snapshot/TestCycloneDxDirectoryEncoder.golden |  6 ++++--
 .../snapshot/TestCycloneDxImageEncoder.golden     |  6 ++++--
 .../snapshot/TestCycloneDxDirectoryEncoder.golden |  8 ++++----
 .../snapshot/TestCycloneDxImageEncoder.golden     |  8 ++++----
 5 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/internal/formats/common/cyclonedxhelpers/component.go b/internal/formats/common/cyclonedxhelpers/component.go
index 949d6d004d0..b2feda339bb 100644
--- a/internal/formats/common/cyclonedxhelpers/component.go
+++ b/internal/formats/common/cyclonedxhelpers/component.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/CycloneDX/cyclonedx-go"
 
+	"github.com/anchore/packageurl-go"
 	"github.com/anchore/syft/internal/formats/common"
 	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/syft/syft/source"
@@ -25,7 +26,15 @@ func encodeComponent(p pkg.Package) cyclonedx.Component {
 	if len(props) > 0 {
 		properties = &props
 	}
-
+	bomRef := string(p.ID())
+	// try and parse the PURL if possible and append syft id to it, to make
+	// the purl unique in the BOM.
+	// TODO: In the future we may want to dedupe by PURL and combine components with
+	// the same PURL while preserving their unique metadata.
+	if parsedPURL, err := packageurl.FromString(p.PURL); err == nil {
+		parsedPURL.Qualifiers = append(parsedPURL.Qualifiers, packageurl.Qualifier{Key: "syft-id", Value: string(p.ID())})
+		bomRef = parsedPURL.ToString()
+	}
 	return cyclonedx.Component{
 		Type: cyclonedx.ComponentTypeLibrary,
 		Name: p.Name,
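Review bot: The added branch appends a `syft-id` qualifier without checking whether the parsed pURL already carries one, so a package whose pURL already has a `syft-id` key would end up with a duplicate key, which the pURL spec forbids and which leaves the bom-ref no longer a valid pURL; whether any cataloger can produce such a pURL is not visible from this hunk. In the fallback path `bomRef` stays `string(p.ID())`, and judging by the `SetID()` calls the test in patch 2 needs before reading `ID()`, that is the empty string for a package whose ID was never set, which breaks the CycloneDX requirement that bom-ref values be unique within the BOM. Overwriting an existing `syft-id` qualifier instead of appending keeps the ref a valid pURL, and an empty ID is worth surfacing (a log line or an error) rather than silently emitting an empty ref. Patch 2 moves this code unchanged into `deriveBomRef` (the `@@ -40,8 +40,21 @@` hunk of component.go), where the same points apply. encodeComponent continues past the end of this hunk.

```go
	bomRef := string(p.ID())
	if parsedPURL, err := packageurl.FromString(p.PURL); err == nil {
		// overwrite an existing syft-id qualifier rather than appending a second
		// one: pURL qualifier keys must be unique, and the bom-ref must stay a
		// valid pURL for consumers that resolve it.
		replaced := false
		for i := range parsedPURL.Qualifiers {
			if parsedPURL.Qualifiers[i].Key == "syft-id" {
				parsedPURL.Qualifiers[i].Value = string(p.ID())
				replaced = true
			}
		}
		if !replaced {
			parsedPURL.Qualifiers = append(parsedPURL.Qualifiers, packageurl.Qualifier{Key: "syft-id", Value: string(p.ID())})
		}
		bomRef = parsedPURL.ToString()
	}
	// … unchanged: return cyclonedx.Component{ … } …
```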
@@ -39,6 +48,7 @@ func encodeComponent(p pkg.Package) cyclonedx.Component {
 		Description:        encodeDescription(p),
 		ExternalReferences: encodeExternalReferences(p),
 		Properties:         properties,
+		BOMRef:             bomRef,
 	}
 }
 
diff --git a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
index 3063fdd1c8c..4be45232620 100644
--- a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
+++ b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
-  "serialNumber": "urn:uuid:498e659b-0758-4a7f-816e-91bee18df634",
+  "serialNumber": "urn:uuid:52ea85b5-01c5-475a-9aee-325ee67143af",
   "version": 1,
   "metadata": {
-    "timestamp": "2022-03-08T12:30:39Z",
+    "timestamp": "2022-03-31T22:36:00+01:00",
     "tools": [
       {
         "vendor": "anchore",
@@ -20,6 +20,7 @@
     },
     "components": [
       {
+        "bom-ref": "b85dbb4e6ece5082",
         "type": "library",
         "name": "package-1",
         "version": "1.0.1",
@@ -56,6 +57,7 @@
         ]
       },
       {
+        "bom-ref": "ceda99598967ae8d",
         "type": "library",
         "name": "package-2",
         "version": "2.0.1",
diff --git a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
index 62f5871eb4d..8914b19e81a 100644
--- a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
+++ b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
-  "serialNumber": "urn:uuid:342c3d2c-d26e-47b6-94d6-92fbf41da945",
+  "serialNumber": "urn:uuid:6374e6c2-1025-40e6-a7c6-24d7ee1f359e",
   "version": 1,
   "metadata": {
-    "timestamp": "2022-03-08T12:30:39Z",
+    "timestamp": "2022-03-31T22:36:00+01:00",
     "tools": [
       {
         "vendor": "anchore",
@@ -21,6 +21,7 @@ }, "components": [ { + "bom-ref": "2a46171f91c8d4bc", "type": "library", "name": "package-1", "version": "1.0.1", @@ -61,6 +62,7 @@ ] }, { + "bom-ref": "ae77680e9b1d087e", "type": "library", "name": "package-2", "version": "2.0.1", diff --git a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden index 3e416a26e26..19442782787 100644 --- a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden +++ b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden @@ -1,7 +1,7 @@ - + - 2022-03-08T12:30:33Z + 2022-03-31T22:36:09+01:00 anchore @@ -14,7 +14,7 @@ - + package-1 1.0.1 @@ -32,7 +32,7 @@ /some/path/pkg1 - + package-2 2.0.1 cpe:2.3:*:some:package:2:*:*:*:*:*:*:* diff --git a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden index 5d1b9dae417..6428387d4c0 100644 --- a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden +++ b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden @@ -1,7 +1,7 @@ - + - 2022-03-08T12:30:33Z + 2022-03-31T22:36:09+01:00 anchore @@ -15,7 +15,7 @@ - + package-1 1.0.1 @@ -34,7 +34,7 @@ /somefile-1.txt - + package-2 2.0.1 cpe:2.3:*:some:package:2:*:*:*:*:*:*:* From 2c12d90a9b034518666da410713a4eda95c46b9a Mon Sep 17 00:00:00 2001 From: Alex Goodman Date: Fri, 1 Apr 2022 11:56:43 -0400 Subject: [PATCH 2/4] put cyclonedx bom-ref derivation under test Signed-off-by: Alex Goodman --- .../common/cyclonedxhelpers/component.go | 25 +++++---- .../common/cyclonedxhelpers/component_test.go | 52 +++++++++++++++++++ 2 files changed, 67 insertions(+), 10 deletions(-) 
diff --git a/internal/formats/common/cyclonedxhelpers/component.go b/internal/formats/common/cyclonedxhelpers/component.go
index b2feda339bb..d4f6606aeaf 100644
--- a/internal/formats/common/cyclonedxhelpers/component.go
+++ b/internal/formats/common/cyclonedxhelpers/component.go
@@ -26,15 +26,7 @@ func encodeComponent(p pkg.Package) cyclonedx.Component {
 	if len(props) > 0 {
 		properties = &props
 	}
-	bomRef := string(p.ID())
-	// try and parse the PURL if possible and append syft id to it, to make
-	// the purl unique in the BOM.
-	// TODO: In the future we may want to dedupe by PURL and combine components with
-	// the same PURL while preserving their unique metadata.
-	if parsedPURL, err := packageurl.FromString(p.PURL); err == nil {
-		parsedPURL.Qualifiers = append(parsedPURL.Qualifiers, packageurl.Qualifier{Key: "syft-id", Value: string(p.ID())})
-		bomRef = parsedPURL.ToString()
-	}
+
 	return cyclonedx.Component{
 		Type: cyclonedx.ComponentTypeLibrary,
 		Name: p.Name,
@@ -40,8 +40,21 @@ func encodeComponent(p pkg.Package) cyclonedx.Component {
 		Description:        encodeDescription(p),
 		ExternalReferences: encodeExternalReferences(p),
 		Properties:         properties,
-		BOMRef:             bomRef,
+		BOMRef:             deriveBomRef(p),
+	}
+}
+
+func deriveBomRef(p pkg.Package) string {
+	// try and parse the PURL if possible and append syft id to it, to make
+	// the purl unique in the BOM.
+	// TODO: In the future we may want to dedupe by PURL and combine components with
+	// the same PURL while preserving their unique metadata.
+	if parsedPURL, err := packageurl.FromString(p.PURL); err == nil {
+		parsedPURL.Qualifiers = append(parsedPURL.Qualifiers, packageurl.Qualifier{Key: "syft-id", Value: string(p.ID())})
+		return parsedPURL.ToString()
 	}
+	// fallback is to use strictly the ID if there is no valid pURL
+	return string(p.ID())
 }
 
 func hasMetadata(p pkg.Package) bool {
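Review bot: deriveBomRef has no doc comment, and the inline comment it inherits describes only the pURL branch, not the contract encodeComponent now relies on (a non-empty reference that is unique within the BOM), so a reader has to reconstruct that from component_test.go. A doc comment such as `// deriveBomRef returns the bom-ref for p: the package pURL with a syft-id qualifier added when the pURL parses, otherwise the bare package ID. Uniqueness within the BOM rests on p.ID() being set and unique.` would pin it down. The parse error from `packageurl.FromString` is dropped without a trace, which matches the tested fallback, but a one-line comment stating that a malformed or empty pURL is expected input (patch 3's fixtures rely on it) would mark that choice as deliberate rather than accidental.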
diff --git a/internal/formats/common/cyclonedxhelpers/component_test.go b/internal/formats/common/cyclonedxhelpers/component_test.go
index 4a6dc50518a..ab7f3b812bb 100644
--- a/internal/formats/common/cyclonedxhelpers/component_test.go
+++ b/internal/formats/common/cyclonedxhelpers/component_test.go
@@ -1,6 +1,7 @@
 package cyclonedxhelpers
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/CycloneDX/cyclonedx-go"
@@ -139,3 +140,54 @@ func Test_encodeComponentProperties(t *testing.T) {
 		})
 	}
 }
+
+func Test_deriveBomRef(t *testing.T) {
+	pkgWithPurl := pkg.Package{
+		Name:    "django",
+		Version: "1.11.1",
+		PURL:    "pkg:pypi/django@1.11.1",
+	}
+	pkgWithPurl.SetID()
+
+	pkgWithOutPurl := pkg.Package{
+		Name:    "django",
+		Version: "1.11.1",
+		PURL:    "",
+	}
+	pkgWithOutPurl.SetID()
+
+	pkgWithBadPurl := pkg.Package{
+		Name:    "django",
+		Version: "1.11.1",
+		PURL:    "pkg:pyjango@1.11.1",
+	}
+	pkgWithBadPurl.SetID()
+
+	tests := []struct {
+		name string
+		pkg  pkg.Package
+		want string
+	}{
+		{
+			name: "use pURL-id hybrid",
+			pkg:  pkgWithPurl,
+			want: fmt.Sprintf("pkg:pypi/django@1.11.1?syft-id=%s", pkgWithPurl.ID()),
+		},
+		{
+			name: "fallback to ID when pURL is invalid",
+			pkg:  pkgWithBadPurl,
+			want: string(pkgWithBadPurl.ID()),
+		},
+		{
+			name: "fallback to ID when pURL is missing",
+			pkg:  pkgWithOutPurl,
+			want: string(pkgWithOutPurl.ID()),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tt.pkg.ID()
+			assert.Equal(t, tt.want, deriveBomRef(tt.pkg))
+		})
+	}
+}
From adaafaa435c71de79d278765c298065363e4d250 Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Fri, 1 Apr 2022 11:58:28 -0400
Subject: [PATCH 3/4] update common formats fixture to have valid pURL

Signed-off-by: Alex Goodman
---
 internal/formats/common/testutils/utils.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/internal/formats/common/testutils/utils.go b/internal/formats/common/testutils/utils.go
index 809889456cb..b1004d506fb 100644
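Review bot: The bare statement `tt.pkg.ID()` inside the `t.Run` closure discards its result and has no effect, since every fixture already called `SetID()` above; either delete it or, if it was meant as a guard against an unset ID, make it an assertion such as `assert.NotEmpty(t, tt.pkg.ID())`. The table covers a valid, a missing and a malformed pURL but not a pURL that already carries a `syft-id` qualifier, which is the one input where appending a qualifier changes the shape of the result rather than just extending it; a row for that case would pin whichever behaviour is intended. The expected value for the hybrid case is built with `fmt.Sprintf` from the same `ID()` the function reads, so the test cannot catch an empty or unstable ID — worth a short comment stating that ID stability is assumed rather than tested here.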
--- a/internal/formats/common/testutils/utils.go
+++ b/internal/formats/common/testutils/utils.go
@@ -169,7 +169,7 @@ func populateImageCatalog(catalog *pkg.Catalog, img *image.Image) {
 			Name:    "package-1",
 			Version: "1.0.1",
 		},
-		PURL: "a-purl-1",
+		PURL: "a-purl-1", // intentionally a bad pURL for test fixtures
 		CPEs: []pkg.CPE{
 			pkg.MustCPE("cpe:2.3:*:some:package:1:*:*:*:*:*:*:*"),
 		},
@@ -187,7 +187,7 @@ func populateImageCatalog(catalog *pkg.Catalog, img *image.Image) {
 			Package: "package-2",
 			Version: "2.0.1",
 		},
-		PURL: "a-purl-2",
+		PURL: "pkg:deb/debian/package-2@2.0.1",
 		CPEs: []pkg.CPE{
 			pkg.MustCPE("cpe:2.3:*:some:package:2:*:*:*:*:*:*:*"),
 		},
@@ -249,7 +249,7 @@ func newDirectoryCatalog() *pkg.Catalog {
 				},
 			},
 		},
-		PURL: "a-purl-2",
+		PURL: "a-purl-2", // intentionally a bad pURL for test fixtures
 		CPEs: []pkg.CPE{
 			pkg.MustCPE("cpe:2.3:*:some:package:2:*:*:*:*:*:*:*"),
 		},
@@ -267,7 +267,7 @@ func newDirectoryCatalog() *pkg.Catalog {
 			Package: "package-2",
 			Version: "2.0.1",
 		},
-		PURL: "a-purl-2",
+		PURL: "pkg:deb/debian/package-2@2.0.1",
 		CPEs: []pkg.CPE{
 			pkg.MustCPE("cpe:2.3:*:some:package:2:*:*:*:*:*:*:*"),
 		},
From 17a764a91a8b689c586fc0ba9f9cc640f0c821ba Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Fri, 1 Apr 2022 11:58:46 -0400
Subject: [PATCH 4/4] update all format snapshots with valid pURL examples
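Review bot: The two `// intentionally a bad pURL for test fixtures` comments (the `@@ -169` and `@@ -249` hunks) say the value is wrong on purpose but not what that buys, so a later cleanup could "fix" them and silently stop exercising the ID-only bom-ref fallback that the snapshots in patch 4 show. `// intentionally an invalid pURL so the cyclonedx snapshots exercise the ID-only bom-ref fallback` states the reason the next reader needs. In the `@@ -249` hunk the package kept on the invalid path still carries the value `a-purl-2` while the valid pURL two hunks down names package-2, which looks like a copy-and-paste leftover; I cannot see the package name for that entry from here, so worth a glance. populateImageCatalog and newDirectoryCatalog both start and end outside these hunks.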
Signed-off-by: Alex Goodman --- .../TestCycloneDxDirectoryEncoder.golden | 8 ++++---- .../snapshot/TestCycloneDxImageEncoder.golden | 14 +++++++------- .../stereoscope-fixture-image-simple.golden | Bin 15360 -> 15360 bytes .../TestCycloneDxDirectoryEncoder.golden | 8 ++++---- .../snapshot/TestCycloneDxImageEncoder.golden | 14 +++++++------- .../stereoscope-fixture-image-simple.golden | Bin 15360 -> 15360 bytes .../TestSPDXJSONDirectoryEncoder.golden | 6 +++--- .../snapshot/TestSPDXJSONImageEncoder.golden | 6 +++--- .../TestSPDXTagValueDirectoryEncoder.golden | 6 +++--- .../TestSPDXTagValueImageEncoder.golden | 6 +++--- .../snapshot/TestDirectoryEncoder.golden | 2 +- .../snapshot/TestImageEncoder.golden | 2 +- 12 files changed, 36 insertions(+), 36 deletions(-) diff --git a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden index 4be45232620..69b562d973e 100644 --- a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden +++ b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden @@ -1,10 +1,10 @@ { "bomFormat": "CycloneDX", "specVersion": "1.4", - "serialNumber": "urn:uuid:52ea85b5-01c5-475a-9aee-325ee67143af", + "serialNumber": "urn:uuid:dec3f6b4-8458-48bb-b60d-dfd312f6ec4e", "version": 1, "metadata": { - "timestamp": "2022-03-31T22:36:00+01:00", + "timestamp": "2022-04-01T11:48:04-04:00", "tools": [ { "vendor": "anchore", @@ -57,12 +57,12 @@ ] }, { - "bom-ref": "ceda99598967ae8d", + "bom-ref": "pkg:deb/debian/package-2@2.0.1?syft-id=ceda99598967ae8d", "type": "library", "name": "package-2", "version": "2.0.1", "cpe": "cpe:2.3:*:some:package:2:*:*:*:*:*:*:*", - "purl": "a-purl-2", + "purl": "pkg:deb/debian/package-2@2.0.1", "properties": [ { "name": "syft:package:foundBy", 
diff --git a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden index 8914b19e81a..14478f6c8dd 100644 --- a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden +++ b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden @@ -1,10 +1,10 @@ { "bomFormat": "CycloneDX", "specVersion": "1.4", - "serialNumber": "urn:uuid:6374e6c2-1025-40e6-a7c6-24d7ee1f359e", + "serialNumber": "urn:uuid:054d973e-fe99-4762-92e4-eaf01997ae41", "version": 1, "metadata": { - "timestamp": "2022-03-31T22:36:00+01:00", + "timestamp": "2022-04-01T11:48:04-04:00", "tools": [ { "vendor": "anchore", @@ -13,7 +13,7 @@ } ], "component": { - "bom-ref": "711095b1cdf90cce", + "bom-ref": "e777314b02b362e4", "type": "container", "name": "user-image-input", "version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368" @@ -53,7 +53,7 @@ }, { "name": "syft:location:0:layerID", - "value": "sha256:16e64541f2ddf59a90391ce7bb8af90313f7d373f2105d88f3d3267b72e0ebab" + "value": "sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59" }, { "name": "syft:location:0:path", @@ -62,12 +62,12 @@ ] }, { - "bom-ref": "ae77680e9b1d087e", + "bom-ref": "pkg:deb/debian/package-2@2.0.1?syft-id=ae77680e9b1d087e", "type": "library", "name": "package-2", "version": "2.0.1", "cpe": "cpe:2.3:*:some:package:2:*:*:*:*:*:*:*", - "purl": "a-purl-2", + "purl": "pkg:deb/debian/package-2@2.0.1", "properties": [ { "name": "syft:package:foundBy", @@ -83,7 +83,7 @@ }, { "name": "syft:location:0:layerID", - "value": "sha256:de6c235f76ea24c8503ec08891445b5d6a8bdf8249117ed8d8b0b6fb3ebe4f67" + "value": "sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec" }, { "name": "syft:location:0:path", 
diff --git a/internal/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/internal/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index c483fa49b75941b2cfb6a6819ff94a681f25ee41..5b5b8030509a612ac6c0d1e630d5a86b6f232f65 100644 GIT binary patch literal 15360 zcmeHOS#R4$5Y}^lh04C#(%!oi(1$cOkN`nlByI{cFpRxuvzADKqyig;|9gj$EK5pa z#wH~=?GggC=WzBL4tI_v#?Cq6Of0-qNy3oA%1In^$C;+u8t*VgQrp-moJh@}kT~j; zk_i=*4SUTOLJUdHduVZO|JSWO%m|W-x+QcVFg&@vJX2t^PzT*a0% z&z*4^V<9Bvh!I7Z1KUCwjx;ySlbBOOBvG-n#5e-9Y~gj~YsLs7#e z8YOyM`h#fImd{`*+l{_}smsRG>Sk3wnfh##&b)S#Szuy0{y6&_jk4Kzd=R~!z{(cI zw-bG_Wb|V`o=tpt-}6^qT&3B?QM%;zIID`AX`a>)FXob`T}OAFsN`OWv{n4!Sl{?!P}|Voyc*vB>`VKf5F*0+|C@kz*iq&a zpQK}dNCwq))gj?EQVsG);P1iykBGpSa4dTWV@bpQzlPxMiVNBI>wOe<@ABu}-6>EG z2m}NI0s(=SgaE{N6GJW0%n_nkOf5Hvv&373A@&;+OO0mQ3WkZ25b*VhB~)VY>jc6+ z9(3UU6Z%E`4?!3>#Q*m2pxj2^aBCj?>AC0Hk*Bud)z(hfh7()6t>5eUU#4Z17vO_` zx^0?-2t$<4!vzcK=LY6Qua1uTbMpt+rf+|^GKClQU;3tYudmVy*tGd%vW#vl8wW18 zSH7qT3_hdi?x2y4wW!5c*_d14Yium)Ph@im3Ii+1Pp%ek%yd;^3Z{W2fLp_7)U~avBY^Bo!$L_ z&h#Giwd-574c6@>|A!%4$U^?FYgvDdUTgX9B>#s5CSm{on!LJh!y*6IHKacjz1I5Q z-u_2|;H~^0VsKm_*#CQYl9u_uwvRz=BCjlW97_ZVyEUT@Rs-OVkV^FQ_ZkIno~c>nK47TZ)Sh@;G-ApJ{SuF^o;qe49( z5D*9m1O)zT2uyUACcdn`Cy(>owKwhmoYS?l;AnpSBgB86i}uszLH6YJ^5kUHNiGmP z!S{ZepX!T6W})(h&r6$6{b7<`*JtMr)B4ckVVO>*V?R3-JOktbjI0FPZP|Z zMi(HfGKEZ9>dRf-vPu8R!?!{8S2VT$3lZYKyAsC+-P@>a(9k+}*jh~xkKnoO0(Pka6pa>|wBwB6BkmRC4kpI4u>^N?+ zMoXlq8A`!`M3Fq5?szos;UhwsawN7!<0N9G_Y)S?;cIte-{TyY9lK0QOTOY|x)t4uE(r~oYv^93}xDgRNrVqJ4kRoa}tuWXv3 znb-5u?V;_xd{y1O=?dt&X?a{-Y_E@&F8f+eQ##5FD6wh(GW(2X*=j!DLoXKaM(fMh z3w^dx^g}*hEnInB^JiXsO0%=WbffLdtST;+d76P<>%K?XZ>w~^74=3ZZocV$wTE)J zMDsLTeL+_(vD9~USI1B1`oa~HdJXl>qb2_N-Sr<)M1}bOra^nGDD#E$>D=v;N%f`b zQSgqa7XM>R<#ztZoQyCbip${t9TPs;Wp$pG<9Yy$&viMjr)ZZ|<&!-w2o4qq76=vy z7I-EWkXR;>QJOjuMLGc>kW#?ll#rO}NXN`L>ZPLE8N%UAW9PMHF&D;L?a342f1pFa z|ArVMo&Enb_#X}V{}A3EjYz=%hB5RreM;x}?~eb~8$a9pZ@vFR2n+cCAR}gj|8*S( 
z0NyQi0jXo(SR#eZ$9+O;ERoO|VKdGq91|839x%oGFvb4`#(IL@9vr{=b-F5x={z@j zJ}r|po9&dh#hZ%e*18Cn=;LER+9?d!hoZE)Fz0FIOtmU%7+5c?qS?n;^+;|qdNe}ryWq0_0 zkoJZ3-w>nc5`81Bxyc_JHcU^M+E+}OItlxV7z0$88x~PZ<`4VURbBwE=j5`b6XQ%W zP8+yj%~3i{pdUIoJZyHp*VKpcbh{L8s1V~{#z{@t`IJ_mrpXtJHM((qb7FJz$rbhb zY4RDPtGzZgc2SFeRijyf@2IgZKTr+GhIbOuJyhg*<$+#wiK>fbowhc7of2Njrrw{X z7V1t=d9JCDGa{Yjf)fuEZ!cmUW58LAQ%MqO4+X-!vP>~g2^KbrJhO~Sl_=`4OLPKK zH?k!Nsqw!zH3zYITz_;%c#rJBV1ZzP JV1eE(@DIZvjQs!r diff --git a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden index 19442782787..b75e0c629dd 100644 --- a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden +++ b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden @@ -1,7 +1,7 @@ - + - 2022-03-31T22:36:09+01:00 + 2022-04-01T11:57:46-04:00 anchore @@ -32,11 +32,11 @@ /some/path/pkg1 - + package-2 2.0.1 cpe:2.3:*:some:package:2:*:*:*:*:*:*:* - a-purl-2 + pkg:deb/debian/package-2@2.0.1 the-cataloger-2 DpkgMetadata diff --git a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden index 6428387d4c0..a82e85c7f45 100644 --- a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden +++ b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden @@ -1,7 +1,7 @@ - + - 2022-03-31T22:36:09+01:00 + 2022-04-01T11:57:46-04:00 anchore @@ -9,7 +9,7 @@ [not provided] - + user-image-input sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368 
@@ -30,20 +30,20 @@ python PythonPackageMetadata python - sha256:16e64541f2ddf59a90391ce7bb8af90313f7d373f2105d88f3d3267b72e0ebab + sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59 /somefile-1.txt - + package-2 2.0.1 cpe:2.3:*:some:package:2:*:*:*:*:*:*:* - a-purl-2 + pkg:deb/debian/package-2@2.0.1 the-cataloger-2 DpkgMetadata deb - sha256:de6c235f76ea24c8503ec08891445b5d6a8bdf8249117ed8d8b0b6fb3ebe4f67 + sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec /somefile-2.txt 0 
diff --git a/internal/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/internal/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index c483fa49b75941b2cfb6a6819ff94a681f25ee41..5b5b8030509a612ac6c0d1e630d5a86b6f232f65 100644 GIT binary patch literal 15360 zcmeHOS#R4$5Y}^lh04C#(%!oi(1$cOkN`nlByI{cFpRxuvzADKqyig;|9gj$EK5pa z#wH~=?GggC=WzBL4tI_v#?Cq6Of0-qNy3oA%1In^$C;+u8t*VgQrp-moJh@}kT~j; zk_i=*4SUTOLJUdHduVZO|JSWO%m|W-x+QcVFg&@vJX2t^PzT*a0% z&z*4^V<9Bvh!I7Z1KUCwjx;ySlbBOOBvG-n#5e-9Y~gj~YsLs7#e z8YOyM`h#fImd{`*+l{_}smsRG>Sk3wnfh##&b)S#Szuy0{y6&_jk4Kzd=R~!z{(cI zw-bG_Wb|V`o=tpt-}6^qT&3B?QM%;zIID`AX`a>)FXob`T}OAFsN`OWv{n4!Sl{?!P}|Voyc*vB>`VKf5F*0+|C@kz*iq&a zpQK}dNCwq))gj?EQVsG);P1iykBGpSa4dTWV@bpQzlPxMiVNBI>wOe<@ABu}-6>EG z2m}NI0s(=SgaE{N6GJW0%n_nkOf5Hvv&373A@&;+OO0mQ3WkZ25b*VhB~)VY>jc6+ z9(3UU6Z%E`4?!3>#Q*m2pxj2^aBCj?>AC0Hk*Bud)z(hfh7()6t>5eUU#4Z17vO_` zx^0?-2t$<4!vzcK=LY6Qua1uTbMpt+rf+|^GKClQU;3tYudmVy*tGd%vW#vl8wW18 zSH7qT3_hdi?x2y4wW!5c*_d14Yium)Ph@im3Ii+1Pp%ek%yd;^3Z{W2fLp_7)U~avBY^Bo!$L_ z&h#Giwd-574c6@>|A!%4$U^?FYgvDdUTgX9B>#s5CSm{on!LJh!y*6IHKacjz1I5Q z-u_2|;H~^0VsKm_*#CQYl9u_uwvRz=BCjlW97_ZVyEUT@Rs-OVkV^FQ_ZkIno~c>nK47TZ)Sh@;G-ApJ{SuF^o;qe49( z5D*9m1O)zT2uyUACcdn`Cy(>owKwhmoYS?l;AnpSBgB86i}uszLH6YJ^5kUHNiGmP z!S{ZepX!T6W})(h&r6$6{b7<`*JtMr)B4ckVVO>*V?R3-JOktbjI0FPZP|Z zMi(HfGKEZ9>dRf-vPu8R!?!{8S2VT$3lZYKyAsC+-P@>a(9k+}*jh~xkKnoO0(Pka6pa>|wBwB6BkmRC4kpI4u>^N?+ zMoXlq8A`!`M3Fq5?szos;UhwsawN7!<0N9G_Y)S?;cIte-{TyY9lK0QOTOY|x)t4uE(r~oYv^93}xDgRNrVqJ4kRoa}tuWXv3 znb-5u?V;_xd{y1O=?dt&X?a{-Y_E@&F8f+eQ##5FD6wh(GW(2X*=j!DLoXKaM(fMh z3w^dx^g}*hEnInB^JiXsO0%=WbffLdtST;+d76P<>%K?XZ>w~^74=3ZZocV$wTE)J zMDsLTeL+_(vD9~USI1B1`oa~HdJXl>qb2_N-Sr<)M1}bOra^nGDD#E$>D=v;N%f`b zQSgqa7XM>R<#ztZoQyCbip${t9TPs;Wp$pG<9Yy$&viMjr)ZZ|<&!-w2o4qq76=vy z7I-EWkXR;>QJOjuMLGc>kW#?ll#rO}NXN`L>ZPLE8N%UAW9PMHF&D;L?a342f1pFa z|ArVMo&Enb_#X}V{}A3EjYz=%hB5RreM;x}?~eb~8$a9pZ@vFR2n+cCAR}gj|8*S( 
z0NyQi0jXo(SR#eZ$9+O;ERoO|VKdGq91|839x%oGFvb4`#(IL@9vr{=b-F5x={z@j zJ}r|po9&dh#hZ%e*18Cn=;LER+9?d!hoZE)Fz0FIOtmU%7+5c?qS?n;^+;|qdNe}ryWq0_0 zkoJZ3-w>nc5`81Bxyc_JHcU^M+E+}OItlxV7z0$88x~PZ<`4VURbBwE=j5`b6XQ%W zP8+yj%~3i{pdUIoJZyHp*VKpcbh{L8s1V~{#z{@t`IJ_mrpXtJHM((qb7FJz$rbhb zY4RDPtGzZgc2SFeRijyf@2IgZKTr+GhIbOuJyhg*<$+#wiK>fbowhc7of2Njrrw{X z7V1t=d9JCDGa{Yjf)fuEZ!cmUW58LAQ%MqO4+X-!vP>~g2^KbrJhO~Sl_=`4OLPKK zH?k!Nsqw!zH3zYITz_;%c#rJBV1ZzP JV1eE(@DIZvjQs!r diff --git a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden index 22f7729c7e3..3299321a589 100644 --- a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden +++ b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden @@ -3,7 +3,7 @@ "name": "/some/path", "spdxVersion": "SPDX-2.2", "creationInfo": { - "created": "2022-03-30T21:48:28.297464Z", + "created": "2022-04-01T15:48:39.459232Z", "creators": [ "Organization: Anchore, Inc", "Tool: syft-[not provided]" @@ -11,7 +11,7 @@ "licenseListVersion": "3.16" }, "dataLicense": "CC0-1.0", - "documentNamespace": "https://anchore.com/syft/dir/some/path-e188d59b-76f6-4c7f-a9f2-1ae7d0577781", + "documentNamespace": "https://anchore.com/syft/dir/some/path-8d335d81-29c9-4236-84f1-2292ea92aaf5", "packages": [ { "SPDXID": "SPDXRef-b85dbb4e6ece5082", @@ -48,7 +48,7 @@ }, { "referenceCategory": "PACKAGE_MANAGER", - "referenceLocator": "a-purl-2", + "referenceLocator": "pkg:deb/debian/package-2@2.0.1", "referenceType": "purl" } ], diff --git a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden index 7e97a75fe97..42260c91d43 100644 --- a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden 
+++ b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden @@ -3,7 +3,7 @@ "name": "user-image-input", "spdxVersion": "SPDX-2.2", "creationInfo": { - "created": "2022-03-30T21:48:28.303986Z", + "created": "2022-04-01T15:48:39.465643Z", "creators": [ "Organization: Anchore, Inc", "Tool: syft-[not provided]" @@ -11,7 +11,7 @@ "licenseListVersion": "3.16" }, "dataLicense": "CC0-1.0", - "documentNamespace": "https://anchore.com/syft/image/user-image-input-9e4f4190-c5ae-4e31-a852-d1ab71357516", + "documentNamespace": "https://anchore.com/syft/image/user-image-input-e64e0be8-5031-4eec-842d-e59fb6deb518", "packages": [ { "SPDXID": "SPDXRef-2a46171f91c8d4bc", @@ -48,7 +48,7 @@ }, { "referenceCategory": "PACKAGE_MANAGER", - "referenceLocator": "a-purl-2", + "referenceLocator": "pkg:deb/debian/package-2@2.0.1", "referenceType": "purl" } ], diff --git a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden index 7959c2f0d34..ba0ba4c69a6 100644 --- a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden +++ b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden @@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: /some/path -DocumentNamespace: https://anchore.com/syft/dir/some/path-71aa3553-1a73-405f-9f1f-6347d6d4593b +DocumentNamespace: https://anchore.com/syft/dir/some/path-d227b0f2-4ee8-4e10-ac43-019db86d16ff LicenseListVersion: 3.16 Creator: Organization: Anchore, Inc Creator: Tool: syft-[not provided] -Created: 2022-03-30T21:48:22Z +Created: 2022-04-01T15:48:44Z ##### Package: package-2 
@@ -19,7 +19,7 @@ PackageLicenseConcluded: NONE PackageLicenseDeclared: NONE PackageCopyrightText: NOASSERTION ExternalRef: SECURITY cpe23Type cpe:2.3:*:some:package:2:*:*:*:*:*:*:* -ExternalRef: PACKAGE_MANAGER purl a-purl-2 +ExternalRef: PACKAGE_MANAGER purl pkg:deb/debian/package-2@2.0.1 ##### Package: package-1 diff --git a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden index 4d9011b1cdd..f2e7d394f0e 100644 --- a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden +++ b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden @@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: user-image-input -DocumentNamespace: https://anchore.com/syft/image/user-image-input-e46e20f4-43a4-40e7-9f82-fd55b8a89e5f +DocumentNamespace: https://anchore.com/syft/image/user-image-input-49f98c61-3418-4427-9e00-8b1c735e9799 LicenseListVersion: 3.16 Creator: Organization: Anchore, Inc Creator: Tool: syft-[not provided] -Created: 2022-03-30T21:48:22Z +Created: 2022-04-01T15:48:44Z ##### Package: package-2 @@ -19,7 +19,7 @@ PackageLicenseConcluded: NONE PackageLicenseDeclared: NONE PackageCopyrightText: NOASSERTION ExternalRef: SECURITY cpe23Type cpe:2.3:*:some:package:2:*:*:*:*:*:*:* -ExternalRef: PACKAGE_MANAGER purl a-purl-2 +ExternalRef: PACKAGE_MANAGER purl pkg:deb/debian/package-2@2.0.1 ##### Package: package-1 diff --git a/internal/formats/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden b/internal/formats/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden index 71d089e1947..ae51ed71720 100644 --- a/internal/formats/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden +++ b/internal/formats/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden 
@@ -51,7 +51,7 @@ "cpes": [ "cpe:2.3:*:some:package:2:*:*:*:*:*:*:*" ], - "purl": "a-purl-2", + "purl": "pkg:deb/debian/package-2@2.0.1", "metadataType": "DpkgMetadata", "metadata": { "package": "package-2", diff --git a/internal/formats/syftjson/test-fixtures/snapshot/TestImageEncoder.golden b/internal/formats/syftjson/test-fixtures/snapshot/TestImageEncoder.golden index a2f5673d096..10a5ced626f 100644 --- a/internal/formats/syftjson/test-fixtures/snapshot/TestImageEncoder.golden +++ b/internal/formats/syftjson/test-fixtures/snapshot/TestImageEncoder.golden @@ -48,7 +48,7 @@ "cpes": [ "cpe:2.3:*:some:package:2:*:*:*:*:*:*:*" ], - "purl": "a-purl-2", + "purl": "pkg:deb/debian/package-2@2.0.1", "metadataType": "DpkgMetadata", "metadata": { "package": "package-2",