fix: purl generation for pom.xml (#1078)

syft/pkg/cataloger/java/parse_pom_xml.go

@@ -63,6 +63,11 @@ func newPackageFromPom(dep gopom.Dependency) *pkg.Package {
 		Type:         pkg.JavaPkg, // TODO: should we differentiate between packages from jar/war/zip versus packages from a pom.xml that were not installed yet?
 		MetadataType: pkg.JavaMetadataType,
 		FoundBy:      javaPomCataloger,
+		Metadata: pkg.JavaMetadata{
+			PomProperties: &pkg.PomProperties{
+				GroupID: dep.GroupID,
+			},
+		},
 	}
 
 	p.Metadata = pkg.JavaMetadata{PURL: packageURL(*p)}

syft/pkg/cataloger/java/parse_pom_xml_test.go

@@ -26,7 +26,7 @@ func Test_parserPomXML(t *testing.T) {
 					Type:         pkg.JavaPkg,
 					MetadataType: pkg.JavaMetadataType,
 					Metadata: pkg.JavaMetadata{
-						PURL: "pkg:maven/joda-time/joda-time@2.9.2",
+						PURL: "pkg:maven/com.joda/joda-time@2.9.2",
 					},
 				},
 				{

syft/pkg/cataloger/java/test-fixtures/pom/pom.xml

@@ -1,6 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
-	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 
 	<groupId>org.anchore</groupId>
@@ -16,7 +15,7 @@
 	<dependencies>
 		<!-- tag::joda[] -->
 		<dependency>
-			<groupId>joda-time</groupId>
+			<groupId>com.joda</groupId>
 			<artifactId>joda-time</artifactId>
 			<version>2.9.2</version>
 		</dependency>