pkg.JavaArchive.PomProperties is being populated even though no pom.properties file was present for analysis#3922

Merged
wagoodman merged 1 commit into main from groupid-from-purl
May 20, 2025

Conversation

@wagoodman
Contributor

With #3853 we began creating pkg.JavaArchive.PomProperties metadata fields populated from the purl fields (groupid = namespace, artifactid = name). This is generally OK; however, it can cause confusion when looking at only the syft json output for a package when the SBOM was decoded from any format into syft json: it makes it seem that we conclusively found a pom.properties file on disk during the analysis even though that's not necessarily true.

Even more confusing, if you take syft json output that does not have pkg.JavaArchive.PomProperties populated and you run syft convert -o json (the same format) the field is populated.

For this reason, this PR makes a small alteration: we don't generate any pkg.JavaArchive.PomProperties from purl info.

However, we don't want to drop CycloneDX group information when it is present. It makes sense when encoding and decoding to use this pom properties field (as this is symmetric) when a CycloneDX property hints that the syft metadataType is JavaArchive. It doesn't make sense to make that same assumption when there are no syft-specific properties (when the user is bringing their own CDX document). In this case the group information should already be encoded into the purl for the case of Java, or if there is no PURL, syft now generates a PURL with the group encoded as the namespace (unless the purl type is empty or generic).

Downstream in grype a change will be needed to still derive the group ID and artifact ID from the PURL when it can't be found anywhere else.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections
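The decoding rule the description lays out, as an added illustration that is not syft's own code: the component and property types are constructed stand-ins, the property key `syft:package:metadataType` is an assumed name, and the purl type is passed in rather than derived, since how syft picks it is outside this PR.

```go
package main

import "fmt"

// Constructed stand-in for a CycloneDX component; not syft's own types.
type cdxComponent struct {
	Group, Name, Version, PURL string
	Properties                 map[string]string
}

// pomProperties models the pkg.JavaArchive.PomProperties fields discussed in the PR.
type pomProperties struct {
	GroupID, ArtifactID, Version string
}

// Assumed (not verified against syft) name of the syft-specific property carrying the metadata type.
const metadataTypeProp = "syft:package:metadataType"

// decodeComponent applies the rule described in the PR:
//   - PomProperties is populated only when a syft property says the metadata type is JavaArchive
//     (the syft -> CDX -> syft round trip is symmetric, so the field is trustworthy there);
//   - for third-party CDX input the group stays in the PURL namespace: an existing PURL is kept
//     as-is, and a missing PURL is generated with the group as namespace unless purlType is
//     empty or "generic" (percent-encoding of purl segments is omitted for brevity).
func decodeComponent(c cdxComponent, purlType string) (*pomProperties, string) {
	var pom *pomProperties
	if c.Properties[metadataTypeProp] == "JavaArchive" {
		pom = &pomProperties{GroupID: c.Group, ArtifactID: c.Name, Version: c.Version}
	}
	purl := c.PURL
	if purl == "" && purlType != "" && purlType != "generic" && c.Name != "" {
		if c.Group != "" {
			purl = fmt.Sprintf("pkg:%s/%s/%s", purlType, c.Group, c.Name)
		} else {
			purl = fmt.Sprintf("pkg:%s/%s", purlType, c.Name)
		}
		if c.Version != "" {
			purl += "@" + c.Version
		}
	}
	return pom, purl
}

func main() {
	// Constructed input: a user-supplied CDX component with a group but no PURL and no syft properties.
	pom, purl := decodeComponent(cdxComponent{Group: "org.example", Name: "lib", Version: "1.0"}, "maven")
	fmt.Printf("pom=%v purl=%s\n", pom, purl) // pom=<nil> purl=pkg:maven/org.example/lib@1.0
}
```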

@wagoodman wagoodman added the bug Something isn't working label May 20, 2025
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman merged commit ac883f5 into main May 20, 2025
12 checks passed
@wagoodman wagoodman deleted the groupid-from-purl branch May 20, 2025 19:56