fix: also compare PURL when sorting inventories (#1871)

#1865

Some inventories may have the same name and version but refer to
different packages (e.g. Maven packages with the same artifact IDs).
They may be considered as the same with the existing compare function
and deduped during scanning. This PR adds PURL comparison so that these
packages are not deduped unexpectedly.

Author: cuixq

internal/scalibrextract/invsort.go

@@ -15,11 +15,18 @@ func inventorySort(a, b *extractor.Package) int {
 	bLoc := fmt.Sprintf("%v", b.Locations)
 
 	var aExtr, bExtr string
+	var aPURL, bPURL string
 	if a.Extractor != nil {
 		aExtr = a.Extractor.Name()
+		if purl := a.Extractor.ToPURL(a); purl != nil {
+			aPURL = purl.String()
+		}
 	}
 	if b.Extractor != nil {
 		bExtr = b.Extractor.Name()
+		if purl := b.Extractor.ToPURL(b); purl != nil {
+			bPURL = purl.String()
+		}
 	}
 
 	aSourceCode := fmt.Sprintf("%v", a.SourceCode)
@@ -31,5 +38,6 @@ func inventorySort(a, b *extractor.Package) int {
 		cmp.Compare(a.Version, b.Version),
 		cmp.Compare(aSourceCode, bSourceCode),
 		cmp.Compare(aExtr, bExtr),
+		cmp.Compare(aPURL, bPURL),
 	)
 }