fix: add config option to exclude language packages with file ownership overlap

[kimjune01]

Closes #4760.

Cause

When OS packages (deb, apk, rpm) install language packages (Python, Ruby, npm, etc.) via system package managers, syft catalogs both the OS package and the language package. The file ownership overlap relationship exists between them, but there was no mechanism to deduplicate.

The existing exclude-binary-overlap-by-ownership option handles binary packages, but an equivalent for language packages was missing.

Fix

Adds exclude-language-overlap-by-ownership config option that removes language packages when they have a file ownership overlap relationship with an OS package. This mirrors the existing binary exclusion logic. The option defaults to false to avoid changing existing behavior.

The implementation follows the same pattern as ExcludeBinaryPackagesByFileOwnershipOverlap: iterate relationships, identify OS-parent/language-child pairs, and delete the child package.

Tests

Unit tests cover:

• OS → language package overlap (deb→python, apk→npm, rpm→ruby) — child removed
• Binary → language package overlap — both kept
• OS → OS overlap — both kept
• Language → language overlap — both kept

Signed-off-by: June Kim kimjune01@gmail.com

[kimjune01]

Pushed two test-only follow-ups (b4844d0, 64376c2): the original tests built pkg.Package literals without SetID(), so c.Package(r.From.ID()) returned nil and the assertion compared "" == "" — the suite passed without exercising the code under test. Added SetID() on the test packages and an assert.NotEqual(t, "", result) guard so the no-op can't recur. Verified by injecting a panic in the function body: pre-fix tests pass (proof of no-op), post-fix tests fail with the panic (proof of exercise).

[Dashtid]

The languageCatalogerTypes set covers 8 types but omits some commonly-distro-packaged language types — notably JavaPkg, GoModulePkg, RustPkg, and SwiftPkg. The same OS↔language overlap exists for these:

• Debian's golang-github-* packages install Go source that the Go cataloger also picks up
• Debian's rust-* packages install Rust source that the Rust cataloger also picks up
• libreoffice-java-common and similar install JARs that the Java cataloger reports

This could be intentional — e.g. Java/Go/Rust have different overlap semantics worth handling separately — or just an early-iteration scoping. If the latter, it might be worth either expanding the list to cover all language types, or codifying a criterion for inclusion (pkg.AllPkgs minus OS + binary + non-language types like GithubActionPkg/TerraformPkg/WordpressPluginPkg). Either way, a short comment on the slice explaining the inclusion rule would make the intent legible for future cataloger PRs that add new Types.

[kimjune01]

I derived the set from syft's own language-tagged catalogers instead of hand-listing. That adds the installed-package types below — but also excludes the binary/archive extractors, since deleting those on file-overlap loses real SBOM data. A guard test re-derives the set from capabilities.yaml and fails CI when a new language cataloger isn't classified.

types	decision	why
cocoapods, conan, dart-pub, hackage, hex, opam, php-pear, swift, swipl	added	OS overlap here means the distro repackaged the same unit, so dedup is safe
java-archive, go-module, rust-crate, dotnet, graalvm-native-image	excluded	these extract many components from one OS-owned binary/archive — the OS owns the container, not the components, so deleting drops distinct packages (an rpm owning a Go binary would erase its built-in modules)
php-pecl	kept (exception)	not language-tagged anymore (deprecated cataloger), but its packages still overlap until v2.0

Tradeoff: excluding whole types means safe go.mod/Cargo.lock overlaps won't be deduped either — better to under-delete than lose a real component.

Limits: the rule keys on pkg.Type, a coarse proxy. Some included types are lockfile-derived (cocoapods → Podfile.lock, swift → Package.resolved), so an OS package owning one of those manifests could over-delete declared deps — same issue, rarer. The precise fix is per-package installed-vs-declared evidence. Only unit-tested, not validated against real images for the new ecosystems. #4974 tracks the evidence-vs-type question plus a few tagging inconsistencies (php-pecl on a deprecated/untagged cataloger, nix as both OS and language, dotnet-deps-binary missing the binary selector go/rust carry).

[Dashtid]

The extractor-vs-installed split is the right framing; my initial cut missed it. Deriving the set from capabilities.yaml plus a guard test that catches unclassified additions is cleaner than the hand-listed alternative.

Spot-checked one #4974 item locally: LanguageByName at syft/pkg/language.go:71 returns UnknownLanguage for string(Rpkg) ("R-package"), string(LuaRocksPkg) ("lua-rocks"), and string(PhpPeclPkg) ("php-pecl") — the switch matches "r"/TypeCran, string(Lua)/TypeLuaRocks, and the PHP cases without PhpPeclPkg, so the const-value strings fall through. TestLanguageByName covers the lowercase input "r" but not string(Rpkg). Worth a narrow PR independent of the evidence-vs-type work.