SBOM many false positives

[ionimit]

What happened:
The SBOM scanner reported many false positive vulnerabilities
What you expected to happen:
Not to report false positives vulnerabilities
How to reproduce it (as minimally and precisely as possible):

Use the following SBOM, all findings are false positive:

poc-sbom.json

grype command:
grype.exe sbom:"C:\path\to\bom.json"

Anything else we need to know?:

The following are identified false positives:

• gen-mapping - GHSA-8rmg-jf7p-4p22 (actual package is @jridgewell/gen-mapping not gen-mapping)
• middleware-user-agent - GHSA-7jfr-mfm3-p4mh (actual package is @aws-sdk/middleware-user-agent not middleware-user-agent)
• node-config-provider - GHSA-p2f3-jr96-8rhf (actual package is @smithy/node-config-provider not node-config-provider)
• protocol-http - GHSA-p57r-cpw5-9h67 (actual package is @smithy/protocol-http not protocol-http)
• smithy-client - GHSA-xh9p-w3hh-pqp5 (actual package is @smithy/smithy-client not smithy-client)

Additional misidentified packages that leads to false positive results:

• @types/jose not jose
• @types/mime not mime
• @types/ms not ms
• @types/request not request
• @types/tough-cookie not tough-cookie
• @colors/colors not colors
• @types/debug not debug
• @types/ejs not ejs
• @types/cookiejar not cookiejar
• @types/jsonwebtoken not jsonwebtoken

Tool Output:

Environment:
Application: grype
Version: 0.89.1
BuildDate: 2025-03-13T20:22:27Z
GitCommit: 718ea30
GitDescription: v0.89.1
Platform: windows/amd64
GoVersion: go1.24.1
Compiler: gc
Syft Version: v1.20.0
Supported DB Schema: 6

[kzantow]

This appears to be due to not reading the group or using information from the purl to try to construct the best Syft package possible.