diff --git a/grype/pkg/package.go b/grype/pkg/package.go
index 779483137997..0bba0bb5df9f 100644
--- a/grype/pkg/package.go
+++ b/grype/pkg/package.go
@@ -151,7 +151,7 @@ func excludePackage(p pkg.Package, parent pkg.Package) bool {
 func isOSPackage(p pkg.Package) bool {
 switch p.Type {
- case pkg.DebPkg, pkg.RpmPkg, pkg.ApkPkg:
+ case pkg.DebPkg, pkg.RpmPkg, pkg.PortagePkg, pkg.AlpmPkg:
 return true
 default:
 return false
diff --git a/test/integration/compare_sbom_input_vs_lib_test.go b/test/integration/compare_sbom_input_vs_lib_test.go
index 4a82d1013ae7..c903f48a496d 100644
--- a/test/integration/compare_sbom_input_vs_lib_test.go
+++ b/test/integration/compare_sbom_input_vs_lib_test.go
@@ -72,10 +72,9 @@ func TestCompareSBOMInputToLibResults(t *testing.T) {
 )
 observedPkgTypes := strset.New()
 testCases := []struct {
- name string
- image string
- format sbom.FormatID
- allowedExtraPackages []string
+ name string
+ image string
+ format sbom.FormatID
 }{
 {
 image: "anchore/test_images:vulnerabilities-alpine",
@@ -156,20 +155,15 @@ func TestCompareSBOMInputToLibResults(t *testing.T) {
 },
 {
- image: "anchore/test_images:npm",
- format: syft.SPDXJSONFormatID,
- name: "npm-spdx-json",
- allowedExtraPackages: []string{"GHSA-hj9c-8jmm-8c52-npm-7.17.0"}, // see note below
+ image: "anchore/test_images:npm",
+ format: syft.SPDXJSONFormatID,
+ name: "npm-spdx-json",
 },
 {
- image: "anchore/test_images:npm",
- format: syft.SPDXTagValueFormatID,
- name: "npm-spdx-tag-value",
- allowedExtraPackages: []string{"GHSA-hj9c-8jmm-8c52-npm-7.17.0"}, // npm itself is found
- // both by the javascript cataloger and the APK cataloger, since it's installed
- // as an apk package in this image. In Syft JSON, the we have enough information
- // to prefer the APK cataloger, but in other formats, this information is lost.
+ image: "anchore/test_images:npm",
+ format: syft.SPDXTagValueFormatID,
+ name: "npm-spdx-tag-value",
 },
 {
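Review bot: The new `case` list in `isOSPackage` (grype/pkg/package.go) drops `pkg.ApkPkg` while adding `pkg.PortagePkg` and `pkg.AlpmPkg`, and nothing in the hunk records that the omission is deliberate. Judging by the hunk header, this helper sits next to `excludePackage`, whose body is outside the hunk. The change therefore presumably alters which overlapping packages are filtered out before matching on Alpine images, and so which vulnerabilities a scan reports. The later test hunks also delete the only comment that explained the npm/APK overlap, so I would keep the reasoning next to the switch, e.g. `// pkg.ApkPkg is intentionally not listed here: <reason, issue link>`. A small table-driven unit test for `isOSPackage` covering the Apk, Portage and Alpm types would pin the behaviour, so a later edit cannot silently re-add or drop a type.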
@@ -256,16 +250,9 @@ func TestCompareSBOMInputToLibResults(t *testing.T) {
 // compare packages (shallow)
 matchSetFromSbom := getMatchSet(matchesFromSbom)
 matchSetFromImage := getMatchSet(matchesFromImage)
- sbomButNotDirect := strset.Difference(matchSetFromSbom, matchSetFromImage)
- directButNotSbom := strset.Difference(matchSetFromImage, matchSetFromSbom)
-
- for _, allowed := range tc.allowedExtraPackages {
- sbomButNotDirect.Remove(allowed)
- directButNotSbom.Remove(allowed)
- }
- assert.Empty(t, sbomButNotDirect.List(), "vulnerabilities present only in results when using sbom as input")
- assert.Empty(t, directButNotSbom.List(), "vulnerabilities present only in results when using image as input")
+ assert.Empty(t, strset.Difference(matchSetFromSbom, matchSetFromImage).List(), "vulnerabilities present only in results when using sbom as input")
+ assert.Empty(t, strset.Difference(matchSetFromImage, matchSetFromSbom).List(), "vulnerabilities present only in results when using image as input")
 // track all covered package types (for use after the test)
 for _, p := range pkgsFromSbom {