Default for recently added base path, "", disables detection of symlinked *.jar files

[CLechleitner42]

What happened:

When using syft packages against a temp directory with symlinks to *.jar files syft 0.85 in Linux does not find any package unless option --base-path / is used.

I suggest to change the default base path from "" to "/" (for unix type systems), but @kzantow suggests "We probably need a broader discussion to change the behavior", see #1867 (comment)

What you expected to happen:

I expected syft to find all packages represented by those symlinked *.jar files.

Steps to reproduce the issue:

• create temp directory, say /tmp/foobar
• symlink one or more *.jar files there ("good" jar files, that syft usually can detect the maven coordinates and license of)
• perform somethink like syft packages /tmp/foobar -o cyclonedx-json --file syft-bom.cdx.json
• the generated .cdx.json file has no packages
• repeast command with --base-path / and you get a .cdx.json with the Maven package(s) listed

Anything else we need to know?:

• I wasn't sure between reporting a bug or a feature request, but with a new feature changing behaviour (and breaking the core function for certain situations) I went for bug.

Environment:

• Output of syft version:

Application:        syft
Version:            0.85.0
JsonSchemaVersion:  9.0.0
BuildDate:          2023-07-12T17:42:24Z
GitCommit:          4fc17edd146af34ab06f5b0443ef8ddac3aaf076
GitDescription:     v0.85.0
Platform:           linux/amd64
GoVersion:          go1.20.5
Compiler:           gc

• OS (e.g: cat /etc/os-release or similar):

PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian

Remark: We automatically download the latest syft_*_linux_amd64.deb (only if it has changed, wget -N) daily and distribute it internally via an internal-ish deb repository for 3rd party software.