Stop iterating maps in catalogers

[willmurphyscode]

What happened:

We've seen a couple places in syft where we iterate over a map during cataloging. However, the order of map iteration in go is non-deterministic.

When iterating over a map with a range loop, the iteration order is not specified and is not guaranteed to be the same from one iteration to the next. If you require a stable iteration order you must maintain a separate data structure that specifies that order.

This is an overall tracking issue for places where syft catalogers accidentally assume that iterating over a map is deterministic. For example, sometimes we have a map and we iterate over it with a for loop looking for candidates that match some criteria. If more than one candidate matches the criteria, which candidate is selected will not be stable on repeated runs on syft with the same input, which can surprise users.

See #2170 for an example of fixing a narrow case of this behavior.

What you expected to happen:

Syft's output should be deterministic for a given input.

List of places we're iterating a map in syft at cataloging time

• syft/syft/pkg/cataloger/java/parse_java_manifest.go

  Lines 257 to 261 in 5d42a34

  	for _, section := range manifest.NamedSections {
  	if value := section[fieldName]; value != "" {
  	return value
  	}
  	}

• (add more)
• Add a linting rule to stop these