fix: sort invalid PURLs so they're properly compacted

Author: G-Rath

cmd/osv-scanner/__snapshots__/main_test.snap

@@ -542,9 +542,8 @@ Scanning dir ./fixtures/sbom-insecure/
 Scanned <rootdir>/fixtures/sbom-insecure/alpine.cdx.xml as CycloneDX SBOM and found 14 packages
 Scanned <rootdir>/fixtures/sbom-insecure/bad-purls.cdx.xml as CycloneDX SBOM and found 8 packages
 Ignored 6 packages with invalid PURLs
-Ignored invalid PURL "pkg:pypi/"
-Ignored invalid PURL "pkg:///"
 Ignored invalid PURL "/"
+Ignored invalid PURL "pkg:///"
 Ignored invalid PURL "pkg:apk/alpine/@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2"
 Ignored invalid PURL "pkg:pypi/"
 Scanned <rootdir>/fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX SBOM and found 136 packages
@@ -698,9 +697,8 @@ No issues found
 [TestRun/one_specific_supported_sbom_with_invalid_PURLs - 1]
 Scanned <rootdir>/fixtures/sbom-insecure/bad-purls.cdx.xml as CycloneDX SBOM and found 8 packages
 Ignored 6 packages with invalid PURLs
-Ignored invalid PURL "pkg:pypi/"
-Ignored invalid PURL "pkg:///"
 Ignored invalid PURL "/"
+Ignored invalid PURL "pkg:///"
 Ignored invalid PURL "pkg:apk/alpine/@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2"
 Ignored invalid PURL "pkg:pypi/"
 No issues found

pkg/osvscanner/osvscanner.go

@@ -506,6 +506,7 @@ func scanSBOMFile(r reporter.Reporter, path string, fromFSScan bool) ([]scannedP
 					len(ignoredPURLs),
 					output.Form(len(ignoredPURLs), "package", "packages"),
 				)
+				slices.Sort(ignoredPURLs)
 				for _, purl := range slices.Compact(ignoredPURLs) {
 					r.Warnf(
 						"Ignored invalid PURL \"%s\"\n",