bug: stop reporting VSCode extensions as NPM packages #3381

Open
willmurphyscode opened this issue Oct 24, 2024 · 0 comments
Labels
bug Something isn't working needs-investigation

Comments

@willmurphyscode
Contributor

What happened:

For some images, if there are vscode extensions present, these extensions leave a package.json that is shaped somewhat like NPM's package.json on the file system. Syft finds these package.jsons and reports them as NPM packages. However, they are not NPM packages; they are VS Code extensions.

What you expected to happen:

Syft should emit VS Code extension packages, or at least not emit NPM packages, for things that are clearly VS Code extensions.

Steps to reproduce the issue:

Note: this image is 1.3 GB and these repro steps are slowwww.

❯ syft -q gitlab/gitlab-ce:17.4.3-ce.0  | grep handlebars
handlebars                                                                   1.0.0                                                   npm                             
❯ syft -o json gitlab/gitlab-ce:17.4.3-ce.0 > gitlab.17.4.3-ce.0.syft.json
❯ cat gitlab.17.4.3-ce.0.syft.json| jq '.artifacts[] | select(.name == "handlebars") | .locations[] | .path'
"/opt/gitlab/embedded/service/gitlab-rails/public/assets/webpack/gitlab-vscode/0.0.1-dev-20240909013227/vscode/extensions/handlebars/package.json"
❯ docker run gitlab/gitlab-ce:17.4.3-ce.0 \
cat /opt/gitlab/embedded/service/gitlab-rails/public/assets/webpack/gitlab-vscode/0.0.1-dev-20240909013227/vscode/extensions/handlebars/package.json | \
jq .repository.url   
"https://github.com/microsoft/vscode.git"

So Syft is claiming that https://www.npmjs.com/package/handlebars is present at version 1.0.0 (which has a critical vuln), but really VS Code's built-in Handlebars Extension is present.

Anything else we need to know?:

  • This was reported because it causes false positives in Grype because the handlebars VS Code extension has a lower version than the NPM handlebars package.
  • Reported on discourse

Environment:

  • Output of syft version:
  • OS (e.g: cat /etc/os-release or similar):
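One way to tell the two manifest shapes apart, as an added example that is not Syft's own code: a heuristic classifier over the manifest fields (engines.vscode, contributes and activationEvents are assumed markers of a VS Code extension) plus the file path, run over constructed sample manifests modelled on the report above.

```python
import json
from pathlib import PurePosixPath

# Manifest keys that a VS Code extension manifest carries and a plain NPM
# package normally does not. Heuristic chosen for this example; it is an
# assumption, not the rule Syft's cataloger applies.
VSCODE_MANIFEST_KEYS = ("contributes", "activationEvents")


def classify_package_json(path: str, raw: str) -> str:
    """Return "vscode-extension" or "npm" for a package.json found at path."""
    manifest = json.loads(raw)
    engines = manifest.get("engines")
    # Strongest signal: an extension declares the VS Code API version it targets.
    if isinstance(engines, dict) and "vscode" in engines:
        return "vscode-extension"
    # Contribution points / activation events only mean something to VS Code.
    if any(key in manifest for key in VSCODE_MANIFEST_KEYS):
        return "vscode-extension"
    # Weakest signal: the manifest lives under a .../vscode/extensions/... tree.
    parts = PurePosixPath(path).parts
    if "vscode" in parts and "extensions" in parts:
        return "vscode-extension"
    return "npm"


def catalog(findings):
    """findings: iterable of (path, raw_json); returns [(name, version, type)]."""
    out = []
    for path, raw in findings:
        m = json.loads(raw)
        out.append((m.get("name"), m.get("version"), classify_package_json(path, raw)))
    return out


# Constructed sample manifests modelled on the report (not copied from the image).
EXTENSION_PATH = "/opt/gitlab/embedded/service/gitlab-rails/public/assets/webpack/gitlab-vscode/0.0.1-dev-20240909013227/vscode/extensions/handlebars/package.json"
EXTENSION_JSON = json.dumps({
    "name": "handlebars", "version": "1.0.0", "publisher": "vscode",
    "engines": {"vscode": "*"},
    "contributes": {"languages": [{"id": "handlebars"}]},
    "repository": {"type": "git", "url": "https://github.com/microsoft/vscode.git"},
})
NPM_PATH = "/app/node_modules/handlebars/package.json"  # constructed
NPM_JSON = json.dumps({"name": "handlebars", "version": "4.7.0", "main": "lib/index.js"})

if __name__ == "__main__":
    for row in catalog([(EXTENSION_PATH, EXTENSION_JSON), (NPM_PATH, NPM_JSON)]):
        print(row)
```

Only the first row would be a candidate for an NPM vulnerability match under this split; the extension manifest is reported under its own type instead of as npm handlebars 1.0.0.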
@willmurphyscode willmurphyscode added the bug Something isn't working label Oct 24, 2024
@willmurphyscode willmurphyscode moved this to Backlog in OSS Oct 24, 2024