Today, when scanning a source repository, including resolving packages from Maven `pom.xml`, Syft uses the metadata type `pkg.JavaArchive`, which is not really representative of what was scanned. These could perhaps use `JavaPomProject` as the top-level metadata.

Additionally, the dependency scope is being captured in `JavaPomProperties`, which is not the correct spot for this information -- it should be part of the relationship, but this is not being tracked as any part of the relationship today.
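To illustrate the shape being proposed, here is an added Go example (not Syft's own types or parser): it treats the scanned pom's coordinates as the top-level metadata and records each Maven dependency's scope on the relationship edge instead of on the package, defaulting to `compile` as Maven does. Keeping scope on the edge is what lets an SBOM consumer tell test-only dependencies apart from those that ship when matching vulnerabilities. The types `coord`, `dep`, `DependencyRel` and the sample pom are assumptions made for this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Minimal pom.xml model (hypothetical types, not Syft's own).
type coord struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
}
type dep struct{ coord; Scope string `xml:"scope"` }
type pom struct{ coord; Dependencies []dep `xml:"dependencies>dependency"` }
func (c coord) id() string { return c.GroupID + ":" + c.ArtifactID + ":" + c.Version }

// DependencyRel is a relationship edge; the Maven scope is carried here, not in package metadata.
type DependencyRel struct{ From, To, Scope string }

// parsePom returns the project's own coordinates (the top-level metadata) and one scoped edge per dependency.
func parsePom(data []byte) (coord, []DependencyRel, error) {
	var p pom
	if err := xml.Unmarshal(data, &p); err != nil {
		return coord{}, nil, err
	}
	var rels []DependencyRel
	for _, d := range p.Dependencies {
		scope := d.Scope
		if scope == "" {
			scope = "compile" // Maven's default when no <scope> is declared
		}
		rels = append(rels, DependencyRel{From: p.id(), To: d.id(), Scope: scope})
	}
	return p.coord, rels, nil
}

// samplePom is a constructed pom.xml used only for this demonstration.
const samplePom = `<project><groupId>com.example</groupId><artifactId>app</artifactId><version>1.0</version><dependencies>
<dependency><groupId>org.example</groupId><artifactId>lib</artifactId><version>2.1</version></dependency>
<dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13</version><scope>test</scope></dependency>
</dependencies></project>`

func main() {
	proj, rels, err := parsePom([]byte(samplePom))
	if err != nil {
		panic(err)
	}
	fmt.Println(proj.id(), rels)
}
```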