
grype fails to scan a go binary built using go1.24 #2482

Open
xnox opened this issue Feb 26, 2025 · 1 comment
Comments

xnox commented Feb 26, 2025

What happened:

Given this pulumi binary:

# syft /usr/bin/pulumi  | grep pulumi/pkg/v3
 ✔ Indexed file system                                                                                                                     /usr/bin/pulumi
 ✔ Cataloged contents                                                                     34581a5a7a042126717559e59c7817f65026ee2fdc977f2a5909bc55536f409b
   ├── ✔ Packages                        [212 packages]  
   ├── ✔ File digests                    [1 files]  
   ├── ✔ File metadata                   [1 locations]  
   └── ✔ Executables                     [1 executables]  
github.com/pulumi/pulumi/pkg/v3                                              v3.152.0+incompatible+dirty            go-module    

grype on it fails with:

# grype /usr/bin/pulumi 
 ✔ Indexed file system                                                                                                                     /usr/bin/pulumi
 ✔ Cataloged contents                                                                     34581a5a7a042126717559e59c7817f65026ee2fdc977f2a5909bc55536f409b
   ├── ✔ Packages                        [212 packages]  
   ├── ✔ File digests                    [1 files]  
   ├── ✔ File metadata                   [1 locations]  
   └── ✔ Executables                     [1 executables]  
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored 
[0002]  WARN could not match by package language (package=Pkg(type=go-module, name=github.com/pulumi/pulumi/pkg/v3, version=v3.152.0+incompatible+dirty, ups
No vulnerabilities found

What you expected to happen:

I expect grype to manage to scan that binary. Note that +incompatible+dirty are largely side-effects of go build processes.

How to reproduce it (as minimally and precisely as possible):

$ wget -O pulumi-3.152.0-r0.apk.tar.gz https://packages.wolfi.dev/os/x86_64/pulumi-3.152.0-r0.apk
$ grype pulumi-3.152.0-r0.apk.tar.gz
 ✔ Indexed file system                                                                                               /tmp/syft-archive-contents-2698617573
 ✔ Cataloged contents                                                                     e89677734f8f3392b4f38191417e75fef5c46be991b49e06b32360dc7f645419
   ├── ✔ Packages                        [212 packages]  
   ├── ✔ File digests                    [1 files]  
   ├── ✔ File metadata                   [1 locations]  
   └── ✔ Executables                     [1 executables]  
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored 
[0003]  WARN could not match by package language (package=Pkg(type=go-module, name=github.com/pulumi/pulumi/pkg/v3, version=v3.152.0+incompatible+dirty, ups
No vulnerabilities found

There should be no warning.

If you want to build that go binary yourself, you can do:

  1. git clone pulumi project
  2. modify any file to make tree dirty
  3. go get go@latest => to get go 1.24
  4. build the binary in pkg/

Anything else we need to know?: we love grype

Full warning is visible with -v only as

[0002]  WARN could not match by package language (package=Pkg(type=go-module, name=github.com/pulumi/pulumi/pkg/v3, version=v3.152.0+incompatible+dirty, upstreams=0)): matcher failed to parse version pkg="github.com/pulumi/pulumi/pkg/v3" ver="v3.152.0+incompatible+dirty": Malformed version: v3.152.0+incompatible+dirty

Environment:

  • Output of grype version: latest
  • OS (e.g: cat /etc/os-release or similar): linux
@xnox xnox added the bug Something isn't working label Feb 26, 2025
westonsteimel (Contributor) commented:

It appears to happen when there are multiple + in the version. If it is just +dirty or just +incompatible, grype seems not to complain. So probably just a change is needed to the go version formatter to allow multiple + sections.

xnox added a commit to xnox/grype that referenced this issue Feb 26, 2025
Try to workaround the +incompatible+dirty versions that go1.24 generates.

See:
- anchore#2482
- golang/go#71969

Signed-off-by: Dimitri John Ledkov <[email protected]>
@willmurphyscode willmurphyscode moved this to In Progress in OSS Feb 26, 2025
xnox added a commit to xnox/grype that referenced this issue Feb 26, 2025
go1.24.0 stamps versions with `+incompatible+dirty` which is an
invalid SemVer version. Add a fixup to correct this to SemVer
compliant buildinfo version of `+incompatible.dirty` with a test case.

Related:
- golang/go#71971
- anchore#2482

Signed-off-by: Dimitri John Ledkov <[email protected]>
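To make the failure mode concrete: SemVer 2.0.0 allows exactly one `+` introducing build metadata, and the metadata itself is a dot-separated list of identifiers, so `v3.152.0+incompatible+dirty` is malformed while `v3.152.0+incompatible.dirty` is not. The Go program below is an added example written for this page; it is not grype's version matcher nor anything from the linked commits. It uses only the standard library, and the function names `IsSemver` and `NormalizeBuildMetadata` and the regular expression are this example's own; the grammar encoded in the regex is the one from the SemVer specification, with an optional leading `v` as Go module versions carry it.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// semverRe encodes the SemVer 2.0.0 grammar (MAJOR.MINOR.PATCH, optional
// pre-release, optional build metadata) with an optional leading "v".
// Build metadata is a single "+" followed by dot-separated identifiers of
// [0-9A-Za-z-]; a second "+" cannot match, which is exactly what rejects
// "+incompatible+dirty".
var semverRe = regexp.MustCompile(
	`^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)` +
		`(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)` +
		`(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?` +
		`(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`)

// IsSemver reports whether v is a well-formed (optionally v-prefixed) SemVer string.
func IsSemver(v string) bool {
	return semverRe.MatchString(v)
}

// NormalizeBuildMetadata applies the fixup described in the commit message
// above: when a version carries more than one "+" section, the sections are
// joined into a single build-metadata list separated by ".", which SemVer
// permits. Versions with zero or one "+" are returned unchanged. An error is
// returned if the result is still not valid SemVer, so callers never feed a
// guessed string into a comparison.
func NormalizeBuildMetadata(v string) (string, error) {
	i := strings.Index(v, "+")
	if i < 0 {
		if !IsSemver(v) {
			return "", fmt.Errorf("malformed version: %q", v)
		}
		return v, nil
	}
	core, meta := v[:i], v[i+1:]
	parts := strings.Split(meta, "+")
	for _, p := range parts {
		if p == "" {
			return "", errors.New("empty build-metadata section in " + v)
		}
	}
	fixed := core + "+" + strings.Join(parts, ".")
	if !IsSemver(fixed) {
		return "", fmt.Errorf("still malformed after fixup: %q", fixed)
	}
	return fixed, nil
}

func main() {
	// Constructed sample inputs: the version from the issue, the two
	// single-suffix forms the comment above says grype accepts, and a
	// plain release.
	samples := []string{
		"v3.152.0+incompatible+dirty",
		"v3.152.0+incompatible",
		"v3.152.0+dirty",
		"v3.152.0",
	}
	for _, s := range samples {
		fixed, err := NormalizeBuildMetadata(s)
		fmt.Printf("%-30s valid=%-5v -> %q err=%v\n", s, IsSemver(s), fixed, err)
	}
}
```

The normalisation deliberately keeps the metadata text intact rather than dropping it: SemVer says build metadata must be ignored when ordering versions, so `v3.152.0+incompatible.dirty` still compares equal to `v3.152.0` for matching purposes, and the `dirty` marker remains visible for anyone auditing whether a shipped binary was built from an unmodified tree.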