Syft reports the wrong version of the go package from binary (F/P findings on Grype result)

[Dentrax]

What happened:

$ grype docker.io/mattermost/mattermost-enterprise-edition:9.7.1

github.com/mattermost/mattermost/server/v8  3.45.1

Where is the 3.45.1 value coming from?

$ syft docker.io/mattermost/mattermost-enterprise-edition:9.7.1

github.com/mattermost/mattermost/server/v8      3.45.1

go version -m all ./mattermost

path    github.com/mattermost/mattermost/server/v8/cmd/mattermost
  mod github.com/mattermost/mattermost/server/v8  (devel) 
  dep code.sajari.com/docconv/v2  v2.0.0-pre.4    h1:1yQrSTah9rMSC/s1T9bq2H2j1NuRTppeApqZf2A8Zbc=
  dep github.com/JalfResi/justext v0.0.0-20221106200834-be571e3e3052  h1:8T2zMbhLBbH9514PIQVHdsGhypMrsB4CxwbldKA9sBA=
  dep github.com/Masterminds/semver/v3    v3.2.1  h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
  dep github.com/PuerkitoBio/goquery  v1.9.0  h1:zgjKkdpRY9T97Q5DCtcXwfqkcylSFIVCocZmn2huTp8=
  dep github.com/RoaringBitmap/roaring    v1.9.0  h1:lwKhr90/j0jVXJyh5X+vQN1VVn77rQFfYnh6RDRGCcE=
  dep github.com/advancedlogic/GoOse  v0.0.0-20231203033844-ae6b36caf275  h1:Kuhf+w+ilOGoXaR4O4nZ6Dp+ZS83LdANUjwyMXsPGX4=
  dep github.com/andybalholm/brotli   v1.1.0  h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
  dep github.com/andybalholm/cascadia v1.3.2  h1:3Xi6Dw5lHF15JtdcmAHD3i1+T8plmv7BQ/nsViSLyss=
  dep github.com/araddon/dateparse    v0.0.0-20210429162001-6b43995a97de  h1:FxWPpzIjnTlhPwqqXc4/vE0f7GvRjuAsbW+HOIe8KnA=
  dep github.com/avct/uasurfer    v0.0.0-20191028135549-26b5daa857f1  h1:9h8f71kuF1pqovnn9h7LTHLEjxzyQaj0j1rQq5nsMM4=
  dep github.com/aws/aws-sdk-go   v1.50.27    h1:96ifhrSuja+AzdP3W/T2337igqVQ2FcSIJYkk+0rCeA=
  dep github.com/aymerick/douceur v0.2.0  h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
  dep github.com/beorn7/perks v1.0.1  h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
  dep github.com/bits-and-blooms/bitset   v1.13.0 h1:bAQ9OPNFYbGHV6Nez0tmNI0RiEu7/hxlYJRUA0wFAVE=
  dep github.com/bits-and-blooms/bloom/v3 v3.6.0  h1:dTU0OVLJSoOhz9m68FTXMFfA39nR8U/nTCs1zb26mOI=
  dep github.com/blang/semver/v4  v4.0.0  h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
  dep github.com/blevesearch/bleve/v2 v2.3.10 h1:z8V0wwGoL4rp7nG/O3qVVLYxUqCbEwskMt4iRJsPLgg=
  dep github.com/blevesearch/bleve_index_api  v1.1.6  h1:orkqDFCBuNU2oHW9hN2YEJmet+TE9orml3FCGbl1cKk=
  dep github.com/blevesearch/geo  v0.1.20 h1:paaSpu2Ewh/tn5DKn/FB5SzvH0EWupxHEIwbCk/QPqM=
  dep github.com/blevesearch/go-porterstemmer v1.0.3  h1:GtmsqID0aZdCSNiY8SkuPJ12pD4jI+DdXTAn4YRcHCo=
  dep github.com/blevesearch/gtreap   v0.1.1  h1:2JWigFrzDMR+42WGIN/V2p0cUvn4UP3C4Q5nmaZGW8Y=
  dep github.com/blevesearch/mmap-go  v1.0.4  h1:OVhDhT5B/M1HNPpYPBKIEJaD0F3Si+CrEKULGCDPWmc=
  dep github.com/blevesearch/scorch_segment_api/v2    v2.2.8  h1:+OLW38LuRKio6N6V0gIk1srwFz79FJ5v2sNqHz2HVAA=
  dep github.com/blevesearch/segment  v0.9.1  h1:+dThDy+Lvgj5JMxhmOVlgFfkUtZV2kw49xax4+jTfSU=
  dep github.com/blevesearch/snowballstem v0.9.0  h1:lMQ189YspGP6sXvZQ4WZ+MLawfV8wOmPoD/iWeNXm8s=
  dep github.com/blevesearch/upsidedown_store_api v1.0.2  h1:U53Q6YoWEARVLd1OYNc9kvhBMGZzVrdmaozG2MfoB+A=
  dep github.com/blevesearch/vellum   v1.0.10 h1:HGPJDT2bTva12hrHepVT3rOyIKFFF4t7Gf6yMxyMIPI=
  dep github.com/blevesearch/zapx/v11 v11.3.10    h1:hvjgj9tZ9DeIqBCxKhi70TtSZYMdcFn7gDb71Xo/fvk=
  dep github.com/blevesearch/zapx/v12 v12.3.10    h1:yHfj3vXLSYmmsBleJFROXuO08mS3L1qDCdDK81jDl8s=
  dep github.com/blevesearch/zapx/v13 v13.3.10    h1:0KY9tuxg06rXxOZHg3DwPJBjniSlqEgVpxIqMGahDE8=
  dep github.com/blevesearch/zapx/v14 v14.3.10    h1:SG6xlsL+W6YjhX5N3aEiL/2tcWh3DO75Bnz77pSwwKU=
  dep github.com/blevesearch/zapx/v15 v15.3.13    h1:6EkfaZiPlAxqXz0neniq35my6S48QI94W/wyhnpDHHQ=
  dep github.com/cespare/xxhash/v2    v2.2.0  h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
  dep github.com/davecgh/go-spew  v1.1.2-0.20180830191138-d8f796af33cc    h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
  dep github.com/dgryski/dgoogauth    v0.0.0-20190221195224-5a805980a5f3  h1:AqeKSZIG/NIC75MNQlPy/LM3LxfpLwahICJBHwSMFNc=
  dep github.com/dgryski/go-rendezvous    v0.0.0-20200823014737-9f7001d12a5f  h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
  dep github.com/disintegration/imaging   v1.6.2  h1:w1LecBlG2Lnp8B3jk5zSuNqd7b4DXhcjwek1ei82L+c=
  dep github.com/dsnet/compress   v0.0.2-0.20210315054119-f66993602bf5    h1:iFaUwBSo5Svw6L7HYpRu/0lE3e0BaElwnNO1qkNQxBY=
  dep github.com/dustin/go-humanize   v1.0.1  h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
  dep github.com/dyatlov/go-opengraph/opengraph   v0.0.0-20220524092352-606d7b1e5f8a  h1:etIrTD8BQqzColk9nKRusM9um5+1q0iOEJLqfBMIK64=
  dep github.com/fatih/color  v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
  dep github.com/fatih/set    v0.2.1  h1:nn2CaJyknWE/6txyUDGwysr3G5QC6xWB/PtVjPBbeaA=
  dep github.com/felixge/httpsnoop    v1.0.4  h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
  dep github.com/francoispqt/gojay    v1.2.13 h1:d2m3sFjloqoIUQU3TsHBgj6qg/BVGlTBeHDUmyJnXKk=
  dep github.com/fsnotify/fsnotify    v1.7.0  h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
  dep github.com/getsentry/sentry-go  v0.27.0 h1:Pv98CIbtB3LkMWmXi4Joa5OOcwbmnX88sF5qbK3r3Ps=
  dep github.com/gigawattio/window    v0.0.0-20180317192513-0f5467e35573  h1:u8AQ9bPa9oC+8/A/jlWouakhIvkFfuxgIIRjiy8av7I=
  dep github.com/go-asn1-ber/asn1-ber v1.5.5  h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
  dep github.com/go-resty/resty/v2    v2.11.0 h1:i7jMfNOJYMp69lq7qozJP+bjgzfAzeOhuGlyDrqxT/8=
  dep github.com/go-sql-driver/mysql  v1.7.1  h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI=
  dep github.com/golang-jwt/jwt/v5    v5.2.0  h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
  dep github.com/golang-migrate/migrate/v4    v4.17.0 h1:rd40H3QXU0AA4IoLllFcEAEo9dYKRHYND2gB4p7xcaU=
  dep github.com/golang/freetype  v0.0.0-20170609003504-e2365dfdc4a0  h1:DACJavvAHhabrF08vX0COfcOBJRhZ8lUbR+ZWIs0Y5g=
  dep github.com/golang/geo   v0.0.0-20230421003525-6adc56603217  h1:HKlyj6in2JV6wVkmQ4XmG/EIm+SCYlPZ+V4GWit7Z+I=
  dep github.com/golang/protobuf  v1.5.3  h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
  dep github.com/golang/snappy    v0.0.4  h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
  dep github.com/google/uuid  v1.6.0  h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
  dep github.com/gorilla/css  v1.0.1  h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
  dep github.com/gorilla/handlers v1.5.2  h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
  dep github.com/gorilla/mux  v1.8.1  h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
  dep github.com/gorilla/schema   v1.2.1  h1:tjDxcmdb+siIqkTNoV+qRH2mjYdr2hHe5MKXbp61ziM=
  dep github.com/gorilla/websocket    v1.5.1  h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
  dep github.com/h2non/go-is-svg  v0.0.0-20160927212452-35e8c4b0612c  h1:fEE5/5VNnYUoBOj2I9TP8Jc+a7lge3QWn9DKE7NCwfc=
  dep github.com/hashicorp/errwrap    v1.1.0  h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
  dep github.com/hashicorp/go-hclog   v1.6.2  h1:NOtoftovWkDheyUM/8JW3QMiXyxJK3uHRK7wV04nD2I=
  dep github.com/hashicorp/go-multierror  v1.1.1  h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
  dep github.com/hashicorp/go-plugin  v1.6.0  h1:wgd4KxHJTVGGqWBq4QPB1i5BZNEx9BR8+OFmHDmTk8A=
  dep github.com/hashicorp/golang-lru v1.0.2  h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c=
  dep github.com/hashicorp/yamux  v0.1.1  h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
  dep github.com/jaytaylor/html2text  v0.0.0-20230321000545-74c2419ad056  h1:iCHtR9CQyktQ5+f3dMVZfwD2KWJUgm7M0gdL9NGr8KA=
  dep github.com/jmespath/go-jmespath v0.4.0  h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
  dep github.com/jmoiron/sqlx v1.3.5  h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g=
  dep github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
  dep github.com/klauspost/compress   v1.17.7 h1:ehO88t2UGzQK66LMdE8tibEd1ErmzZjNEqWkjLAKQQg=
  dep github.com/klauspost/cpuid/v2   v2.2.7  h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuVLDM=
  dep github.com/klauspost/pgzip  v1.2.6  h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
  dep github.com/lann/builder v0.0.0-20180802200727-47ae307949d0  h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw=
  dep github.com/lann/ps  v0.0.0-20150810152359-62de8c46ede0  h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk=
  dep github.com/ledongthuc/pdf   v0.0.0-20240201131950-da5b75280b06  h1:kacRlPN7EN++tVpGUorNGPn/4DnB7/DfTY82AOn6ccU=
  dep github.com/levigross/exp-html   v0.0.0-20120902181939-8df60c69a8f5  h1:W7p+m/AECTL3s/YR5RpQ4hz5SjNeKzZBl1q36ws12s0=
  dep github.com/lib/pq   v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
  dep github.com/mattermost/go-i18n   v1.11.1-0.20211013152124-5c415071e404   h1:Khvh6waxG1cHc4Cz5ef9n3XVCxRWpAKUtqg9PJl5+y8=
  dep github.com/mattermost/ldap  v0.0.0-20231116144001-0f480c025956  h1:Y1Tu/swM31pVwwb2BTCsOdamENjjWCI6qmfHLbk6OZI=
  dep github.com/mattermost/logr/v2   v2.0.21 h1:CMHsP+nrbRlEC4g7BwOk1GAnMtHkniFhlSQPXy52be4=
  dep github.com/mattermost/mattermost/server/public  (devel) 
  dep github.com/mattermost/morph v1.1.0  h1:Q9vrJbeM3s2jfweGheq12EFIzdNp9a/6IovcbvOQ6Cw=
  dep github.com/mattermost/rsc   v0.0.0-20160330161541-bbaefb05eaa0  h1:G9tL6JXRBMzjuD1kkBtcnd42kUiT6QDwxfFYu7adM6o=
  dep github.com/mattermost/squirrel  v0.4.0  h1:azf9LZ+8JUTAvwt/njB1utkPqWQ6e7Rje2ya5N0P2i4=
  dep github.com/mattn/go-colorable   v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
  dep github.com/mattn/go-isatty  v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
  dep github.com/mattn/go-runewidth   v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
  dep github.com/mholt/archiver/v3    v3.5.1  h1:rDjOBX9JSF5BvoJGvjqK479aL70qh9DIpZCl+k7Clwo=
  dep github.com/microcosm-cc/bluemonday  v1.0.26 h1:xbqSvqzQMeEHCqMi64VAs4d8uy6Mequs3rQ0k/Khz58=
  dep github.com/minio/md5-simd   v1.1.2  h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
  dep github.com/minio/minio-go/v7    v7.0.67 h1:BeBvZWAS+kRJm1vGTMJYVjKUNoo0FoEt/wUWdUtfmh8=
  dep github.com/minio/sha256-simd    v1.0.1  h1:6kaan5IFmwTNynnKKpDHe6FWHohJOHhCPchzK49dzMM=
  dep github.com/mitchellh/go-testing-interface   v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
  dep github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd  h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
  dep github.com/modern-go/reflect2   v1.0.2  h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
  dep github.com/ncruces/go-strftime  v0.1.9  h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
  dep github.com/nwaples/rardecode    v1.1.3  h1:cWCaZwfM5H7nAD6PyEdcVnczzV8i/JtotnyW/dD9lEc=
  dep github.com/oklog/run    v1.1.0  h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
  dep github.com/olekukonko/tablewriter   v0.0.5  h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
  dep github.com/oov/psd  v0.0.0-20220121172623-5db5eafcecbb  h1:JF9kOhBBk4WPF7luXFu5yR+WgaFm9L/KiHJHhU9vDwA=
  dep github.com/opentracing/opentracing-go   v1.2.0  h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
  dep github.com/pborman/uuid v1.2.1  h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
  dep github.com/pelletier/go-toml    v1.9.5  h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
  dep github.com/philhofer/fwd    v1.1.2  h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
  dep github.com/pierrec/lz4/v4   v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
  dep github.com/pkg/errors   v0.9.1  h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
  dep github.com/pmezard/go-difflib   v1.0.1-0.20181226105442-5d4384ee4fb2    h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
  dep github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
  dep github.com/prometheus/client_model  v0.6.0  h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos=
  dep github.com/prometheus/common    v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=
  dep github.com/prometheus/procfs    v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
  dep github.com/redis/go-redis/v9    v9.5.1  h1:H1X4D3yHPaYrkL5X06Wh6xNVM/pX0Ft4RV0vMGvLBh8=
  dep github.com/reflog/dateconstraints   v0.2.1  h1:Hz1n2Q1vEm0Rj5gciDQcCN1iPBwfFjxUJy32NknGP/s=
  dep github.com/remyoudompheng/bigfft    v0.0.0-20230129092748-24d4a6f8daec  h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
  dep github.com/richardlehane/mscfb  v1.0.4  h1:WULscsljNPConisD5hR0+OyZjwK46Pfyr6mPu5ZawpM=
  dep github.com/richardlehane/msoleps    v1.0.3  h1:aznSZzrwYRl3rLKRT3gUk9am7T/mLNSnJINvN0AQoVM=
  dep github.com/rivo/uniseg  v0.4.7  h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
  dep github.com/rs/cors  v1.10.1 h1:L0uuZVXIKlI1SShY2nhFfo44TYvDPQ1w4oFkUJNfhyo=
  dep github.com/rs/xid   v1.5.0  h1:mKX4bl4iPYJtEIxp6CYiUuLQ/8DYMoz0PUdtGgMFRVc=
  dep github.com/rudderlabs/analytics-go  v3.3.3+incompatible h1:OG0XlKoXfr539e2t1dXtTB+Gr89uFW+OUNQBVhHIIBY=
  dep github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd  h1:CmH9+J6ZSsIjUK3dcGsnCnO41eRBOnY12zwkn5qVwgc=
  dep github.com/segmentio/backo-go   v1.0.1  h1:68RQccglxZeyURy93ASB/2kc9QudzgIDexJ927N++y4=
  dep github.com/spf13/cobra  v1.8.0  h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
  dep github.com/spf13/pflag  v1.0.5  h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
  dep github.com/splitio/go-client/v6 v6.5.2  h1:iMJSb5lQYpHRknexZHKnKfW1Y5kFi86/xRIiPQ9jU04=
  dep github.com/splitio/go-split-commons/v5  v5.2.1  h1:h8Up3Jk6NFkHSYCj4Sr15uuoxQwFqPr3gn0G4vghM/8=
  dep github.com/splitio/go-toolkit/v5    v5.4.0  h1:g5WFpRhQomnXCmvfsNOWV4s5AuUrWIZ+amM68G8NBKM=
  dep github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf  h1:pvbZ0lM0XWPBqUKqFU8cmavspvIl9nulOYwdy6IFRRo=
  dep github.com/stretchr/objx    v0.5.1  h1:4VhoImhV/Bm0ToFkXFi8hXNXwpDRZ/ynw3amt82mzq0=
  dep github.com/stretchr/testify v1.8.4  h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
  dep github.com/throttled/throttled  v2.2.5+incompatible h1:65UB52X0qNTYiT0Sohp8qLYVFwZQPDw85uSa65OljjQ=
  dep github.com/tidwall/gjson    v1.17.1 h1:wlYEnwqAHgzmhNUFfw7Xalt2JzQvsMx2Se4PcoFCT/U=
  dep github.com/tidwall/match    v1.1.1  h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
  dep github.com/tidwall/pretty   v1.2.1  h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
  dep github.com/tinylib/msgp v1.1.9  h1:SHf3yoO2sGA0veCJeCBYLHuttAVFHGm2RHgNodW7wQU=
  dep github.com/uber/jaeger-client-go    v2.30.0+incompatible    h1:D6wyKGCecFaSRUpo8lCVbaOOb6ThwMmTEbhRwtKR97o=
  dep github.com/uber/jaeger-lib  v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVKhn2Um6rjCsSsg=
  dep github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
  dep github.com/vmihailenco/msgpack/v5   v5.4.1  h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8=
  dep github.com/vmihailenco/tagparser/v2 v2.0.0  h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
  dep github.com/wiggin77/merror  v1.0.5  h1:P+lzicsn4vPMycAf2mFf7Zk6G9eco5N+jB1qJ2XW3ME=
  dep github.com/wiggin77/srslog  v1.0.1  h1:gA2XjSMy3DrRdX9UqLuDtuVAAshb8bE1NhX1YK0Qe+8=
  dep github.com/xi2/xz   v0.0.0-20171230120015-48954b6210f8  h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
  dep github.com/xtgo/uuid    v0.0.0-20140804021211-a0b114877d4c  h1:3lbZUMbMiGUW/LMkfsEABsc5zNT9+b1CvsJx47JzJ8g=
  dep github.com/yuin/goldmark    v1.7.0  h1:EfOIvIMZIzHdB/R/zVrikYLPPwJlfMcNczJFMs1m6sA=
  dep go.etcd.io/bbolt    v1.3.9  h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI=
  dep go.uber.org/atomic  v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
  dep golang.org/x/crypto v0.20.0 h1:jmAMJJZXr5KiCw05dfYK9QnqaqKLYXijU23lsEdcQqg=
  dep golang.org/x/exp    v0.0.0-20240222234643-814bf88cf225  h1:LfspQV/FYTatPTr/3HzIcmiUFH7PGP+OQ6mgDYo3yuQ=
  dep golang.org/x/image  v0.15.0 h1:kOELfmgrmJlw4Cdb7g/QGuB3CvDrXbqEIww/pNtNBm8=
  dep golang.org/x/net    v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
  dep golang.org/x/sync   v0.6.0  h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
  dep golang.org/x/sys    v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
  dep golang.org/x/text   v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
  dep google.golang.org/genproto/googleapis/rpc   v0.0.0-20240227224415-6ceb2ff114de  h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY=
  dep google.golang.org/grpc  v1.62.0 h1:HQKZ/fa1bXkX1oFOvSjmZEUL8wLSaZTjCcLAlmZRtdk=
  dep google.golang.org/protobuf  v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
  dep gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
  dep gopkg.in/mail.v2    v2.3.1  h1:WYFn/oANrAGP2C0dcV6/pbkPzv8yGzqTjPmTeO7qoXk=
  dep gopkg.in/natefinch/lumberjack.v2    v2.2.1  h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
  dep gopkg.in/yaml.v2    v2.4.0  h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
  dep gopkg.in/yaml.v3    v3.0.1  h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
  dep modernc.org/libc    v1.41.0 h1:g9YAc6BkKlgORsUWj+JwqoB1wU3o4DE3bM3yvA3k+Gk=
  dep modernc.org/mathutil    v1.6.0  h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
  dep modernc.org/memory  v1.7.2  h1:Klh90S215mmH8c9gO98QxQFsY+W451E8AnzjoE2ee1E=
  dep modernc.org/sqlite  v1.29.2 h1:xgBSyA3gemwgP31PWFfFjtBorQNYpeypGdoSDjXhrgI=
  build   -buildmode=pie
  build   -compiler=gc
  build   -ldflags="-X \"github.com/mattermost/mattermost/server/public/model.BuildNumber=dev\" -X \"github.com/mattermost/mattermost/server/public/model.BuildDate=n/a\" -X \"github.com/mattermost/mattermost/server/public/model.BuildHash=6eb3d42f52be6d36ff6a931f2be44e3f7cdebe38\" -X \"github.com/mattermost/mattermost/server/public/model.BuildHashEnterprise=none\" -X \"github.com/mattermost/mattermost/server/public/model.BuildEnterpriseReady=false\" -X \"github.com/mattermost/mattermost/server/public/model.MockCWS=false\" -X \"github.com/mattermost/mattermost/server/public/model.MattermostGiphySdkKey=\""
  build   -tags=sourceavailable,production
  build   -trimpath=true
  build   CGO_ENABLED=1
  build   GOARCH=amd64
  build   GOOS=linux
  build   GOAMD64=v1
  build   vcs=git
  build   vcs.revision=6eb3d42f52be6d36ff6a931f2be44e3f7cdebe38
  build   vcs.time=2024-05-23T18:41:33Z
  build   vcs.modified=true

Are those CVEs false-positives?

What you expected to happen:

Syft should mark that github.com/mattermost/mattermost/server/v8 dependency version as 8.x instead of ``3.45.1`?

trivy image docker.io/mattermost/mattermost-enterprise-edition:9.7.1 --scanners vuln

Trivy doesn't find github.com/mattermost/mattermost/server/v8 CVEs.

Steps to reproduce the issue:
See the commands above.

Anything else we need to know?:

Workaround is to set something like -X "main.Version=9.9.0".

Environment:

• Output of syft version: 1.7.0
• OS (e.g: cat /etc/os-release or similar): macOS

[popey]

Hi @Dentrax, thanks for the report on the issue.
I've reproduced it here.

syft docker.io/mattermost/mattermost-enterprise-edition:9.7.1 | grep 3.45.1
 ✔ Parsed image                                                                                                                                sha256:80ff40282191265fdc14fc4d3e36b10c508bce874a2f56cdcc46ff9461ca03ef
 ✔ Cataloged contents                                                                                                                                 fa86ca43154e0081c4722d2674c1d9c64d048aec6b9679aca38da64330186ab7
   ├── ✔ Packages                        [569 packages]
   ├── ✔ File digests                    [6,115 files]
   ├── ✔ File metadata                   [6,115 locations]
   └── ✔ Executables                     [883 executables]
github.com/mattermost/mattermost/server/v8      3.45.1                                   go-module  (+1 duplicate)

Not sure where it's getting that version from, but we'll take a look.

[wagoodman]

Today we try a variety of strategies to infer the main modules version (vcs info, ldflags, etc) but ultimately this might not result in any version. As a last ditch effort we attempt to look for semver-like strings within the binary, which can be brittle (as evidence of this issue). We can't wait for golang/go#50603 to land so we can depend on a supported mechanism instead of the existing content search we're doing today.

[wagoodman]

We should probably add a facility for the go binary cataloger to take a set of binary classifiers (reusing the binary catalogers code) in cases when a regex for finding the version within a binary is known. At the same time, any regexes we have in the binary classifier we have already for go applications should be ported to the new go binary cataloger config being dreamed up here.

[kzantow]

Dev note: it would probably involve modifying the findMainModuleVersion, here where it has a last-ditch effort to scan the entire contents: https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/golang/parse_go_binary.go#L227-L236

Additionally, there is a Yaml-based binary cataloger experiment I would mention, it could be useful to implement this or some analogous cataloger to make defining rules easier and potentially able to distribute them separately from the syft binary instead of taking exactly what is in the binary classifier today.

[luhring]

The go build command now sets the main module’s version in the compiled binary based on the version control system tag and/or commit. A +dirty suffix will be appended if there are uncommitted changes. Use the -buildvcs=false flag to omit version control information from the binary.

https://tip.golang.org/doc/go1.24#go-command

[luhring]

I'm wondering if this issue has been largely handled by #3660 (cc: @wagoodman and @westonsteimel), with potentially two cases to note...

1. Since there will be common cases when Go is adding the +dirty suffix to the main module version, I'm curious whether that's okay to propagate to CPEs/PURLs/etc. as-is, or if we should think about cleaning up the version string first (for downstream consumptions that can't handle it, that is; we could leave it in place in the go-module metadata block or something). I'm curious about the impact on vuln matching, especially with any v6-related changes in Grype that I don't understand yet 😅. E.g.:

        {
          "cpe": "cpe:2.3:a:wolfi:wolfictl:v0.29.1\\+dirty:*:*:*:*:*:*:*",
          "source": "syft-generated"
        }
      ],
      "purl": "pkg:golang/github.com/wolfi-dev/[email protected]%2Bdirty",

2. I'm guessing we might still want to handle Go binaries built w/ Go 1.23.x and earlier. A few weeks back, @wagoodman and I talked about the idea of turning off the full bytes regexing by default since it's so prone to FPs, but letting users optionally turn it back on via configuration. Does that sound like a good thing to do at this point?

[luhring]

Since there will be common cases when Go is adding the +dirty suffix to the main module version, I'm curious whether that's okay to propagate [...]

Yeah I think the +dirty might need attention in matching land?

2025/02/25 18:40:52 WARN could not match by package language (package=Pkg(type=go-module, name=github.com/mattermost/mattermost/server/v8, version=v10.0.4+incompatible+dirty, upstreams=0)): matcher failed to parse version pkg="github.com/mattermost/mattermost/server/v8" ver="v10.0.4+incompatible+dirty": Malformed version: v10.0.4+incompatible+dirty

[luhring]

Yeah I think the +dirty might need attention in matching land?

x-ref: anchore/grype#2482