syft shows (devel) version for git-lfs while git-lfs version command shows 3.6.0

[Bruceliu-rs]

What happened:
syft generated git-lfs library with 'devel' version number, which was reported in DT(Dependency Track) as vulnerability.

syft scan f96bcfd2281c --select-catalogers "go"

github.com/git-lfs/git-lfs/v3 (devel) go-module

What you expected to happen:
It should show 3.6.0 like the git lfs version command
git lfs version
git-lfs/3.6.0 (GitHub; linux amd64; go 1.23.3; git 6340befc)
Steps to reproduce the issue:
docker pull docker.io/jenkins/jenkins:2.493
syft scan jenkins/jenkins:2.493 --select-catalogers "go"

docker run -u root -it 03347633fbe6 /bin/bash

git lfs version

Anything else we need to know?:
The jenkins docker image is from Debian bookworm release.

Environment:

• Output of syft version:
  Application: syft
  Version: 1.18.1
  BuildDate: 2024-12-13T18:41:10Z
  GitCommit: 5e16e50
  GitDescription: v1.18.1
  Platform: linux/amd64
  GoVersion: go1.23.4
  Compiler: gc

• OS (e.g: cat /etc/os-release or similar):
  PRETTY_NAME="Ubuntu 24.04.1 LTS"
  NAME="Ubuntu"
  VERSION_ID="24.04"
  VERSION="24.04.1 LTS (Noble Numbat)"
  VERSION_CODENAME=noble
  ID=ubuntu
  ID_LIKE=debian
  HOME_URL="https://www.ubuntu.com/"
  SUPPORT_URL="https://help.ubuntu.com/"
  BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
  PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
  UBUNTU_CODENAME=noble
  LOGO=ubuntu-logogithub.com/git-lfs/git-lfs/v3 (devel)

[spiffcs]

👋 thanks for the issue @Bruceliu-rs - I've added a comment from another issue that explains why this might be the case when syft fails to find the version.
#2980 (comment)

This issue is also related:
#3324

[Bruceliu-rs]

Hi @spiffcs , thanks for the confirmation, so I guess we need to wait for go 1.24 release, which is planned to release Feb 2025, two weeks later. I can wait. :)

[spiffcs]

Yea - that doesn't guarantee that when it comes out binaries built with previous compilers will have the version information, but as newer code get's released and 1.24 becomes an "older" version that people have updated to and surpassed you should see the percentage of binaries with this information embedded increase over the course of the year.

I've bookmarked this issue so we're ready for it in syft and can get a release to match that functionality as soon as it's available

[wagoodman]

Based off of what I'm seeing this would be tricky to try and make a stable pattern for this. Take this, which is an installation from brew of git-lfs:

00509c50: 732e 7061 7274 5261 6e67 6562 6174 6368  s.partRangebatch
00509c60: 7369 7a65 3d69 643d 2573 312e 302e 3050  size=id=%s1.0.0P
00509c70: 4154 4348 2020 5b50 5d20 205b 4c5d 2573  ATCH  [P]  [L]%s
00509c80: 0925 7353 6c69 6365 4172 7261 7925 7320  .%sSliceArray%s
00509c90: 2573 756d 6173 6b67 726f 7570 5f4e 414d  %sumaskgroup_NAM
00509ca0: 4545 4d41 494c 2020 2573 0a33 2e36 2e31  EEMAIL  %s.3.6.1
00509cb0: 6361 6368 6570 6174 683d 2573 3a25 782d  cachepath=%s:%x-
00509cc0: 3037 3030 2573 4025 7325 763a 2576 7072  0700%s@%s%v:%vpr
00509cd0: 6f78 7966 696c 6573 6874 7470 7369 6d61  oxyfileshttpsima
00509ce0: 7032 696d 6170 3369 6d61 7073 706f 7033  p2imap3imapspop3
00509cf0: 7368 6f73 7473 434e 414d 4572 6f75 7465  shostsCNAMEroute

Here you can see 3.6.1 embedded into the middle of this output, but notice the surrounding random symbols, and the fact that there are no padding nulls to separate values from one another. It is possible to make a regex for this, but I don't imagine it to be stable between builds of different versions.

If anyone sees any good options here in terms of being able to parse a version from this, thoughts are welcome!