stdlib version contains distribution

[TimBrown1611]

What happened:
I scanned a redhat image which contains go, and received the below version of stdlib:

      "id": "d17a2467c2d6c774",
      "name": "stdlib",
      "version": "go1.21.9 (Red Hat 1.21.9-2.el9_4)",
      "type": "go-module",
      "foundBy": "",
      "locations": [
        {
          "path": "/usr/bin/skopeo",
          "layerID": "sha256:c0e434e0d415074a5a01a06ff56044b33a8e448eeafcee4c1a3a068d328dd0cf",
          "accessPath": "/usr/bin/skopeo",
          "annotations": {
            "evidence": "primary"
          }
        }

distro information:

    "prettyName": "Red Hat Enterprise Linux 9.4 (Plow)",
    "name": "Red Hat Enterprise Linux",
    "id": "rhel",
    "idLike": [
      "fedora"
    ],
    "version": "9.4 (Plow)",
    "versionID": "9.4",
    "homeURL": "https://www.redhat.com/",

What you expected to happen:
I think the version should be - 1.21.9

Steps to reproduce the issue:
I can't share the image I've scanned, but let me know if you need me to share more details.

Anything else we need to know?:

Environment:

• Output of syft version: 1.18.1
• OS (e.g: cat /etc/os-release or similar): macOS

[jherrerasbp]

I've seen the same case with the image redis:7.4.1-alpine3.20 and digest c1e88455c85225310bbea54816e9c3f4b5295815e6dbf80c34d40afc6df28275 from docker hub

[spiffcs]

Thanks @TimBrown1611 for the report and @jherrerasbp for the reproduction steps.

I've confirmed/reproduced this as well. When someone on the team has time we'll try and tackle this bug.

[g-suraj]

Is it expected for the version to be prefixed with go? It also seems reasonable to remove the prefix just like when we instantiate the packageURL.