Ensure go standard library version in component and PURL are consistent

[g-suraj]

What happened:

The component for the go stdlib looks like

{
   "bom-ref": "pkg:golang/[email protected]?package-id=xyz",
   "type": "library",
   "name": "stdlib",
   "version": "go1.21.6"
   ...
}

What you expected to happen:

I'd have expected to not see the prefix in the version string in the component. This is already what we do for the PURL here.

Environment:

• Output of syft version: 0.71.0
• OS (e.g: cat /etc/os-release or similar): Red Hat Enterprise Linux Server release 7.9 (Maipo)

[spiffcs]

Summary from Livestream

Thanks for the issue @g-suraj !

We discussed this issue here:
https://www.youtube.com/watch?v=7434IRrupzQ

The result is that given the PURL specification allows for an encoded string as the version, and we have a matcher in grype that handles go versions correctly (given a prefix of v, go, etc) then we should actually preserve the go prefix for the PURL and preserve the go prefix in the version string.

This is the output given by the go tooling and how they reference go versions in their official vulnerability feed. See the below as an example:
https://pkg.go.dev/vuln/GO-2024-3107

I'll get around to making this consistent (preserving the prefix) across PURL and Version and testing that change against yardstick to make sure we don't have any matching regressions.

[g-suraj]

That makes sense - I'll update the issue title to reflect that then. Thank you 🙂