syft shows (devel) version for git-lfs while git-lfs version command shows 3.6.0

[Bruceliu-rs]

What happened:
syft generated git-lfs library with 'devel' version number, which was reported in DT(Dependency Track) as vulnerability.

syft scan f96bcfd2281c --select-catalogers "go"

github.com/git-lfs/git-lfs/v3 (devel) go-module

What you expected to happen:
It should show 3.6.0 like the git lfs version command
git lfs version
git-lfs/3.6.0 (GitHub; linux amd64; go 1.23.3; git 6340befc)
Steps to reproduce the issue:
docker pull docker.io/jenkins/jenkins:2.493
syft scan jenkins/jenkins:2.493 --select-catalogers "go"

docker run -u root -it 03347633fbe6 /bin/bash

git lfs version

Anything else we need to know?:
The jenkins docker image is from Debian bookworm release.

Environment:

• Output of syft version:
  Application: syft
  Version: 1.18.1
  BuildDate: 2024-12-13T18:41:10Z
  GitCommit: 5e16e50
  GitDescription: v1.18.1
  Platform: linux/amd64
  GoVersion: go1.23.4
  Compiler: gc

• OS (e.g: cat /etc/os-release or similar):
  PRETTY_NAME="Ubuntu 24.04.1 LTS"
  NAME="Ubuntu"
  VERSION_ID="24.04"
  VERSION="24.04.1 LTS (Noble Numbat)"
  VERSION_CODENAME=noble
  ID=ubuntu
  ID_LIKE=debian
  HOME_URL="https://www.ubuntu.com/"
  SUPPORT_URL="https://help.ubuntu.com/"
  BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
  PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
  UBUNTU_CODENAME=noble
  LOGO=ubuntu-logogithub.com/git-lfs/git-lfs/v3 (devel)

[spiffcs]

👋 thanks for the issue @Bruceliu-rs - I've added a comment from another issue that explains why this might be the case when syft fails to find the version.
#2980 (comment)

This issue is also related:
#3324

[Bruceliu-rs]

Hi @spiffcs , thanks for the confirmation, so I guess we need to wait for go 1.24 release, which is planned to release Feb 2025, two weeks later. I can wait. :)