SBOM is diffirent between syft v0.84.0 and v0.94.0

[tomerse-sg]

What happened:
I run syft alpine:3.2 using a binary of version 0.84.0 and 0.94.0 and saw different results.
I saw a missing binary as specified below:

What you expected to happen:
I want to understand if this is a correct results.

Steps to reproduce the issue:
syft alpine:3.2 with 0.84.0 version and 0.94.0 version

Anything else we need to know?:

Environment:

• Output of syft version: linux
• OS (e.g: cat /etc/os-release or similar):

[spiffcs]

Check out this PR for the change and reasoning why this is different =) #1948

[tomerse-sg]

thanks for the response,
so it narrows duplicates dependencies?

[kzantow]

@tomerse-sg yes, the package manager version can be more correct and include things from a distro security tracker that we couldn't match based on versions found in the binaries. For example, some have a -r# suffix, like busybox 3.2.5-r1, and maybe in some distro the -r1 has is a patch release with certain security fixes, but we don't find the -r1 in the actual version string in the binary, only in the package manager information.

That said, I'm going to close this issue since it is working as expected.