What happened:

Analyzing the Grafana OCI container image will lead to a miss-classification of using Grafana Tempo under AGPL, when in fact it is Apache License 2.0 . This is because the golang resolver is relying on the embedded https://pkg.go.dev/runtime/debug#BuildInfo. That BuildInfo information only resolves to the module level and not the package level. This leads to a cyclonedx BOM like the following:

...
    {
      "bom-ref": "pkg:golang/github.com/grafana/tempo@v1.5.1-0.20241001135150-ed943d7a56b2?package-id=edb2513afd3875fd",
      "type": "library",
      "name": "github.com/grafana/tempo",
      "version": "v1.5.1-0.20241001135150-ed943d7a56b2",
      "licenses": [
        {
          "license": {
            "id": "AGPL-3.0-only",
            "url": "https://proxy.golang.org/github.com/grafana/tempo/@v/v1.5.1-0.20241001135150-ed943d7a56b2.zip#github.com/grafana/tempo@v1.5.1-0.20241001135150-ed943d7a56b2/LICENSE"
          }
        }
      ],

What you expected to happen:

I would have expected that syft detects the actual go packages being used and the license of these packages. The "govulncheck" of the Go ecosystem is an example that goes beyond the BuildInfo and identifies package level dependencies.

Steps to reproduce the issue:

go run ./cmd/syft scan -vv docker:grafana/grafana-oss:12.0.1 -o cyclonedx-json

Anything else we need to know?:

Environment:

• Output of syft version:
• OS (e.g: cat /etc/os-release or similar):