What happened:
When running Syft scan on an image, I got the following purl for helmv3 v3.19.2:
pkg:golang/helm.sh/helm/[email protected]
That is not a valid go version and it fails here
$ go get helm.sh/helm/[email protected]
go: helm.sh/helm/[email protected]: invalid version: module path includes a major version suffix, so major version must match
What you expected to happen:
To get a major version 3 at least for the start of the version string or an exact version.
Steps to reproduce the issue:
Dockerfile example:
FROM registry.access.redhat.com/ubi9:latest as build
ARG HELM_VERSION=v3.19.2
RUN curl -fL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash -s -- --version ${HELM_VERSION}
FROM scratch
COPY --from=build /usr/local/bin/helm /usr/local/bin/helm
ENTRYPOINT ["helm"]
docker build -t test:123 .
and then scan it with:
docker run -v /var/run/docker.sock:/var/run/docker.sock anchore/syft:latest test:123
Related Issues:
google/osv.dev#4484
Environment:
- Output of syft version:
Application: syft
Version: 1.38.2
BuildDate: 2025-12-09T20:56:03Z
GitCommit: Homebrew
GitDescription: [not provided]
Platform: darwin/arm64
GoVersion: go1.25.5
Compiler: gc
SchemaVersion: 16.1.0
- OS (e.g: cat /etc/os-release or similar):
macos 26.2
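
The rule behind the `go get` error quoted above, as an added example that is not part of the original issue or of Syft's code: a module path ending in `/vN` must carry a version whose major number is N. The function name `CheckGolangPurl` and the sample purls are constructed for illustration, and gopkg.in-style paths are not handled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Trailing "/vN" element of a module path (N >= 2), e.g. "helm.sh/helm/v3".
var majorSuffix = regexp.MustCompile(`/v([2-9]|[1-9][0-9]+)$`)
// Leading major number of a version such as "v3.19.2" or "3.19.2".
var versionMajor = regexp.MustCompile(`^v?(0|[1-9][0-9]*)\.`)

// CheckGolangPurl (hypothetical helper) rejects a pkg:golang purl whose version cannot belong to its module path.
func CheckGolangPurl(purl string) error {
	if !strings.HasPrefix(purl, "pkg:golang/") {
		return fmt.Errorf("not a golang purl: %q", purl)
	}
	// Drop subpath and qualifiers, then split name@version at the last '@'.
	rest, _, _ := strings.Cut(strings.TrimPrefix(purl, "pkg:golang/"), "#")
	rest, _, _ = strings.Cut(rest, "?")
	at := strings.LastIndex(rest, "@")
	if at < 0 {
		return fmt.Errorf("purl has no version: %q", purl)
	}
	path, version := rest[:at], rest[at+1:]
	vm := versionMajor.FindStringSubmatch(version)
	if vm == nil {
		return fmt.Errorf("version %q is not semver-like", version)
	}
	if ps := majorSuffix.FindStringSubmatch(path); ps != nil {
		if ps[1] != vm[1] {
			return fmt.Errorf("path %q requires major v%s, version is %q", path, ps[1], version)
		}
		return nil
	}
	// No suffix: only v0/v1 are allowed, or a higher major marked +incompatible.
	if vm[1] != "0" && vm[1] != "1" && !strings.HasSuffix(version, "+incompatible") {
		return fmt.Errorf("path %q has no /vN suffix but version is %q", path, version)
	}
	return nil
}

func main() {
	// Constructed sample purls, not the values from the issue.
	for _, p := range []string{"pkg:golang/helm.sh/helm/v3@v3.19.2", "pkg:golang/helm.sh/helm/v3@v0.0.0-20250101000000-abcdef123456"} {
		fmt.Println(p, "->", CheckGolangPurl(p))
	}
}
```

Run over the purls in a generated SBOM, a check like this flags entries that a Go-aware vulnerability matcher would be unable to resolve.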