Open
Description
I’m generating SBOMs for a system that includes multiple statically linked Go binaries (e.g. containerd, ctr, containerd-shim). Syft reports multiple instances of the same Go module/version, each with a different bom-ref and different binary locations.
Example:
- pkg:golang/github.com/containerd/[email protected] found at:
  - /usr/bin/containerd
  - /usr/bin/ctr
  - /usr/bin/containerd-shim
  - etc.
I understand this is technically accurate since the dependencies are embedded in each binary. However, this results in a very noisy SBOM. Before building my own post-processing, I wanted to check:
- Is there recommended guidance from the community on how to handle deduplication of packages like this?
- Is there a Syft option, cataloger configuration, or upcoming feature that can produce a more "logical package-only" SBOM (e.g. one component with multiple locations) without losing valid CycloneDX data?
- Any best practices for submitting such SBOMs to downstream consumers (e.g. for vulnerability scanning)?
Thank you!
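One way to do the post-processing the issue describes, as an added example that is not Syft's code and not part of the issue: merge CycloneDX components that share a purl into a single component whose `evidence.occurrences` (CycloneDX 1.5) lists every binary location, and remap the old bom-refs in the `dependencies` section so no edge dangles after the merge. The sample SBOM, its bom-refs and the `vX.Y.Z` version are constructed placeholders.

```python
import json

# Constructed sample (not Syft output): a CycloneDX 1.5 JSON document in which the
# same Go module is catalogued once per static binary, each with its own bom-ref.
# "vX.Y.Z" is a placeholder; the issue does not state the real version.
PURL = "pkg:golang/github.com/containerd/containerd@vX.Y.Z"
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"bom-ref": "bin-containerd", "type": "application", "name": "containerd"},
        {"bom-ref": "bin-ctr", "type": "application", "name": "ctr"},
        {"bom-ref": "mod-1", "type": "library", "name": "github.com/containerd/containerd",
         "purl": PURL, "evidence": {"occurrences": [{"location": "/usr/bin/containerd"}]}},
        {"bom-ref": "mod-2", "type": "library", "name": "github.com/containerd/containerd",
         "purl": PURL, "evidence": {"occurrences": [{"location": "/usr/bin/ctr"}]}},
    ],
    "dependencies": [
        {"ref": "bin-containerd", "dependsOn": ["mod-1"]},
        {"ref": "bin-ctr", "dependsOn": ["mod-2"]},
    ],
}

def dedupe_by_purl(sbom):
    """Collapse components that share a purl into one component, keeping every
    location as an evidence.occurrences entry, and rewrite the dependency graph
    so references to the dropped bom-refs point at the surviving one."""
    survivors, ref_map, components = {}, {}, []
    for comp in sbom.get("components", []):
        key = comp.get("purl") or comp["bom-ref"]       # no purl: never merged
        if key not in survivors:
            survivors[key] = json.loads(json.dumps(comp))  # deep copy; input untouched
            components.append(survivors[key])
        else:
            occ = survivors[key].setdefault("evidence", {}).setdefault("occurrences", [])
            for o in comp.get("evidence", {}).get("occurrences", []):
                if o not in occ:
                    occ.append(o)
        ref_map[comp["bom-ref"]] = survivors[key]["bom-ref"]
    by_ref = {}  # surviving ref -> merged dependency entry (insertion order kept)
    for dep in sbom.get("dependencies", []):
        ref = ref_map.get(dep["ref"], dep["ref"])
        entry = by_ref.setdefault(ref, {"ref": ref, "dependsOn": []})
        for child in dep.get("dependsOn", []):
            new_child = ref_map.get(child, child)
            if new_child not in entry["dependsOn"]:
                entry["dependsOn"].append(new_child)
    return {**sbom, "components": components, "dependencies": list(by_ref.values())}

if __name__ == "__main__":
    print(json.dumps(dedupe_by_purl(SAMPLE_SBOM), indent=2))
```

Components without a purl are left alone, so the binaries themselves are never collapsed; only the repeated module entries are.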
Metadata
Labels: No labels
Status: Backlog