anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Duplicate OpenSSL detection as both deb and binary #3481

Open witchcraze opened 5 days ago

witchcraze commented 5 days ago

What happened:

I think this will be a rare case, but please let me report it as one example. I found a case where openssl is detected as both deb and binary, like this. // I think these openssl packages are the same, but sorry, I have no evidence.

Related: #931

What you expected to happen:

If possible, only the deb package should be shown. If the binary openssl is shown, the results of grype will be wrong in some cases.

Steps to reproduce the issue:

$ syft -q fluent/fluent-bit:1.8.5 | grep openssl
openssl     1.1.1d            binary
openssl     1.1.1d-0+deb10u7  deb

Anything else we need to know?:

Only linux/amd64 is duplicated

$ syft -q fluent/fluent-bit:1.8.5 --platform linux/arm | grep openssl
openssl                 1.1.1d-0+deb10u7        deb

$ syft -q fluent/fluent-bit:1.8.5 --platform linux/arm64 | grep openssl
openssl                 1.1.1d-0+deb10u7        deb

$ syft -q fluent/fluent-bit:1.8.5 --platform linux/amd64 | grep openssl
openssl     1.1.1d            binary
openssl     1.1.1d-0+deb10u7  deb

Environment:

$ syft version
Application: syft
Version:    1.17.0
BuildDate:  2024-11-21T14:39:38Z
GitCommit:  a8d4202d77b6b31e75ce5af09a8b03ad14e533d3
GitDescription: v1.17.0
Platform:   linux/amd64
GoVersion:  go1.22.9
Compiler:   gc
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo

wagoodman commented 4 days ago

This makes sense -- we should probably start deduplicating based on version prefixes instead of direct matches (if binary version is a prefix match for the os package or vice versa)
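As an added example (not syft's own code, and not what the maintainers committed for this issue), here is one way to implement the prefix-based deduplication the comment above suggests, in Go. The `Package` type, the `osPackageTypes` set and the `versionPrefixMatch` / `DeduplicateBinaryHits` functions are names assumed for illustration, not syft API; the input list is constructed to mirror the two openssl lines in the report plus one unrelated binary hit.

```go
package main

import (
	"fmt"
	"strings"
)

// Package is a minimal stand-in for an SBOM entry (hypothetical type, not
// syft's pkg.Package). Type is the cataloger-assigned package type, e.g.
// "deb", "rpm", "apk" or "binary".
type Package struct {
	Name    string
	Version string
	Type    string
}

// osPackageTypes are the OS package-manager types that take precedence over
// a binary cataloger hit for the same name, because they carry the distro
// revision that vulnerability matching needs.
var osPackageTypes = map[string]bool{"deb": true, "rpm": true, "apk": true}

// versionPrefixMatch treats a binary version such as "1.1.1d" as the same
// release as a distro version such as "1.1.1d-0+deb10u7" when one string is
// a prefix of the other AND the prefix ends at a component boundary, so that
// "1.1.1" does not absorb "1.1.1d" or "1.1.10-1". The accepted boundary
// characters are a simplification for this example.
func versionPrefixMatch(a, b string) bool {
	if a == b {
		return true
	}
	short, long := a, b
	if len(short) > len(long) {
		short, long = long, short
	}
	if short == "" || !strings.HasPrefix(long, short) {
		return false
	}
	// The character right after the shared prefix must be a separator,
	// otherwise the prefix cut a version component in half.
	return strings.ContainsRune("-+~:", rune(long[len(short)]))
}

// coveredByOSPackage reports whether any OS package in candidates explains
// the binary hit bin by a prefix-compatible version.
func coveredByOSPackage(bin Package, candidates []Package) bool {
	for _, osPkg := range candidates {
		if versionPrefixMatch(bin.Version, osPkg.Version) {
			return true
		}
	}
	return false
}

// DeduplicateBinaryHits drops "binary" entries that duplicate an OS package
// of the same name with a prefix-compatible version, keeping the OS package.
// Input order is preserved for everything that survives.
func DeduplicateBinaryHits(pkgs []Package) []Package {
	osByName := map[string][]Package{}
	for _, p := range pkgs {
		if osPackageTypes[p.Type] {
			osByName[p.Name] = append(osByName[p.Name], p)
		}
	}
	out := make([]Package, 0, len(pkgs))
	for _, p := range pkgs {
		if p.Type == "binary" && coveredByOSPackage(p, osByName[p.Name]) {
			continue
		}
		out = append(out, p)
	}
	return out
}

func main() {
	// Constructed input: the two openssl rows from the report above, plus an
	// unrelated binary hit with no OS package, which must be kept.
	pkgs := []Package{
		{Name: "openssl", Version: "1.1.1d", Type: "binary"},
		{Name: "openssl", Version: "1.1.1d-0+deb10u7", Type: "deb"},
		{Name: "curl", Version: "7.64.0", Type: "binary"},
	}
	for _, p := range DeduplicateBinaryHits(pkgs) {
		fmt.Printf("%-12s %-20s %s\n", p.Name, p.Version, p.Type)
	}
}
```

Two caveats a real implementation would have to handle: the names must already agree (here both catalogers say "openssl", but a shared-library hit can be cataloged under a different name than the owning distro package), and a Debian epoch such as "1:" on the OS side breaks the prefix relationship, so the epoch should be stripped before comparing.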