OpenSSL binary matcher fails to properly detect letter releases #2681

Closed
harmw opened this issue Feb 29, 2024 · 0 comments · Fixed by #2682
Labels
bug Something isn't working

Comments

@harmw (Contributor) commented Feb 29, 2024

What happened:
Since upgrading syft from 0.86.1 to something more recent I get some more OpenSSL results in my spdx-json SBOM files. As a result, our scanner (grype) now finds more vulnerabilities (specifically around OpenSSL).

This makes sense as the SBOM now contains this:

    {
      "name": "openssl",
      "SPDXID": "SPDXRef-Package-binary-openssl-3521b76f128896d1",
      "versionInfo": "1.1.1",
      "supplier": "NOASSERTION",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "sourceInfo": "acquired package info from the following paths: /usr/local/openresty/openssl/bin/openssl",
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*"
        },
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:generic/openssl@1.1.1"
        }
      ]
    },

This started specifically as of 0.100.0 (https://github.com/anchore/syft/releases/tag/v0.100.0), presumably due to inclusion of #2416

What you expected to happen:
This specific image is indeed using OpenSSL 1.1.1, yet grype now finds itself worrying about just 1.1.1 while in reality this is 1.1.1w (which isn't even vulnerable at all).

% docker run --rm -it --entrypoint /bin/sh openresty/openresty:1.25.3.1-2-alpine
/ # ./usr/local/openresty/openssl/bin/openssl version
OpenSSL 1.1.1w  11 Sep 2023

I'd expect the SBOM to properly reflect the 1.1.1w on which grype can supposedly report accordingly.

Steps to reproduce the issue:
Using docker and the following quick script:

#!/usr/bin/env sh
# Generate an SPDX SBOM with syft, then scan that SBOM with grype.
# Usage: ./scan.sh [target]   (default target is the current directory mounted at /work)
set -e
SYFT_TAG=v0.103.1   # Jan 31, 2024
GRYPE_TAG=v0.74.5   # Feb 14, 2024

SBOM="$(basename "${PWD}")_sbom.spdx.json"

mkdir -p ~/.grype/cache

# Quote $1 so the test does not break when no argument is given.
if [ -z "$1" ]
then
  TARGET="dir:/work/"
  echo "Using default target - alternative argument: docker:<container>"
else
  TARGET="${1}"
  echo "Using target: ${TARGET}"
fi

echo "Extracting SBOM using Syft ${SYFT_TAG}"

# The docker socket is mounted so syft can pull/inspect docker:<container> targets.
docker run \
  --rm \
  -it \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "${PWD}":/work \
  "anchore/syft:${SYFT_TAG}" \
    packages \
    "${TARGET}" \
    -o spdx-json \
    --file "/work/${SBOM}"

# Scan the SBOM produced above; the vulnerability DB cache is kept between runs.
docker run \
  --rm \
  -it \
  -v "${PWD}":/work \
  -v ~/.grype/cache:/.cache/grype \
  "anchore/grype:${GRYPE_TAG}" \
    "sbom:/work/${SBOM}" \
    -o sarif \
    --file /work/scan.sarif \
    --config /work/grype.config.yaml

Using SYFT_TAG=v0.103.1:

 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [54 vulnerability matches]
   ├── by severity: 3 critical, 13 high, 36 medium, 2 low, 0 negligible
   └── by status:   4 fixed, 50 not-fixed, 0 ignored

Using SYFT_TAG=v0.99.0:

 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [22 vulnerability matches]
   ├── by severity: 0 critical, 4 high, 18 medium, 0 low, 0 negligible
   └── by status:   4 fixed, 18 not-fixed, 0 ignored

Anything else we need to know?:
My current guess is this is due to the openssl matchers ignoring the letter suffix, as found in for example 1.1.1w.

From https://wiki.openssl.org/index.php/Versioning:

  • Letter releases, such as 1.0.2a, exclusively contain bug and security fixes and no new features.

Environment:

  • Output of syft version: v0.103.1
  • OS (e.g: cat /etc/os-release or similar): fwiw Alpine 3.19.1
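The following is an added illustration of the failure mode described in this issue, written for this page; it is not syft's classifier code, not the fix in #2682, and not something the reporter posted. The two regexes are assumptions chosen to show the difference between stopping at the numeric triple and keeping the letter suffix; the byte slices are constructed to look like the version banner an OpenSSL binary embeds (the same text `openssl version` prints), not bytes from a real file. It also shows why the suffix matters for matching: letter releases of the same base version order alphabetically and are fix-only, so a 1.1.1w reported as 1.1.1 looks older than every 1.1.1x.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample input (not from a real file): the version banner an
// OpenSSL 1.1.x binary or libcrypto embeds, with the letter release suffix.
var sampleBanner = []byte("\x00OpenSSL 1.1.1w  11 Sep 2023\x00built on: Mon Sep 11 2023\x00")

// Constructed 3.x banner: the 3.x series has no letter releases.
var sampleBanner3 = []byte("\x00OpenSSL 3.0.13 30 Jan 2024\x00")

// numericOnly is an assumed regex that reproduces the reported behaviour:
// it stops after the third numeric component, so 1.1.1w is reported as 1.1.1.
var numericOnly = regexp.MustCompile(`OpenSSL (\d+\.\d+\.\d+)`)

// withLetter is an assumed regex that also keeps the optional single
// lowercase letter used by 1.0.x/1.1.x letter releases. The \b keeps it from
// swallowing a letter that starts the next token.
var withLetter = regexp.MustCompile(`OpenSSL (\d+\.\d+\.\d+[a-z]?)\b`)

// extractVersion runs a classifier regex over raw file content and returns
// the captured version string.
func extractVersion(re *regexp.Regexp, data []byte) (string, bool) {
	m := re.FindSubmatch(data)
	if m == nil {
		return "", false
	}
	return string(m[1]), true
}

// splitLetterRelease separates "1.1.1w" into base "1.1.1" and letter "w".
// A version without a suffix (1.1.1, 3.0.13) returns an empty letter.
func splitLetterRelease(v string) (base, letter string) {
	if n := len(v); n > 0 && v[n-1] >= 'a' && v[n-1] <= 'z' {
		return v[:n-1], v[n-1:]
	}
	return v, ""
}

// letterReleaseAtLeast reports whether `have` is the same base release as
// `want` and at least as new. Letter releases are fix-only and ordered
// alphabetically, and the bare base version is the oldest of its series, so
// "1.1.1w" >= "1.1.1t" and "1.1.1w" >= "1.1.1", but "1.1.1" < "1.1.1t".
// Different base versions return false: they need a full version comparison.
func letterReleaseAtLeast(have, want string) bool {
	hb, hl := splitLetterRelease(have)
	wb, wl := splitLetterRelease(want)
	if hb != wb {
		return false
	}
	return strings.Compare(hl, wl) >= 0
}

func main() {
	for _, data := range [][]byte{sampleBanner, sampleBanner3} {
		naive, _ := extractVersion(numericOnly, data)
		full, _ := extractVersion(withLetter, data)
		fmt.Printf("numeric-only: %-8s with letter: %s\n", naive, full)
	}
	// Once the suffix is dropped, the binary looks older than any letter release.
	fmt.Println("1.1.1w >= 1.1.1t:", letterReleaseAtLeast("1.1.1w", "1.1.1t"))
	fmt.Println("1.1.1  >= 1.1.1t:", letterReleaseAtLeast("1.1.1", "1.1.1t"))
}
```

Run with `go run .`; the first banner yields `1.1.1` from the numeric-only pattern and `1.1.1w` from the pattern that keeps the suffix, while the 3.x banner yields `3.0.13` from both, which is why the bug only shows on 1.0.x/1.1.x binaries.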