Incorrect Go module PURL generation when module path contains /vN (e.g. /v5)

**Description**:

When generating a BOM for Go projects, Syft incorrectly parses module paths that include a version suffix like /v5 as part of the semantic version instead of the package path.

**Example:**
We use the Go module:
`github.com/golang-jwt/jwt/v5 v5.2.1
`
In the generated bom.json, Syft produces:
```
"purl": "pkg:golang/github.com/golang-jwt/jwt@v5.2.1#v5",
"bom-ref": "pkg:golang/github.com/golang-jwt/jwt@v5.2.1#v5"
```
The correct PURL should be:
`"purl": "pkg:golang/github.com/golang-jwt/jwt/v5@v5.2.1"
`

**Impact:**

- Dependency Track tools misidentify the dependency : 

<img width="1265" height="145" alt="Image" src="https://github.com/user-attachments/assets/18f4d8e8-b478-4e22-b418-d254a1232600" />

- The used version is not recognized correctly.
- Associated vulnerabilities and metadata are missing.

**Environment**

- Syft version:  v1.33.0
- Language: Go
- Example package: github.com/golang-jwt/jwt/v5@v5.2.1

**Expected Behavior**
Syft should preserve the module path (/v5) and produce:
`pkg:golang/github.com/golang-jwt/jwt/v5@v5.2.1
`

**Actual Behavior**
Syft outputs:
`pkg:golang/github.com/golang-jwt/jwt@v5.2.1#v5
`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Incorrect Go module PURL generation when module path contains /vN (e.g. /v5) #4316

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Incorrect Go module PURL generation when module path contains /vN (e.g. /v5) #4316

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions