Attempt to extract go main module versions from available ldflags

[wagoodman]

What would you like to be added:
(from anchore/grype#1167 (comment) and conversations from @westonsteimel )

Go modules cannot yet represent the main module version in a standard way golang/go#29228 . This would allow syft to be able to attempt to extract semantic versions for main applications where today we are surfacing output like v0.0.0-20221108103842-64017e8ca682.

But we do have access to ldflags, which is a common way to bake in the version at build time:

{
   "id": "e0096f6e58724f2e",
   "name": "github.com/grafana/grafana",
   "version": "v0.0.0-20221108103842-64017e8ca682",
   "type": "go-module",
   "foundBy": "go-module-binary-cataloger",
   "locations": [
    {
     "path": "/usr/share/grafana/bin/grafana-cli",
     "layerID": "sha256:245c77c48e91231cb9493c35992535f049af4cfa20a2300cf872fa1ed28d0133"
    }
   ],
   "licenses": [],
   "language": "go",
   "cpes": [
    "cpe:2.3:a:grafana:grafana:v0.0.0-20221108103842-64017e8ca682:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:golang/github.com/grafana/[email protected]",
   "metadataType": "GolangBinMetadata",
   "metadata": {
    "goBuildSettings": {
     "-compiler": "gc",
     "-ldflags": "-linkmode=external -extldflags=-static -w -X main.version=9.2.4 -X main.commit=64017e8ca6 -X main.buildstamp=1667903922 -X main.buildBranch=HEAD",
     "CGO_CFLAGS": "",
     "CGO_CPPFLAGS": "",
     "CGO_CXXFLAGS": "",
     "CGO_ENABLED": "1",
     "CGO_LDFLAGS": "",
     "GOAMD64": "v1",
     "GOARCH": "amd64",
     "GOOS": "linux",
     "vcs": "git",
     "vcs.modified": "false",
     "vcs.revision": "64017e8ca6825b79a2acb887a1c1d9088e47ed72",
     "vcs.time": "2022-11-08T10:38:42Z"
    },
    "goCompiledVersion": "go1.19.3",
    "architecture": "amd64",
    "mainModule": "github.com/grafana/grafana"
   }
  },

From "-ldflags": "-linkmode=external -extldflags=-static -w -X main.version=9.2.4 -X main.commit=64017e8ca6 -X main.buildstamp=1667903922 -X main.buildBranch=HEAD", it would be ideal to be able to extract 9.2.4 such that the version in pkg.Package could be more accurate.

This does not cover all approaches where version is baked into an application, but again, this is a fairly common pattern.

Since this would be inherently a fuzzy process there should be a way via application configuration to opt out of this.

Why is this needed:
This would tremendously help vulnerability matching downstream of syft and allow for more accurate SBOMs to be generated.

Additional context:

@westonsteimel prototype branch: https://github.com/anchore/syft/compare/extract-go-binary-versions-from-known-build-flags

[wagoodman]

this regex might work better \.(git)?[vV]ersion=(\S+\/)*(?<Version>v?\d+.\d+.\d+[-+\S]*), but not a lot of time yet to dig too deep. Saving for posterity.