Dotnet-Portable-Executable-Cataloger uses wrong component version for dotnet runtime libraries

[AndreasAndoerfer]

What happened:

When executing syft to analyse a docker image with a dotnet application it is generating component entries with the file version of the dll and not the assembly version.
This causes a wrong cpe.

In my example it is the .net 8.0 System.Security.Cryptography.Xml.dll

Output of syft:

The library is just one example. This problem exist for all runtime libraries because the file version does not match the assembly- / runtime-version!

What you expected to happen:
I would expect to have the same version displayed in nuget and in the *.deps.json file of the project:

*.deps.json:

Output of syft with dotnet-deps-cataloger:

Steps to reproduce the issue:

• create a docker image with an dotnet web application
• run syft on the docker image

Anything else we need to know?:

Environment:

• Output of syft version: 1.12.2
• OS (e.g: cat /etc/os-release or similar): alpine image

[willmurphyscode]

This is probably related to #2697.

[kzantow]

Hi, @AndreasAndoerfer -- Syft looks at a few different properties in the PE files to attempt to determine the package and version, but we have found that these fields are not used in a consistent manner across various projects. Perhaps you could shed some light on improvements? We have tests of some set of PE files and the code which attempts to determine the package and version available to review.