
Grype is catching a false positive on spring-boot-starter-web because it cannot detect inherited version from parent #1012

Description

@cezapata

What happened:
After using the Spring Initializr tool to create a new Spring Boot App (version 2.7.5) with the Spring Web dependency, building, and running Grype to scan for vulnerabilities, we get a vulnerability detected on the following package:

spring-boot-starter-web: GHSA-36p3-wjmg-h94x

What you expected to happen:

When installing the dependencies, the spring-boot-starter-web package installs a version that is consistent with its parent artifact (spring-boot-starter-parent), which maps to version 2.7.5.

I was expecting grype to detect the version and note that the vulnerability it indicates does not apply, since it was fixed in a prior version (2.5.12). However, the engine does not pick it up, and displays an empty version in use for the package:

How to reproduce it (as minimally and precisely as possible):
I have set up a repo with a dev container configured to run the repro with instructions here:

https://github.com/cezapata/appconfiguration-sample

You can run the codespace, install the Maven dependencies on the app, and then run grype. Among the vulnerabilities detected, GHSA-36p3-wjmg-h94x will be displayed.

Anything else we need to know?:

Hard-coding the version on the dependencies fixes the problem, but we would like all the dependencies to be controlled by the parent.

Environment:

  • Output of grype version:
    Application: grype
    Version: 0.53.0
    Syft Version: v0.62.0
    BuildDate: 2022-11-18T20:36:40Z
    GitCommit: a4a62aa
    GitDescription: v0.53.0
    Platform: linux/amd64
    GoVersion: go1.18.7
    Compiler: gc
    Supported DB Schema: 5

  • OS (e.g: cat /etc/os-release or similar):
    PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
    NAME="Debian GNU/Linux"
    VERSION_ID="11"
    VERSION="11 (bullseye)"
    VERSION_CODENAME=bullseye
    ID=debian
    HOME_URL="https://www.debian.org/"
    SUPPORT_URL="https://www.debian.org/support"
    BUG_REPORT_URL="https://bugs.debian.org/"
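The root of the report above is that a scanner reading only the project's pom.xml sees a dependency with no `<version>` element, because Maven fills that version in from the parent's `<dependencyManagement>` at build time. The script below is an added example, not the reporter's code and not the resolution logic Grype or Syft actually use: it walks the parent chain of a constructed Initializr-style pom.xml and resolves the effective version of spring-boot-starter-web, then shows what happens when the parent is unavailable (the empty version in the report) and when the version is hard-coded (the workaround the reporter mentions). The parent POM here is a constructed stand-in that collapses the real spring-boot-starter-parent / spring-boot-dependencies chain into one document; the property name `spring-boot.version` and the `at_or_above` helper are assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed sample: what Spring Initializr emits, with the version of
# spring-boot-starter-web left to the parent (as in the report).
CHILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.5</version>
  </parent>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>0.0.1-SNAPSHOT</version>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample: the reporter's workaround, version pinned inline.
HARDCODED_POM = CHILD_POM.replace(
    "<artifactId>spring-boot-starter-web</artifactId>",
    "<artifactId>spring-boot-starter-web</artifactId><version>2.7.5</version>")

# Constructed stand-in for the parent chain (assumed property name).
PARENT_POMS = {
    ("org.springframework.boot", "spring-boot-starter-parent", "2.7.5"):
    """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-parent</artifactId><version>2.7.5</version>
  <properties><spring-boot.version>2.7.5</spring-boot.version></properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>${spring-boot.version}</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""}


def _text(el, path):
    """Stripped text of a child element, or None when it is absent."""
    node = el.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def load_pom(xml_text):
    """Extract the parts of a POM that matter for version resolution."""
    root = ET.fromstring(xml_text)
    parent_el = root.find("m:parent", NS)
    parent = None
    if parent_el is not None:
        parent = tuple(_text(parent_el, "m:" + k) for k in ("groupId", "artifactId", "version"))
    props = {p.tag.split("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    managed = {(_text(d, "m:groupId"), _text(d, "m:artifactId")): _text(d, "m:version")
               for d in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS)}
    deps = [(_text(d, "m:groupId"), _text(d, "m:artifactId"), _text(d, "m:version"))
            for d in root.findall("m:dependencies/m:dependency", NS)]
    return {"parent": parent, "props": props, "managed": managed, "deps": deps}


def resolve_versions(child_xml, parent_lookup):
    """Map each declared (groupId, artifactId) to its effective version: an
    inline <version> wins, otherwise the nearest <dependencyManagement> entry
    up the parent chain, with ${...} filled from merged properties (child
    overrides parent). A dependency stays None when the available chain does
    not manage it, which is what a pom.xml-only scanner ends up with."""
    chain = [load_pom(child_xml)]
    while chain[-1]["parent"] is not None and chain[-1]["parent"] in parent_lookup:
        chain.append(load_pom(parent_lookup[chain[-1]["parent"]]))

    def interpolate(value):
        def lookup(match):
            for pom in chain:  # definition nearest to the child wins
                if match.group(1) in pom["props"]:
                    return pom["props"][match.group(1)]
            return match.group(0)  # unknown property: leave placeholder as-is
        return None if value is None else PLACEHOLDER.sub(lookup, value)

    resolved = {}
    for group, artifact, version in chain[0]["deps"]:
        if version is None:
            version = next((p["managed"][(group, artifact)] for p in chain
                            if (group, artifact) in p["managed"]), None)
        resolved[(group, artifact)] = interpolate(version)
    return resolved


def at_or_above(version, fixed_in):
    """True when a dotted numeric version is at or past the fixed version."""
    parts = lambda v: tuple(int(x) for x in v.split("."))
    return parts(version) >= parts(fixed_in)


if __name__ == "__main__":
    web = ("org.springframework.boot", "spring-boot-starter-web")
    print("with parent chain :", resolve_versions(CHILD_POM, PARENT_POMS)[web])
    print("pom.xml only      :", resolve_versions(CHILD_POM, {})[web])
    print("hard-coded version:", resolve_versions(HARDCODED_POM, {})[web])
```

Running it prints `2.7.5`, `None` and `2.7.5` in that order: only the first and third cases give a scanner a version to compare against the advisory's fixed version, so the second case is the one that produces an empty version and a match that cannot be ruled out. The practical consequence for a defender is that scanning a built artifact (or an effective POM) rather than the raw source pom.xml is what lets the scanner tell that 2.7.5 is past the 2.5.12 fix.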
