Syft fails to scan image with variant, linux/arm/v7

[mathrock]

What happened:
Attempted to scan image with --platform linux/arm/v7 which matches what the registry reports for the image but syft fails.

Registry shows image as linux/arm/v7:

% crane config nginx@sha256:ed96b79909c5581d90b690b4cdcec049974c7abb11edaaee4f353c8465445d8a | jq '. | {os: .os, arch: .architecture, variant: .variant}'
{
  "os": "linux",
  "arch": "arm",
  "variant": "v7"
}

Scan with correct platform string (linux/arm/v7) fails:

% syft --from registry --platform linux/arm/v7  nginx@sha256:ed96b79909c5581d90b690b4cdcec049974c7abb11edaaee4f353c8465445d8a
[0001] ERROR could not determine source: an error occurred attempting to resolve 'nginx@sha256:ed96b79909c5581d90b690b4cdcec049974c7abb11edaaee4f353c8465445d8a': oci-registry: mismatched platform (expected linux/arm/v7): image platform="linux/arm" does not match user specified platform="linux/arm/v7"

Scan with just linux/arm considering the variant is optional, also fails:

% syft --from registry --platform linux/arm  nginx@sha256:ed96b79909c5581d90b690b4cdcec049974c7abb11edaaee4f353c8465445d8a
[0001] ERROR could not determine source: an error occurred attempting to resolve 'nginx@sha256:ed96b79909c5581d90b690b4cdcec049974c7abb11edaaee4f353c8465445d8a': oci-registry: mismatched platform (expected linux/arm/v7): image platform="linux/arm" does not match user specified platform="linux/arm/v7"

The error message shows an incorrect platform string from the registry (image config) which appears to be a bug https://github.com/anchore/stereoscope/blob/main/pkg/image/oci/registry_provider.go#L140 due to not considering and handling the variant correctly.

What you expected to happen:
The image should scan correctly when either the exact platform string with variant --platform linux/arm/v7 or just the os/arch without the optional variant --platform linux/arm are used.

How to reproduce it (as minimally and precisely as possible):
Provided above

Anything else we need to know?:

Environment:

• OS (e.g: cat /etc/os-release or similar):

% syft version
Application:   syft
Version:       1.32.0
BuildDate:     2025-08-26T21:04:20Z
GitCommit:     Homebrew
GitDescription: [not provided]
Platform:      darwin/arm64
GoVersion:     go1.25.0
Compiler:      gc
SchemaVersion: 16.0.39

[mathrock]

Looks like it was released in stereoscope v0.1.10, and downstream releases in Syft v1.33.0 (https://github.com/anchore/syft/blob/v1.33.0/go.mod#L27) and Grype v0.100.0 (https://github.com/anchore/grype/blob/v0.100.0/go.mod#L21)