Misinterpretation of Multiple replace Directives in Golang #2721

Open
t-nero opened this issue Mar 18, 2024 · 1 comment
Labels
bug Something isn't working ecosystem:go relating to the golang ecosystem good-first-issue Good for newcomers

t-nero commented Mar 18, 2024

What happened:
It does not apply the replace directive to a module version that's also in the replace directive. For example,

replace (
     google.golang.org/grpc => google.golang.org/grpc v1.61.0
     golang.org/x/net => golang.org/x/net v0.22.0
)

If I run syft with the working dir, syft ., the result will show golang.org/x/net@v0.18.0 is being used, which originates from grpc@v1.61.0's go.mod, while both modules should be overridden to the specified versions.

What you expected to happen:
If I build and run syft against the binary file instead, syft <bin_file>, or go version -m <bin_file>, both will show golang.org/x/net@v0.22.0 is actually being used.

Steps to reproduce the issue:

  1. Create a simple project
  2. Import a module, let's name it module M
  3. Use replace directive with M to any specific version
  4. Use replace directive with another module required by M (pick one from M's go.mod), let's name it module N
  5. cd to the project root directory, set $GOPATH with export GOPATH="$(pwd)/dep"
  6. go mod download, to download all dependencies into ./dep.
  7. Run syft with the project directory and inspect N's version: it will be the version specified in M's go.mod, while it should actually be the replace directive version.

Environment:

  • Output of syft version:
Application: syft
Version:    1.0.1
BuildDate:  2024-03-06T19:25:56Z
GitCommit:  Homebrew
GitDescription: [not provided]
Platform:   darwin/arm64
GoVersion:  go1.22.1
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar):
ProductName:		macOS
ProductVersion:		14.3.1
BuildVersion:		23D60

kzantow commented Mar 18, 2024

I believe this is a duplicate of #2038, but it does describe a slightly different replace directive. This particular variant would be a lot easier to handle, ignoring the local filesystem references.
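
The version-to-version case discussed in this thread, as an added example that is not part of the original issue and is not syft's code: it reads the replace entries from go.mod text and applies them to every resolved module, including one pulled in transitively. The names `Mod`, `sampleGoMod`, `parseReplaces` and `applyReplaces`, the `example.com/...` modules and the pre-replace grpc version are assumptions made for illustration; the parser is simplified and skips local filesystem targets and version-limited replacements.

```go
package main

import (
	"fmt"
	"strings"
)

// Mod is a module path with the version selected for it.
type Mod struct{ Path, Version string }

// Constructed sample: the replace block from the issue plus one local target.
const sampleGoMod = `module example.com/app
replace (
	google.golang.org/grpc => google.golang.org/grpc v1.61.0
	golang.org/x/net => golang.org/x/net v0.22.0
)
replace example.com/local => ../local // filesystem target, skipped
`

// parseReplaces maps each replaced module path to its version-pinned target.
// Simplified for illustration (real tooling should use golang.org/x/mod/modfile):
// it relies on "=>" appearing only in replace entries.
func parseReplaces(gomod string) map[string]Mod {
	out := map[string]Mod{}
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimSpace(strings.SplitN(line, "//", 2)[0])
		lhs, rhs, _ := strings.Cut(strings.TrimPrefix(line, "replace "), "=>")
		l, r := strings.Fields(lhs), strings.Fields(rhs)
		if len(l) == 1 && len(r) == 2 { // skips "old v1 => ..." and local paths
			out[l[0]] = Mod{r[0], r[1]}
		}
	}
	return out
}

// applyReplaces overrides every resolved module, direct or transitive.
func applyReplaces(resolved []Mod, rep map[string]Mod) []Mod {
	out := make([]Mod, len(resolved))
	for i, m := range resolved {
		if n, ok := rep[m.Path]; ok {
			m = n
		}
		out[i] = m
	}
	return out
}

func main() {
	// x/net v0.18.0 is what grpc's go.mod asks for; grpc v1.60.0 is constructed.
	resolved := []Mod{{"google.golang.org/grpc", "v1.60.0"}, {"golang.org/x/net", "v0.18.0"}}
	fmt.Println(applyReplaces(resolved, parseReplaces(sampleGoMod)))
}
```

Comparing this result with `go version -m <bin_file>` for the built binary is a quick way to confirm that a source-directory SBOM reports the versions that were actually linked.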
