I don't think we should use this format exactly. We have handling in Syft for formats in different versions with the syntax: <format>@<version>, for CycloneDX, it would be cyclonedx-json@1.5. There is some logic to handle versions nicely including finding the latest version where only a major version is specified, for example spdx-json@2 results in spdx-json version 2.3. It would be nice to reuse this logic, but it looks like it's somewhat specific to an sbom.FormatEncoder. In the meantime, we should use an identical syntax in Grype, e.g.: cyclonedx@1.5, cyclonedx-json@1.5, and cyclonedx-xml@1.5

I wasn't aware of there being a specific format to the versioning. Would it be good to change Format into a struct and use some of the logic from FormatEncoder?

We want to update the Grype presenters to be more like Syft formats, but I wouldn't ask you to do this as part of your PR here unless you felt like it. The main thing is the version strings specified should be the same between the tools

Yep, that makes total sense to me. I'm not fully familiar with Go so I'll probably just update the formatting stuff to handle the version.

Ok, I've gotten it to use the Syft formatted version string. Not the prettiest implementation but it's straightforward and it works.