deps: update dependency anchore/syft to v1.18.1 - abandoned

[red-hat-konflux]

This PR contains the following updates:

Package	Update	Change
anchore/syft	minor	1.5.0 -> 1.18.1

---

Release Notes

anchore/syft (anchore/syft)

v1.18.1

Compare Source

Bug Fixes

• Runtime Error with Syft on Singularity .sif file (panic: index out of range) [#​3390]
• SPDX expressions are lost from CycloneDX if they contain extra parenthesis [#​3441 #​3517 @​willmurphyscode]

Additional Changes

• migrate syft to use anchore fork of archiver without replace [#​3516 @​spiffcs]

(Full Changelog)

v1.18.0

Compare Source

Added Features

• convert spdx absolute to relative [#​3509 @​spiffcs]
• Add relationships for rust audit binary packages [#​3500 @​wagoodman]
• support configuration of layer size in Syft [#​3428 #​3464 @​tomersein]
• Support Dart arm/v7 in 3.x and 2.x [#​3278 #​3475 @​witchcraze]

Bug Fixes

• fix order of rust dependencies and support git sources in Cargo.lock dependencies [#​3502 @​willmurphyscode]
• Use file indexer directly when scanning with file source [#​3333 @​adammcclenaghan]
• Remove incorrect power-user help text that only image sources are supported [#​2046]
• Invalid SPDX: missing copyright text [#​3346 #​3495 @​spiffcs]
• Scanning a source tree with duplicate conanfile.txt dependencies generates multiple components [#​3403]

(Full Changelog)

v1.17.0

Compare Source

Added Features

• Surface Rust dependency relationships [#​2353 #​3443 @​willmurphyscode]
• Support node 6.x versions [#​3404 #​3419 @​witchcraze]

Bug Fixes

• Restore log on UI teardown [#​3427 @​wagoodman]
• Syft should log warnings even when no TTY is present [#​3081 #​3466 @​willmurphyscode]
• Special characters (tab, newline) in license URL [#​3122 #​3449 @​spiffcs]
• LicenseDeclared not as per SPDX License List [#​3030 #​3461 @​spiffcs]

Additional Changes

• doc: Add official Syft logo license information [#​3421 @​popey]

(Full Changelog)

v1.16.0

Compare Source

Added Features

• omit devDependencies for package-lock.json files by default [#​2348 #​3371 @​njv299]

Bug Fixes

• add support for dependencies and purl for Native Image SBOMs [#​3399 @​rudsberg]
• stop bubbling fileResolver errors from binary cataloger [#​3410 @​spiffcs]
• malformed pom.xml may cause recursive loop [#​3391 @​kzantow]
• syft convert: broken link in help - documentation no longer existing [#​3143 #​3407 @​Makefolder]

(Full Changelog)

v1.15.0

Compare Source

Added Features

• Merge config files hierarchically and add support for config profiles [#​3337 @​kzantow]
• Enable cargo-auditable-binary-cataloger for files/directories [#​3376 @​ariel-miculas]
• Improve mariadb binary classifer to detect older versions [#​3052]
• Look for dpkg status file at additional globs [#​2692 #​3373 @​njv299]
• Emit relationships for Java dependencies [#​3189 #​3363 @​kzantow]

(Full Changelog)

v1.14.2

Compare Source

Bug Fixes

• Use single license scanner for all catalogers [#​3348 @​wagoodman]
• use official CPE for linux kernel [#​3343 @​westonsteimel]
• improve mariadb binary classifer to detect older versions [#​3339 @​westonsteimel]

Additional Changes

• Update to latest packageurl-go [#​3347 @​wagoodman]

(Full Changelog)

v1.14.1

Compare Source

Bug Fixes

• stop some log.Warn spam due parsing an empty string as a CPE [#​3330 @​willmurphyscode]
• improve go binary semver extraction for traefik [#​3325 @​westonsteimel]

(Full Changelog)

v1.14.0

Compare Source

Added Features

• Report known unknowns directly in the output SBOM [#​518 #​2998 @​kzantow]
• Identify bash.preinst [#​3191 #​3228 @​wagoodman]
• Support HAProxy rc and some old versions [#​3233 #​3277 @​witchcraze]
• Support Redis arm/v5, arm/v7, 386 in 7.2, 7.4, 8.0 [#​3279 #​3281 @​witchcraze]
• Support node old versions [#​3236 #​3284 @​witchcraze]
• Support rubylang/ruby dev versions [#​3239 #​3285 @​witchcraze]
• Support ruby rc, preview [#​3238 #​3285 @​witchcraze]

Bug Fixes

• performance: instantiate license check scanner to prevent memory leak [#​3290 @​govrin]
• Parse package.json with non-standard fields in 'author' section [#​3300 @​nuada]
• make failed CPE validation correctly return error [#​2762 @​willmurphyscode]
• Improve subpath to mount matching [#​3269 @​cdupuis]

Additional Changes

• add pull request template [#​3294 @​willmurphyscode]

(Full Changelog)

v1.13.0

Compare Source

Added Features

• --enrich flag for data enrichment feature enablement [#​3182 @​kzantow]
• Add classifier for Dart lang [#​3265 @​LaurentGoderre]
• add binary classifiers for lighttp, proftpd, zstd, xz, gzip, jq, and sqlcipher [#​3252 @​krysgor]
• Catalog JDKs more completely [#​3188 #​3217 @​wagoodman]
• Show richer information for JVM installations [#​1426 #​3217 @​wagoodman]
• Allow for stubbing unknown versions over dropping packages [#​2652 #​3257 @​wagoodman]
• Name and Version empty for Java package when scanning provided image [#​2132 #​3257 @​wagoodman]
• Support bitnami/mysql:8.x [#​3025]

Bug Fixes

• OpenJDK CPEs [#​2422 #​3217 @​wagoodman]
• SBOM generated from poetry lock file contains no license information on any dependencies [#​3204]
• Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant) [#​2039 #​3257 @​wagoodman]
• Using replace in a go.mod creates a SPDX package without versionInfo (Non-NTIA compliant) [#​2038 #​3257 @​wagoodman]
• Command make add-snippet can fail in some cases [#​3249]

(Full Changelog)

v1.12.2

Compare Source

Added Features

• Detect curl binaries [#​3146 @​krysgor]
• Add haskell binaries cataloger [#​3078 @​LaurentGoderre]
• add the Ocaml ecosystem [#​3112 @​LaurentGoderre]
• Support HAProxy dev [#​3134 #​3180 @​witchcraze]

Bug Fixes

• Fix improper decoding of SPDX license expressions in the CycloneDX format [#​3175 @​NyanKiyoshi]
• improve generated cpes for binaries with existing classifiers [#​3169 @​westonsteimel]
• improve known CPEs and set NVD as source for all current binary classifiers [#​3167 @​westonsteimel]
• Respond to authoratative CPEs from catalogers [#​3166 @​wagoodman]
• Set cataloger names within package cataloger task [#​3165 @​wagoodman]
• use official CPE for curl binary cataloger [#​3164 @​westonsteimel]
• Fix ELF package correlations [#​3151 @​wagoodman]
• no space left and Could not retrieve mirrorlist in test [#​3181 #​3190 @​wagoodman]
• Multiple versions of libssl3 and libcrypto3 present in SBOM while only one version is installed [#​3195]
• CycloneDX convertion into Syft improperly handles SPDX licenses [#​3172]
• Syft Cause stack overflow [goroutine stack exceeds 1000000-byte limit] [#​3163 #​3170 @​kzantow]
• Mysql binary detection version incorrect for 8.0.x [#​3141 #​3142 @​kzantow]

Additional Changes

• Less verbose java logging when non-fatal issues arise [#​3208 @​wagoodman]

(Full Changelog)

v1.11.1

Compare Source

Bug Fixes

• support .kar files [#​3113 @​tomersein]
• logging for remote network calls [#​3140 @​kzantow]
• Pick up CycloneDX BOM components from metadata as well [#​3092 @​dervoeti]
• improve groupid extraction for Jenkins plugins [#​2815 @​westonsteimel]

(Full Changelog)

v1.11.0

Compare Source

Added Features

• Added the SWI Prolog (swipl) ecosystem [#​3076 @​LaurentGoderre]
• Improved java cataloging [#​2769 @​GijsCalis]

Bug Fixes

• Empty version field on some dependencies when reading pom.xml [#​1129 #​2769 @​GijsCalis]
• Support Maven multi-level configuration file / parent POM [#​2017 #​2769 @​GijsCalis]
• DependencyManagement ignored in pom.xml [#​1813 #​2769 @​GijsCalis]
• Version parsing regression for Go binaries [#​3086 #​3087 @​spiffcs]

Additional Changes

• rather than have a hard max recursive depth - syft should detect parent pom cycles [#​2284 #​2769 @​GijsCalis]
• increase java purl generation test coverage [#​3110 @​westonsteimel]
• Updated PackageSupplier to type Organization for JAR files [#​3093 @​harippriyas]
• Ensure accurate java main artifact name retrieval for multi-JARs and refine fallback approach [#​3054 @​dor-hayun]

(Full Changelog)

v1.10.0

Compare Source

Added Features

• Detect go main module from partial package builds [#​3060 @​wagoodman]
• Support traefik in linux/arm/v6, linux/riscv64 [#​3038 #​3077 @​witchcraze]
• Catalog TiDB binary [#​2763]
• Generate a Maven friendly CPE [#​3042 #​3045 @​kzantow]

Bug Fixes

• Only match ldflag version if it matches the main module or targets main.version [#​3062 @​LaurentGoderre]
• python requirements.txt cataloger: allow dots in python package names [#​3070 @​Mikcl]
• SPDX output performance with many relationships [#​3053 @​kzantow]
• Order CPEs deterministically for SBOM reproducibility [#​2967 #​3085 @​kzantow]
• Python packages: name normalization [#​3064 #​3069 @​Mikcl]
• Syft report panics with the golang cataloger [#​3037 #​3043 @​willmurphyscode]

Additional Changes

• add debug logging for errors reading RPM files [#​3051 @​kzantow]

(Full Changelog)

v1.9.0

Compare Source

Added Features

• Add detection of Erlang in Alpine linux [#​2996 @​LaurentGoderre]
• Add version 3 support for swift package manager of the resolved files [#​3001 @​4ell0]
• Map the downloadLocation field for PHP Composer packages [#​3011 @​LaurentGoderre]

Bug Fixes

• Infer the package type from ELF package notes [#​3008 @​wagoodman]
• Order CPEs deterministically for SBOM reproducibility [#​2967 #​3009 @​spiffcs]

(Full Changelog)

v1.8.0

Compare Source

Added Features

• Add CycloneDX 1.6 Support [#​2974 #​2978 @​ragaskar]

Bug Fixes

• Fixed the detection of arangodb 3.12 [#​2979 @​LaurentGoderre]
• Syft tries to create the cache directory at a location that has no permission [#​2984 #​2985 @​kzantow]

(Full Changelog)

v1.7.0

Compare Source

Added Features

• index known CPEs for wordpress plugins and themes [#​2963 @​westonsteimel]
• Consider Author field for wordpress plugins when generating CPEs [#​2946 @​wagoodman]

Bug Fixes

• improve version extraction from ldflags for pingcap TiDB [#​2962 @​westonsteimel]
• Trim whitespace from wordpress values [#​2945 @​wagoodman]
• Issue scanning Poetry Project with Syft 1.6 and cataloger=python-package-cataloger [#​2954 #​2965 @​spiffcs]
• Poetry's multiple constraints seems to break the parser [#​2947 #​2965 @​spiffcs]
• Golang: Search remote licenses not working in a CI pipeline when scanning Docker image [#​2798 #​2852 @​kzantow]

(Full Changelog)

v1.6.0

Compare Source

Added Features

• Add relationships for go binary packages [#​2912 @​wagoodman]
• Add classifier for util-linux [#​2933 @​LaurentGoderre]
• Lua: Add support for more advanced syntax [#​2908 @​LaurentGoderre]
• add license field to ELF binary package metadata [#​2890 @​brian-ebarb]
• install.sh: check checksums file's signature [#​2884 #​2941 @​wagoodman]
• Detect ELF package notes from fedora binaries [#​2713 #​2939 @​wagoodman]

Bug Fixes

• Use redhat as namespace for redhat rpms [#​2914 @​ralphbean]
• Close sqlite driver after testing sqlite availability [#​2922 @​ttc0419]
• syft does not find anything in archives if /tmp is a tmpfs [#​2894 #​2918 @​willmurphyscode]
• Scanning a git repository folder present in /tmp produce an empty sbom [#​2847 #​2918 @​willmurphyscode]

Additional Changes

• update unit tests to use pinned patch version [#​2932 @​spiffcs]
• fix comments and spelling [#​2920 @​dufucun]

(Full Changelog)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

This PR has been generated by MintMaker (powered by Renovate Bot).

[red-hat-konflux]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.