deps: update dependency anchore/syft to v1.18.1 - abandoned

[red-hat-konflux]

This PR contains the following updates:

Package	Update	Change
anchore/syft	minor	1.5.0 -> 1.18.1

---

Release Notes

anchore/syft (anchore/syft)

v1.18.1

Compare Source

Bug Fixes

• Runtime Error with Syft on Singularity .sif file (panic: index out of range) [#​3390]
• SPDX expressions are lost from CycloneDX if they contain extra parenthesis [#​3441 #​3517 @​willmurphyscode]

Additional Changes

• migrate syft to use anchore fork of archiver without replace [#​3516 @​spiffcs]

(Full Changelog)

v1.18.0

Compare Source

Added Features

• convert spdx absolute to relative [#​3509 @​spiffcs]
• Add relationships for rust audit binary packages [#​3500 @​wagoodman]
• support configuration of layer size in Syft [#​3428 #​3464 @​tomersein]
• Support Dart arm/v7 in 3.x and 2.x [#​3278 #​3475 @​witchcraze]

Bug Fixes

• fix order of rust dependencies and support git sources in Cargo.lock dependencies [#​3502 @​willmurphyscode]
• Use file indexer directly when scanning with file source [#​3333 @​adammcclenaghan]
• Remove incorrect power-user help text that only image sources are supported [#​2046]
• Invalid SPDX: missing copyright text [#​3346 #​3495 @​spiffcs]
• Scanning a source tree with duplicate conanfile.txt dependencies generates multiple components [#​3403]

(Full Changelog)

v1.17.0

Compare Source

Added Features

• Surface Rust dependency relationships [#​2353 #​3443 @​willmurphyscode]
• Support node 6.x versions [#​3404 #​3419 @​witchcraze]

Bug Fixes

• Restore log on UI teardown [#​3427 @​wagoodman]
• Syft should log warnings even when no TTY is present [#​3081 #​3466 @​willmurphyscode]
• Special characters (tab, newline) in license URL [#​3122 #​3449 @​spiffcs]
• LicenseDeclared not as per SPDX License List [#​3030 #​3461 @​spiffcs]

Additional Changes

• doc: Add official Syft logo license information [#​3421 @​popey]

(Full Changelog)

v1.16.0

Compare Source

Added Features

• omit devDependencies for package-lock.json files by default [#​2348 #​3371 @​njv299]

Bug Fixes

• add support for dependencies and purl for Native Image SBOMs [#​3399 @​rudsberg]
• stop bubbling fileResolver errors from binary cataloger [#​3410 @​spiffcs]
• malformed pom.xml may cause recursive loop [#​3391 @​kzantow]
• syft convert: broken link in help - documentation no longer existing [#​3143 #​3407 @​Makefolder]

(Full Changelog)

v1.15.0

Compare Source

Added Features

• Merge config files hierarchically and add support for config profiles [#​3337 @​kzantow]
• Enable cargo-auditable-binary-cataloger for files/directories [#​3376 @​ariel-miculas]
• Improve mariadb binary classifer to detect older versions [#​3052]
• Look for dpkg status file at additional globs [#​2692 #​3373 @​njv299]
• Emit relationships for Java dependencies [#​3189 #​3363 @​kzantow]

(Full Changelog)

v1.14.2

Compare Source

Bug Fixes

• Use single license scanner for all catalogers [#​3348 @​wagoodman]
• use official CPE for linux kernel [#​3343 @​westonsteimel]
• improve mariadb binary classifer to detect older versions [#​3339 @​westonsteimel]

Additional Changes

• Update to latest packageurl-go [#​3347 @​wagoodman]

(Full Changelog)

v1.14.1

Compare Source

Bug Fixes

• stop some log.Warn spam due parsing an empty string as a CPE [#​3330 @​willmurphyscode]
• improve go binary semver extraction for traefik [#​3325 @​westonsteimel]

(Full Changelog)

v1.14.0

Compare Source

Added Features

• Report known unknowns directly in the output SBOM [#​518 #​2998 @​kzantow]
• Identify bash.preinst [#​3191 #​3228 @​wagoodman]
• Support HAProxy rc and some old versions [#​3233 #​3277 @​witchcraze]
• Support Redis arm/v5, arm/v7, 386 in 7.2, 7.4, 8.0 [#​3279 #​3281 @​witchcraze]
• Support node old versions [#​3236 #​3284 @​witchcraze]
• Support rubylang/ruby dev versions [#​3239 #​3285 @​witchcraze]
• Support ruby rc, preview [#​3238 #​3285 @​witchcraze]

Bug Fixes

• performance: instantiate license check scanner to prevent memory leak [#​3290 @​govrin]
• Parse package.json with non-standard fields in 'author' section [#​3300 @​nuada]
• make failed CPE validation correctly return error [#​2762 @​willmurphyscode]
• Improve subpath to mount matching [#​3269 @​cdupuis]

Additional Changes

• add pull request template [#​3294 @​willmurphyscode]

(Full Changelog)

v1.13.0

Compare Source

Added Features

• --enrich flag for data enrichment feature enablement [#​3182 @​kzantow]
• Add classifier for Dart lang [#​3265 @​LaurentGoderre]
• add binary classifiers for lighttp, proftpd, zstd, xz, gzip, jq, and sqlcipher [#​3252 @​krysgor]
• Catalog JDKs more completely [#​3188 #​3217 @​wagoodman]
• Show richer information for JVM installations [#​1426 #​3217 @​wagoodman]
• Allow for stubbing unknown versions over dropping packages [#​2652 #​3257 @​wagoodman]
• Name and Version empty for Java package when scanning provided image [#​2132 #​3257 @​wagoodman]
• Support bitnami/mysql:8.x [#​3025]

Bug Fixes

• OpenJDK CPEs [#​2422 #​3217 @​wagoodman]
• SBOM generated from poetry lock file contains no license information on any dependencies [#​3204]
• Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant) [#​2039 #​3257 @​wagoodman]
• Using replace in a go.mod creates a SPDX package without versionInfo (Non-NTIA compliant) [#​2038 #​3257 @​wagoodman]
• Command make add-snippet can fail in some cases [#​3249]

(Full Changelog)

v1.12.2

Compare Source

Added Features

• Detect curl binaries [#​3146 @​krysgor]
• Add haskell binaries cataloger [#​3078 @​LaurentGoderre]
• add the Ocaml ecosystem [#​3112 @​LaurentGoderre]
• Support HAProxy dev [#​3134 #​3180 @​witchcraze]

Bug Fixes

• Fix improper decoding of SPDX license expressions in the CycloneDX format [#​3175 @​NyanKiyoshi]
• improve generated cpes for binaries with existing classifiers [#​3169 @​westonsteimel]
• improve known CPEs and set NVD as source for all current binary classifiers [#​3167 @​westonsteimel]
• Respond to authoratative CPEs from catalogers [#​3166 @​wagoodman]
• Set cataloger names within package cataloger task [#​3165 @​wagoodman]
• use official CPE for curl binary cataloger [#​3164 @​westonsteimel]
• Fix ELF package correlations [#​3151 @​wagoodman]
• no space left and Could not retrieve mirrorlist in test [#​3181 #​3190 @​wagoodman]
• Multiple versions of libssl3 and libcrypto3 present in SBOM while only one version is installed [#​3195]
• CycloneDX convertion into Syft improperly handles SPDX licenses [#​3172]
• Syft Cause stack overflow [goroutine stack exceeds 1000000-byte limit] [#​3163 #​3170 @​kzantow]
• Mysql binary detection version incorrect for 8.0.x [#​3141 #​3142 @​kzantow]

Additional Changes

• Less verbose java logging when non-fatal issues arise [#​3208 @​wagoodman]

(Full Changelog)

v1.11.1

Compare Source

Bug Fixes

• support .kar files [#​3113 @​tomersein]
• logging for remote network calls [#​3140 @​kzantow]
• Pick up CycloneDX BOM components from metadata as well [#​3092 @​dervoeti]
• improve groupid extraction for Jenkins plugins [#​2815 @​westonsteimel]

(Full Changelog)

v1.11.0

Compare Source

Added Features

• Added the SWI Prolog (swipl) ecosystem [#​3076 @​LaurentGoderre]
• Improved java cataloging [#​2769 @​GijsCalis]

Bug Fixes

• Empty version field on some dependencies when reading pom.xml [#​1129 #​2769 @​GijsCalis]
• Support Maven multi-level configuration file / parent POM [#​2017 #​2769 @​GijsCalis]
• DependencyManagement ignored in pom.xml [#​1813 #​2769 @​GijsCalis]
• Version parsing regression for Go binaries [#​3086 #​3087 @​spiffcs]

Additional Changes

• rather than have a hard max recursive depth - syft should detect parent pom cycles [#​2284 #​2769 @​GijsCalis]
• increase java purl generation test coverage [#​3110 @​westonsteimel]
• Updated PackageSupplier to type Organization for JAR files [#​3093 @​harippriyas]
• Ensure accurate java main artifact name retrieval for multi-JARs and refine fallback approach [#​3054 @​dor-hayun]

(Full Changelog)

v1.10.0

Compare Source

Added Features

• Detect go main module from partial package builds [#​3060 @​wagoodman]
• Support traefik in linux/arm/v6, linux/riscv64 [#​3038 #​3077 @​witchcraze]
• Catalog TiDB binary [#​2763]
• Generate a Maven friendly CPE [#​3042 #​3045 @​kzantow]

Bug Fixes

• Only match ldflag version if it matches the main module or targets main.version [#​3062 @​LaurentGoderre]
• python requirements.txt cataloger: allow dots in python package names [#​3070 @​Mikcl]
• SPDX output performance with many relationships [#​3053 @​kzantow]
• Order CPEs deterministically for SBOM reproducibility [#​2967 #​3085 @​kzantow]
• Python packages: name normalization [#​3064 #​3069 @​Mikcl]
• Syft report panics with the golang cataloger [#​3037 #​3043 @​willmurphyscode]

Additional Changes

• add debug logging for errors reading RPM files [#​3051 @​kzantow]

(Full Changelog)

v1.9.0

Compare Source

Added Features

• Add detection of Erlang in Alpine linux [#​2996 @​LaurentGoderre]
• Add version 3 support for swift package manager of the resolved files [#​3001 @​4ell0]
• Map the downloadLocation field for PHP Composer packages [#​3011 @​LaurentGoderre]

Bug Fixes

• Infer the package type from ELF package notes [#​3008 @​wagoodman]
• Order CPEs deterministically for SBOM reproducibility [#​2967 #​3009 @​spiffcs]

(Full Changelog)

v1.8.0

Compare Source

Added Features

• Add CycloneDX 1.6 Support [#​2974 #​2978 @​ragaskar]

Bug Fixes

• Fixed the detection of arangodb 3.12 [#​2979 @​LaurentGoderre]
• Syft tries to create the cache directory at a location that has no permission [#​2984 #​2985 @​kzantow]

(Full Changelog)

v1.7.0

Compare Source

Added Features

• index known CPEs for wordpress plugins and themes [#​2963 @​westonsteimel]
• Consider Author field for wordpress plugins when generating CPEs [#​2946 @​wagoodman]

Bug Fixes

• improve version extraction from ldflags for pingcap TiDB [#​2962 @​westonsteimel]
• Trim whitespace from wordpress values [#​2945 @​wagoodman]
• Issue scanning Poetry Project with Syft 1.6 and cataloger=python-package-cataloger [#​2954 #​2965 @​spiffcs]
• Poetry's multiple constraints seems to break the parser [#​2947 #​2965 @​spiffcs]
• Golang: Search remote licenses not working in a CI pipeline when scanning Docker image [#​2798 #​2852 @​kzantow]

(Full Changelog)

v1.6.0

Compare Source

Added Features

• Add relationships for go binary packages [#​2912 @​wagoodman]
• Add classifier for util-linux [#​2933 @​LaurentGoderre]
• Lua: Add support for more advanced syntax [#​2908 @​LaurentGoderre]
• add license field to ELF binary package metadata [#​2890 @​brian-ebarb]
• install.sh: check checksums file's signature [#​2884 #​2941 @​wagoodman]
• Detect ELF package notes from fedora binaries [#​2713 #​2939 @​wagoodman]

Bug Fixes

• Use redhat as namespace for redhat rpms [#​2914 @​ralphbean]
• Close sqlite driver after testing sqlite availability [#​2922 @​ttc0419]
• syft does not find anything in archives if /tmp is a tmpfs [#​2894 #​2918 @​willmurphyscode]
• Scanning a git repository folder present in /tmp produce an empty sbom [#​2847 #​2918 @​willmurphyscode]

Additional Changes

• update unit tests to use pinned patch version [#​2932 @​spiffcs]
• fix comments and spelling [#​2920 @​dufucun]

(Full Changelog)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

This PR has been generated by MintMaker (powered by Renovate Bot).

[red-hat-konflux]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

[red-hat-konflux]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.