deps: update module github.com/anchore/syft to v1.16.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/anchore/syft	v1.11.1 -> v1.16.0

---

Release Notes

anchore/syft (github.com/anchore/syft)

v1.16.0

Compare Source

Added Features

• omit devDependencies for package-lock.json files by default [#​2348 #​3371 @​njv299]

Bug Fixes

• add support for dependencies and purl for Native Image SBOMs [#​3399 @​rudsberg]
• stop bubbling fileResolver errors from binary cataloger [#​3410 @​spiffcs]
• malformed pom.xml may cause recursive loop [#​3391 @​kzantow]
• syft convert: broken link in help - documentation no longer existing [#​3143 #​3407 @​Makefolder]

(Full Changelog)

v1.15.0

Compare Source

Added Features

• Merge config files hierarchically and add support for config profiles [#​3337 @​kzantow]
• Enable cargo-auditable-binary-cataloger for files/directories [#​3376 @​ariel-miculas]
• Improve mariadb binary classifer to detect older versions [#​3052]
• Look for dpkg status file at additional globs [#​2692 #​3373 @​njv299]
• Emit relationships for Java dependencies [#​3189 #​3363 @​kzantow]

(Full Changelog)

v1.14.2

Compare Source

Bug Fixes

• Use single license scanner for all catalogers [#​3348 @​wagoodman]
• use official CPE for linux kernel [#​3343 @​westonsteimel]
• improve mariadb binary classifer to detect older versions [#​3339 @​westonsteimel]

Additional Changes

• Update to latest packageurl-go [#​3347 @​wagoodman]

(Full Changelog)

v1.14.1

Compare Source

Bug Fixes

• stop some log.Warn spam due parsing an empty string as a CPE [#​3330 @​willmurphyscode]
• improve go binary semver extraction for traefik [#​3325 @​westonsteimel]

(Full Changelog)

v1.14.0

Compare Source

Added Features

• Report known unknowns directly in the output SBOM [#​518 #​2998 @​kzantow]
• Identify bash.preinst [#​3191 #​3228 @​wagoodman]
• Support HAProxy rc and some old versions [#​3233 #​3277 @​witchcraze]
• Support Redis arm/v5, arm/v7, 386 in 7.2, 7.4, 8.0 [#​3279 #​3281 @​witchcraze]
• Support node old versions [#​3236 #​3284 @​witchcraze]
• Support rubylang/ruby dev versions [#​3239 #​3285 @​witchcraze]
• Support ruby rc, preview [#​3238 #​3285 @​witchcraze]

Bug Fixes

• performance: instantiate license check scanner to prevent memory leak [#​3290 @​govrin]
• Parse package.json with non-standard fields in 'author' section [#​3300 @​nuada]
• make failed CPE validation correctly return error [#​2762 @​willmurphyscode]
• Improve subpath to mount matching [#​3269 @​cdupuis]

Additional Changes

• add pull request template [#​3294 @​willmurphyscode]

(Full Changelog)

v1.13.0

Compare Source

Added Features

• --enrich flag for data enrichment feature enablement [#​3182 @​kzantow]
• Add classifier for Dart lang [#​3265 @​LaurentGoderre]
• add binary classifiers for lighttp, proftpd, zstd, xz, gzip, jq, and sqlcipher [#​3252 @​krysgor]
• Catalog JDKs more completely [#​3188 #​3217 @​wagoodman]
• Show richer information for JVM installations [#​1426 #​3217 @​wagoodman]
• Allow for stubbing unknown versions over dropping packages [#​2652 #​3257 @​wagoodman]
• Name and Version empty for Java package when scanning provided image [#​2132 #​3257 @​wagoodman]
• Support bitnami/mysql:8.x [#​3025]

Bug Fixes

• OpenJDK CPEs [#​2422 #​3217 @​wagoodman]
• SBOM generated from poetry lock file contains no license information on any dependencies [#​3204]
• Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant) [#​2039 #​3257 @​wagoodman]
• Using replace in a go.mod creates a SPDX package without versionInfo (Non-NTIA compliant) [#​2038 #​3257 @​wagoodman]
• Command make add-snippet can fail in some cases [#​3249]

(Full Changelog)

v1.12.2

Compare Source

Added Features

• Detect curl binaries [#​3146 @​krysgor]
• Add haskell binaries cataloger [#​3078 @​LaurentGoderre]
• add the Ocaml ecosystem [#​3112 @​LaurentGoderre]
• Support HAProxy dev [#​3134 #​3180 @​witchcraze]

Bug Fixes

• Fix improper decoding of SPDX license expressions in the CycloneDX format [#​3175 @​NyanKiyoshi]
• improve generated cpes for binaries with existing classifiers [#​3169 @​westonsteimel]
• improve known CPEs and set NVD as source for all current binary classifiers [#​3167 @​westonsteimel]
• Respond to authoratative CPEs from catalogers [#​3166 @​wagoodman]
• Set cataloger names within package cataloger task [#​3165 @​wagoodman]
• use official CPE for curl binary cataloger [#​3164 @​westonsteimel]
• Fix ELF package correlations [#​3151 @​wagoodman]
• no space left and Could not retrieve mirrorlist in test [#​3181 #​3190 @​wagoodman]
• Multiple versions of libssl3 and libcrypto3 present in SBOM while only one version is installed [#​3195]
• CycloneDX convertion into Syft improperly handles SPDX licenses [#​3172]
• Syft Cause stack overflow [goroutine stack exceeds 1000000-byte limit] [#​3163 #​3170 @​kzantow]
• Mysql binary detection version incorrect for 8.0.x [#​3141 #​3142 @​kzantow]

Additional Changes

• Less verbose java logging when non-fatal issues arise [#​3208 @​wagoodman]

(Full Changelog)

v1.12.1

Compare Source

v1.12.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 45 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.22.5 -> 1.23.3
github.com/anchore/stereoscope	v0.0.3 -> v0.0.6-0.20241101185849-cbd43fb4e5d3
dario.cat/mergo	v1.0.0 -> v1.0.1
github.com/CycloneDX/cyclonedx-go	v0.9.0 -> v0.9.1
github.com/Masterminds/semver/v3	v3.2.0 -> v3.3.0
github.com/Masterminds/sprig/v3	v3.2.3 -> v3.3.0
github.com/Microsoft/go-winio	v0.6.1 -> v0.6.2
github.com/Microsoft/hcsshim	v0.11.4 -> v0.11.7
github.com/adrg/xdg	v0.5.0 -> v0.5.3
github.com/anchore/clio	v0.0.0-20240522144804-d81e109008aa -> v0.0.0-20241015191535-f538a9016e10
github.com/anchore/fangs	v0.0.0-20240508143433-f016b099950f -> v0.0.0-20241014201141-b6e4b3469f10
github.com/anchore/packageurl-go	v0.1.1-0.20240507183024-848e011fc24f -> v0.1.1-0.20241018175412-5c22e6360c4f
github.com/bmatcuk/doublestar/v4	v4.6.1 -> v4.7.1
github.com/charmbracelet/lipgloss	v0.12.1 -> v1.0.0
github.com/charmbracelet/x/ansi	v0.1.4 -> v0.4.2
github.com/containerd/containerd	v1.7.13 -> v1.7.23
github.com/containerd/ttrpc	v1.2.2 -> v1.2.5
github.com/cyphar/filepath-securejoin	v0.2.4 -> v0.2.5
github.com/docker/cli	v27.1.1+incompatible -> v27.3.1+incompatible
github.com/docker/docker	v27.1.2+incompatible -> v27.3.1+incompatible
github.com/felixge/httpsnoop	v1.0.3 -> v1.0.4
github.com/gabriel-vasile/mimetype	v1.4.4 -> v1.4.6
github.com/github/go-spdx/v2	v2.3.1 -> v2.3.2
github.com/go-git/go-billy/v5	v5.5.0 -> v5.6.0
github.com/huandu/xstrings	v1.3.3 -> v1.5.0
github.com/mattn/go-runewidth	v0.0.15 -> v0.0.16
github.com/moby/sys/user	v0.1.0 -> v0.3.0
github.com/pelletier/go-toml/v2	v2.1.0 -> v2.2.2
github.com/shopspring/decimal	v1.2.0 -> v1.4.0
github.com/spf13/cast	v1.6.0 -> v1.7.0
github.com/spf13/viper	v1.18.2 -> v1.19.0
github.com/sylabs/sif/v2	v2.17.1 -> v2.19.2
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.45.0 -> v0.49.0
go.opentelemetry.io/otel	v1.19.0 -> v1.24.0
go.opentelemetry.io/otel/metric	v1.19.0 -> v1.24.0
go.opentelemetry.io/otel/trace	v1.19.0 -> v1.24.0
golang.org/x/crypto	v0.27.0 -> v0.28.0
golang.org/x/mod	v0.20.0 -> v0.21.0
google.golang.org/genproto	v0.0.0-20231106174013-bbf56f31fb17 -> v0.0.0-20240213162025-012b6fc9bca9
google.golang.org/genproto/googleapis/rpc	v0.0.0-20231120223509-83a465c0220f -> v0.0.0-20240314234333-6e1732d8331c
google.golang.org/grpc	v1.59.0 -> v1.62.1
golang.org/x/net	v0.28.0 -> v0.30.0
golang.org/x/sys	v0.25.0 -> v0.26.0
golang.org/x/term	v0.24.0 -> v0.25.0
golang.org/x/text	v0.18.0 -> v0.19.0
google.golang.org/appengine	v1.6.7 -> v1.6.8