chore(deps): update tools to latest versions (#4630)

* chore(deps): update tools to latest versions

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(lint): fix errors in new golangci-lint

Two fixes:

First, replace sb.WriteString(fmt.Sprintf(...)) with fmt.Fprintf(&sb, ...)
Second, suppress errors where we read from the local file system at a
user provided path. This is a CLI tool, and reads from user provided
paths on the local file system by design.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>

.binny.yaml

@@ -26,7 +26,7 @@ tools:
   # used for linting
   - name: golangci-lint
     version:
-      want: v2.9.0
+      want: v2.11.2
     method: github-release
     with:
       repo: golangci/golangci-lint
@@ -42,7 +42,7 @@ tools:
   # used for signing the checksums file at release
   - name: cosign
     version:
-      want: v3.0.4
+      want: v3.0.5
     method: github-release
     with:
       repo: sigstore/cosign
@@ -58,7 +58,7 @@ tools:
   # used to release all artifacts
   - name: goreleaser
     version:
-      want: v2.13.3
+      want: v2.14.2
     method: github-release
     with:
       repo: goreleaser/goreleaser
@@ -90,7 +90,7 @@ tools:
   # used for running all local and CI tasks
   - name: task
     version:
-      want: v3.48.0
+      want: v3.49.1
     method: github-release
     with:
       repo: go-task/task
@@ -98,7 +98,7 @@ tools:
   # used for triggering a release
   - name: gh
     version:
-      want: v2.86.0
+      want: v2.87.3
     method: github-release
     with:
       repo: cli/cli

cmd/syft/cli/ui/handle_attestation.go

@@ -219,7 +219,7 @@ func (l attestLogFrame) View() string {
 	sb := strings.Builder{}
 
 	for _, line := range l.lines {
-		sb.WriteString(fmt.Sprintf("     %s %s\n", l.borderStype.Render("░░"), line))
+		fmt.Fprintf(&sb, "     %s %s\n", l.borderStype.Render("░░"), line)
 	}
 
 	return sb.String()

cmd/syft/internal/options/writer.go

@@ -122,7 +122,7 @@ func formatVersionOptions(nameVersionPairs []string) string {
 	for _, name := range sortedAvailableFormats {
 		s.WriteString("\n")
 
-		s.WriteString(fmt.Sprintf("   - %s", name))
+		fmt.Fprintf(&s, "   - %s", name)
 
 		if len(availableVersions[name]) > 0 {
 			s.WriteString(" @ ")

examples/decode_sbom/main.go

@@ -44,7 +44,8 @@ func sbomReader() io.Reader {
 		reader = strings.NewReader(sbomContents)
 	} else {
 		var err error
-		reader, err = os.Open(os.Args[1])
+		// suppress gosec error: reads from local file system by design
+		reader, err = os.Open(os.Args[1]) //nolint:gosec
 		if err != nil {
 			panic(err)
 		}

syft/pkg/cataloger/golang/upx.go

@@ -509,7 +509,7 @@ func decompressLZMA(compressedData []byte, uncompressedSize uint32) ([]byte, err
 
 	// construct standard 13-byte LZMA header
 	header := make([]byte, 13)
-	header[0] = props //nolint:gosec
+	header[0] = props
 	binary.LittleEndian.PutUint32(header[1:5], dictSize)
 	binary.LittleEndian.PutUint64(header[5:13], uint64(uncompressedSize))
 

syft/pkg/cataloger/lua/rockspec_parser.go

@@ -376,7 +376,7 @@ out:
 			if c != ']' {
 				return "", fmt.Errorf("unterminated literal at %d", *i)
 			}
-			buf.WriteString(fmt.Sprintf("[\"%s\"]", nested.String()))
+			fmt.Fprintf(&buf, "[\"%s\"]", nested.String())
 		case isLiteral(c):
 			buf.WriteByte(c)
 		default: