From bd79463e77cafea8939d7854768d5603ffdb7f87 Mon Sep 17 00:00:00 2001 From: "anchore-actions-token-generator[bot]" <102182147+anchore-actions-token-generator[bot]@users.noreply.github.com> Date: Wed, 30 Jul 2025 17:23:07 +0000 Subject: [PATCH] chore(deps): update anchore dependencies (#4098) * chore(deps): update anchore dependencies Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * address reader close operations Signed-off-by: Alex Goodman --------- Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Alex Goodman Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman --- go.mod | 2 +- go.sum | 4 ++-- syft/pkg/cataloger/debian/package.go | 4 ++-- syft/pkg/cataloger/dotnet/libman_json.go | 1 - 4 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index f19f616fe..89f4ec80a 100644
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115
- github.com/anchore/stereoscope v0.1.7
+ github.com/anchore/stereoscope v0.1.8-0.20250730154018-49677c5895c6
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
 github.com/aquasecurity/go-pep440-version v0.0.1
 github.com/bitnami/go-version v0.0.0-20250131085805-b1f57a8634ef
diff --git a/go.sum b/go.sum
index f40dd3543..5e3cc2e78 100644
--- a/go.sum
+++ b/go.sum
@@ -694,8 +694,8 @@ github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZV github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E= github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 h1:ZyRCmiEjnoGJZ1+Ah0ZZ/mKKqNhGcUZBl0s7PTTDzvY= github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI= -github.com/anchore/stereoscope v0.1.7 h1:lfxOwiTmIMCjoHm8NNnE/KyAPrkWD28xSSM3xANIKdw= -github.com/anchore/stereoscope v0.1.7/go.mod h1:YlrdUIQeJze0jYQbcxyi2m6p9r8emHhcB5ouXGIg77Q= +github.com/anchore/stereoscope v0.1.8-0.20250730154018-49677c5895c6 h1:NZCXk1HsfLDNbEmQdnM10xPOhWBn2ZLT+6m4zNWkoyA= +github.com/anchore/stereoscope v0.1.8-0.20250730154018-49677c5895c6/go.mod h1:VA9zyFcUzN7GIFsXfe8lj3Z6Ocs4CP5QZqbmFc1I7ag= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/andybalholm/brotli v1.1.2-0.20250424173009-453214e765f3 h1:8PmGpDEZl9yDpcdEr6Odf23feCxK3LNUNMxjXg41pZQ=
diff --git a/syft/pkg/cataloger/debian/package.go b/syft/pkg/cataloger/debian/package.go
index 5dd3c8c17..88102da6e 100644
--- a/syft/pkg/cataloger/debian/package.go
+++ b/syft/pkg/cataloger/debian/package.go
@@ -133,6 +133,7 @@ func addLicenses(ctx context.Context, resolver file.Resolver, dbLocation file.Lo
 if len(licenseStrs) == 0 {
 sr, sl := fetchCopyrightContents(resolver, dbLocation, metadata)
 if sr != nil && sl != nil {
+ defer internal.CloseAndLogError(sr, sl.AccessPath)
 p.Licenses.Add(pkg.NewLicensesFromReadCloserWithContext(ctx, file.NewLocationReadCloser(*sl, sr))...)
 }
 }
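Review bot: The path handed to the deferred close in addLicenses differs from the one the removed calls logged: the new line passes `sl.AccessPath`, while the close it replaces in fetchCopyrightContents used `location.RealPath` and the libman_json.go call used `loc.RealPath`. If those two fields can differ for a location, a close failure is now reported under a different name than before; `defer internal.CloseAndLogError(sr, sl.RealPath)` would keep the log messages consistent. The defer is also registered only when both `sr` and `sl` are non-nil, so a non-nil reader paired with a nil location would never be closed; the visible early return gives `nil, nil`, which suggests that pairing does not occur, but a one-line comment stating the invariant would help. addLicenses starts and ends outside the hunk.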
@@ -292,11 +293,10 @@ func fetchCopyrightContents(resolver file.Resolver, dbLocation file.Location, m
 return nil, nil
 }
- reader, err := resolver.FileContentsByLocation(*location)
+ reader, err := resolver.FileContentsByLocation(*location) //nolint:gocritic // since we're returning the reader, it's up to the caller to close it
 if err != nil {
 log.Tracef("failed to fetch deb copyright contents (package=%s): %s", m.Package, err)
 }
- defer internal.CloseAndLogError(reader, location.RealPath)
 l := location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.SupportingEvidenceAnnotation)
diff --git a/syft/pkg/cataloger/dotnet/libman_json.go b/syft/pkg/cataloger/dotnet/libman_json.go
index 4483a5cb4..7f585eb08 100644
--- a/syft/pkg/cataloger/dotnet/libman_json.go
+++ b/syft/pkg/cataloger/dotnet/libman_json.go
@@ -98,7 +98,6 @@ func findLibmanJSON(resolver file.Resolver, depsJSON file.Location) (*libmanJSON
 if err != nil {
 return nil, err
 }
- internal.CloseAndLogError(reader, loc.RealPath)
 lj, err := newLibmanJSON(file.NewLocationReadCloser(*loc, reader))
 if err != nil {
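Review bot: Ownership of the reader returned by fetchCopyrightContents is recorded only in a trailing `//nolint:gocritic` comment on the FileContentsByLocation call; the contract belongs in the function's doc comment, for example `// The caller is responsible for closing the returned reader when it is non-nil.`, so that any other caller not shown here closes it too. The `if err != nil` branch still only logs and falls through, so the function appears to rely on the reader being nil after a failed lookup (the return statement is outside the hunk); an explicit `return nil, nil` in that branch would make the failure path unambiguous. The libman_json.go hunk below removes the early `internal.CloseAndLogError(reader, loc.RealPath)` without a visible replacement, so confirm that newLibmanJSON closes the reader it is handed, otherwise findLibmanJSON leaks the file handle on every call. Both functions start and end outside their hunks.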