chore(deps): update anchore dependencies (#4098)

* chore(deps): update anchore dependencies Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * address reader close operations Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-17 08:23:15 +01:00 · 2025-07-30 17:23:07 +00:00 · 2025-07-30 17:23:07 +00:00 · bd79463e77
commit bd79463e77
parent 8a7302c5cf
4 changed files with 5 additions and 6 deletions
--- a/go.mod
+++ b/go.mod
@ -24,7 +24,7 @@ require (
 	github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 	github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
 	github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115
-	github.com/anchore/stereoscope v0.1.7
+	github.com/anchore/stereoscope v0.1.8-0.20250730154018-49677c5895c6
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
 	github.com/aquasecurity/go-pep440-version v0.0.1
 	github.com/bitnami/go-version v0.0.0-20250131085805-b1f57a8634ef
--- a/go.sum
+++ b/go.sum
@ -694,8 +694,8 @@ github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZV
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 h1:ZyRCmiEjnoGJZ1+Ah0ZZ/mKKqNhGcUZBl0s7PTTDzvY=
 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
-github.com/anchore/stereoscope v0.1.7 h1:lfxOwiTmIMCjoHm8NNnE/KyAPrkWD28xSSM3xANIKdw=
+github.com/anchore/stereoscope v0.1.8-0.20250730154018-49677c5895c6 h1:NZCXk1HsfLDNbEmQdnM10xPOhWBn2ZLT+6m4zNWkoyA=
-github.com/anchore/stereoscope v0.1.7/go.mod h1:YlrdUIQeJze0jYQbcxyi2m6p9r8emHhcB5ouXGIg77Q=
+github.com/anchore/stereoscope v0.1.8-0.20250730154018-49677c5895c6/go.mod h1:VA9zyFcUzN7GIFsXfe8lj3Z6Ocs4CP5QZqbmFc1I7ag=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/andybalholm/brotli v1.1.2-0.20250424173009-453214e765f3 h1:8PmGpDEZl9yDpcdEr6Odf23feCxK3LNUNMxjXg41pZQ=
--- a/syft/pkg/cataloger/debian/package.go
+++ b/syft/pkg/cataloger/debian/package.go
@ -133,6 +133,7 @@ func addLicenses(ctx context.Context, resolver file.Resolver, dbLocation file.Lo
 	if len(licenseStrs) == 0 {
 		sr, sl := fetchCopyrightContents(resolver, dbLocation, metadata)
 		if sr != nil && sl != nil {
 			defer internal.CloseAndLogError(sr, sl.AccessPath)
 			p.Licenses.Add(pkg.NewLicensesFromReadCloserWithContext(ctx, file.NewLocationReadCloser(*sl, sr))...)
 		}
 	}
@ -292,11 +293,10 @@ func fetchCopyrightContents(resolver file.Resolver, dbLocation file.Location, m
 		return nil, nil
 	}
-	reader, err := resolver.FileContentsByLocation(*location)
+	reader, err := resolver.FileContentsByLocation(*location) //nolint:gocritic // since we're returning the reader, it's up to the caller to close it
 	if err != nil {
 		log.Tracef("failed to fetch deb copyright contents (package=%s): %s", m.Package, err)
 	}
 	defer internal.CloseAndLogError(reader, location.RealPath)
 	l := location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.SupportingEvidenceAnnotation)
--- a/syft/pkg/cataloger/dotnet/libman_json.go
+++ b/syft/pkg/cataloger/dotnet/libman_json.go
@ -98,7 +98,6 @@ func findLibmanJSON(resolver file.Resolver, depsJSON file.Location) (*libmanJSON
 	if err != nil {
 		return nil, err
 	}
 	internal.CloseAndLogError(reader, loc.RealPath)
 	lj, err := newLibmanJSON(file.NewLocationReadCloser(*loc, reader))
 	if err != nil {