.binny.yaml

@@ -1,13 +1,8 @@
-# only pull in version updates that were released more than a week ago (low-pass filter for quickly-retracted releases)
-cooldown: 7d
-
 tools:
-  ## internal tools ############################################################################
-
   # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
   - name: binny
     version:
-      want: v0.13.0
+      want: v0.11.3
     method: github-release
     with:
       repo: anchore/binny
@@ -15,7 +10,7 @@ tools:
   # used to produce SBOMs during release
   - name: syft
     version:
-      want: v1.42.3
+      want: latest
     method: github-release
     with:
       repo: anchore/syft
@@ -23,25 +18,15 @@ tools:
   # used to sign mac binaries at release
   - name: quill
     version:
-      want: v0.7.1
+      want: v0.5.1
     method: github-release
     with:
       repo: anchore/quill
 
-  # used at release to generate the changelog
-  - name: chronicle
-    version:
-      want: v0.8.0
-    method: github-release
-    with:
-      repo: anchore/chronicle
-
-  ## external tools ############################################################################
-
   # used for linting
   - name: golangci-lint
     version:
-      want: v2.11.4
+      want: v2.9.0
     method: github-release
     with:
       repo: golangci/golangci-lint
@@ -57,7 +42,7 @@ tools:
   # used for signing the checksums file at release
   - name: cosign
     version:
-      want: v3.0.5
+      want: v3.0.4
     method: github-release
     with:
       repo: sigstore/cosign
@@ -73,7 +58,7 @@ tools:
   # used to release all artifacts
   - name: goreleaser
     version:
-      want: v2.15.2
+      want: v2.13.3
     method: github-release
     with:
       repo: goreleaser/goreleaser
@@ -86,6 +71,14 @@ tools:
     with:
       repo: rinchsan/gosimports
 
+  # used at release to generate the changelog
+  - name: chronicle
+    version:
+      want: v0.8.0
+    method: github-release
+    with:
+      repo: anchore/chronicle
+
   # used during static analysis for license compliance
   - name: bouncer
     version:
@@ -97,7 +90,7 @@ tools:
   # used for running all local and CI tasks
   - name: task
     version:
-      want: v3.49.1
+      want: v3.48.0
     method: github-release
     with:
       repo: go-task/task
@@ -105,7 +98,7 @@ tools:
   # used for triggering a release
   - name: gh
     version:
-      want: v2.89.0
+      want: v2.86.0
     method: github-release
     with:
       repo: cli/cli
@@ -113,7 +106,7 @@ tools:
   # used to upload test fixture cache
   - name: oras
     version:
-      want: v1.3.1
+      want: v1.3.0
     method: github-release
     with:
       repo: oras-project/oras
@@ -121,7 +114,7 @@ tools:
   # used to upload test fixture cache
   - name: yq
     version:
-      want: v4.52.5
+      want: v4.52.4
     method: github-release
     with:
       repo: mikefarah/yq

.github/actions/bootstrap/action.yaml

@@ -5,7 +5,7 @@ inputs:
   go-version:
     description: "Go version to install"
     required: true
-    default: "1.26.x"
+    default: "1.25.x"
   go-dependencies:
     description: "Download go dependencies"
     required: true
@@ -29,7 +29,7 @@ runs:
   using: "composite"
   steps:
     # note: go mod and build is automatically cached on default with v4+
-    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+    - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
       if: inputs.go-version != ''
       with:
         go-version: ${{ inputs.go-version }}

.github/dependabot.yml

@@ -23,11 +23,6 @@ updates:
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
-    ignore:
-      - dependency-name: "github.com/aquasecurity/go-pep440-version"
-      - dependency-name: "github.com/aquasecurity/go-version"
-      - dependency-name: "github.com/knqyf263/go-apk-version"
-      - dependency-name: "github.com/knqyf263/go-deb-version"
     groups:
       go-minor-patch:
         applies-to: version-updates  # security updates get individual PRs
@@ -40,7 +35,7 @@ updates:
   - package-ecosystem: "github-actions"
     directories:
       - "/"
-      - "/.github/actions/*"
+      - "/.github/actions/bootstrap"
     cooldown:
       default-days: 7
     schedule:

.github/scripts/capability-drift-check.sh

@@ -6,7 +6,7 @@ if [ "$(git status --porcelain | wc -l)" -ne "0" ]; then
   exit 1
 fi
 
-if ! make generate-capabilities REFRESH=false; then
+if ! make generate-capabilities; then
   echo "Generating capability descriptions failed"
   exit 1
 fi

.github/scripts/fingerprint_docker_fixtures.py

@@ -33,9 +33,9 @@ def is_git_tracked_or_untracked(directory):
 
 
 def find_test_fixture_dirs_with_images(base_dir):
-    """Find directories that contain 'testdata' and at least one 'image-*' directory."""
+    """Find directories that contain 'test-fixtures' and at least one 'image-*' directory."""
     for root, dirs, files in os.walk(base_dir):
-        if 'testdata' in root:
+        if 'test-fixtures' in root:
             image_dirs = [d for d in dirs if d.startswith('image-')]
             if image_dirs:
                 yield os.path.realpath(root)

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,76 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL Security Scan"
+
+on:
+  push:
+    branches:
+      # only run when there are pushes to the main branch (not on PRs)
+      - main
+
+  schedule:
+    - cron: '0 0 * * 3'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-22.04-4core-16gb
+    if: github.repository == 'anchore/syft' # only run for main repo
+    permissions:
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['go', 'python']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      with:
+        persist-credentials: false
+
+    - name: Install Go
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 #v6.2.0
+      with:
+        go-version-file: go.mod
+        check-latest: true
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file. 
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10

.github/workflows/codeql.yaml

@@ -1,81 +0,0 @@
-# CodeQL scans for security vulnerabilities and coding errors across all
-# languages in this repo. Results appear in the "Security" tab under
-# "Code scanning alerts" and are enforced by branch protection rules.
-name: "CodeQL"
-
-on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
-  # Weekly scheduled scan catches newly disclosed vulnerabilities in
-  # existing code, not just changes introduced by PRs.
-  schedule:
-    - cron: '38 11 * * 3'
-
-jobs:
-  analyze:
-    name: Analyze (${{ matrix.language }})
-    runs-on: ubuntu-latest
-    permissions:
-      # Required to upload SARIF results to the "Security" tab.
-      security-events: write
-      # Required to fetch internal or private CodeQL packs.
-      packages: read
-      # Only required for workflows in private repositories.
-      actions: read
-      contents: read
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          # GitHub Actions workflow linting — no build needed.
-          - language: actions
-            build-mode: none
-
-          # Go uses "manual" build mode so we control exactly what gets
-          # compiled. The default "autobuild" finds the Makefile and runs
-          # the full CI pipeline (lint, test, snapshot release, etc.),
-          # which is far more work than CodeQL needs. All it requires is
-          # compiled Go source so it can build a type-resolved code graph
-          # for analysis.
-          - language: go
-            build-mode: manual
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-        with:
-          persist-credentials: false
-
-      # Pin the Go toolchain to whatever go.mod declares so CodeQL
-      # analyzes with the same version the project actually uses.
-      # Only runs for the Go matrix entry.
-      - name: Setup Go
-        if: matrix.language == 'go'
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-        with:
-          go-version-file: go.mod
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
-        with:
-          languages: ${{ matrix.language }}
-          build-mode: ${{ matrix.build-mode }}
-
-      # Minimal build for Go: compile all packages so CodeQL gets a full
-      # type-resolved code graph for analysis.
-      - name: Build (Go)
-        if: matrix.build-mode == 'manual'
-        shell: bash
-        run: go build ./...
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
-        with:
-          # The category tag lets GitHub associate SARIF results with the
-          # correct language when branch protection checks for required
-          # code scanning results.
-          category: "/language:${{matrix.language}}"

.github/workflows/detect-schema-changes.yaml

@@ -1,5 +1,3 @@
-# Note: this workflow has been disabled manually in the UI and will be replaced in short order
-
 name: "Detect schema changes"
 
 on:
@@ -39,8 +37,6 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           persist-credentials: false
-          repository: anchore/syft # IMPORTANT! An additional protection that this is checking out code from the expected repository 
-          ref: main # IMPORTANT!  It is CRITICAL that this only ever considers the code from main and NEVER EVER from a fork.
 
       - run: python .github/scripts/labeler.py
         env:
@@ -50,7 +46,7 @@ jobs:
 
       - name: Delete existing comment
         if: ${{ hashFiles( env.CI_COMMENT_FILE ) == '' }}
-        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 #v3.0.2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 #v2.9.4
         with:
           header: ${{ env.COMMENT_HEADER }}
           hide: true
@@ -58,7 +54,7 @@ jobs:
 
       - name: Add comment
         if: ${{ hashFiles( env.CI_COMMENT_FILE ) != '' }}
-        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 #v3.0.2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 #v2.9.4
         with:
           header: ${{ env.COMMENT_HEADER }}
           path: ${{ env.CI_COMMENT_FILE }}

.github/workflows/release.yaml

@@ -150,13 +150,13 @@ jobs:
         uses: ./.github/actions/bootstrap
 
       - name: Login to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  #v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  #v3.7.0
         with:
           username: ${{ secrets.ANCHOREOSSWRITE_DH_USERNAME }}
           password: ${{ secrets.ANCHOREOSSWRITE_DH_PAT }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  #v4.0.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  #v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -186,14 +186,14 @@ jobs:
           # for updating brew formula in anchore/homebrew-syft
           GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }}
 
-      - uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 #v0.23.0
+      - uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad #v0.22.2
         continue-on-error: true
         with:
           file: go.mod
           artifact-name: sbom.spdx.json
 
       - name: Notify Slack of new release
-        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 #v3.0.1
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a #v2.1.1
         continue-on-error: true
         with:
           webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}

.github/workflows/test-fixture-cache-publish.yaml

@@ -0,0 +1,48 @@
+name: "Test fixture cache: publish"
+
+on:
+  workflow_dispatch:
+  schedule:
+    # run nightly at 4AM UTC
+    - cron: "0 4 * * *"
+
+permissions:
+  contents: read
+
+jobs:
+
+  Publish:
+    name: "Publish test fixture image cache"
+    # runs-on.com: general purpose instances for building test fixture cache
+    #   spot disabled: can run up to an hour, avoid interruptions
+    #   s3-cache: faster actions cache
+    #   family: note that m*d instances have local nvme storage which is beneficial for building large test fixture images
+    runs-on: "runs-on=${{ github.run_id }}/cpu=8+16/ram=32+64/family=m5d+m5ad+m5dn+m6gd+m6id+m6idn+m7gd+m8gd/spot=false/extras=s3-cache"
+    if: github.repository == 'anchore/syft' # only run for main repo
+    permissions:
+      packages: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+        with:
+          # we want to rebuild the cache with no previous state
+          download-test-fixture-cache: false
+
+      - name: Run all tests
+        run: |
+          make test
+        env:
+          # we want to rebuild the cache with no previous state
+          DOWNLOAD_TEST_FIXTURE_CACHE: "false"
+
+      - name: Login to GitHub Container Registry (ORAS)
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | .tool/oras login ghcr.io -u "$ACTOR" --password-stdin
+        env:
+          ACTOR: ${{ github.actor }}
+
+      - name: Publish test fixture cache
+        run: make upload-test-fixture-cache

.github/workflows/update-anchore-dependencies.yml

@@ -0,0 +1,51 @@
+name: PR to update Anchore dependencies
+on:
+  workflow_dispatch:
+    inputs:
+      repos:
+        description: "List of dependencies to update"
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'anchore' # only run for main repo (not forks)
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+        with:
+          tools: false
+          bootstrap-apt-packages: ""
+
+      - name: Update dependencies
+        id: update
+        uses: anchore/workflows/.github/actions/update-go-dependencies@main
+        with:
+          repos: ${{ github.event.inputs.repos }}
+
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
+        id: generate-token
+        with:
+          app-id: ${{ secrets.TOKEN_APP_ID }}
+          private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0
+        with:
+          signoff: true
+          delete-branch: true
+          draft: ${{ steps.update.outputs.draft }}
+          # do not change this branch, as other workflows depend on it
+          branch: auto/integration
+          labels: dependencies,pre-release
+          commit-message: "chore(deps): update anchore dependencies"
+          title: "chore(deps): update anchore dependencies"
+          body: ${{ steps.update.outputs.summary }}
+          token: ${{ steps.generate-token.outputs.token }}

.github/workflows/update-bootstrap-tools.yml

@@ -0,0 +1,67 @@
+name: PR for latest versions of tools
+on:
+  schedule:
+    - cron: "0 8 * * *" # 3 AM EST
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  update-bootstrap-tools:
+    runs-on: ubuntu-latest
+    if: github.repository == 'anchore/syft' # only run for main repo
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+        with:
+          bootstrap-apt-packages: ""
+          go-dependencies: false
+
+      - name: "Update tool versions"
+        id: latest-versions
+        run: |
+          make update-tools
+          make list-tools
+          
+          export NO_COLOR=1
+          delimiter="$(openssl rand -hex 8)"
+          
+          {
+            echo "status<<${delimiter}"
+            make list-tool-updates
+            echo "${delimiter}"
+          } >> $GITHUB_OUTPUT
+          
+          {
+            echo "### Tool version status"
+            echo "\`\`\`"
+            make list-tool-updates
+            echo "\`\`\`"
+          } >> $GITHUB_STEP_SUMMARY
+
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
+        id: generate-token
+        with:
+          app-id: ${{ secrets.TOKEN_APP_ID }}
+          private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0
+        with:
+          signoff: true
+          delete-branch: true
+          branch: auto/latest-tools
+          labels: dependencies
+          commit-message: 'chore(deps): update tools to latest versions'
+          title: 'chore(deps): update tools to latest versions'
+          body: |
+            ```
+            ${{ steps.latest-versions.outputs.status }}
+            ```
+            This is an auto-generated pull request to update all of the tools to the latest versions.
+          token: ${{ steps.generate-token.outputs.token }}

.github/workflows/update-cpe-dictionary-index.yml

@@ -0,0 +1,84 @@
+name: PR to update CPE dictionary index
+on:
+  schedule:
+    - cron: "0 1 * * 1" # every monday at 1 AM
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  SLACK_NOTIFICATIONS: true
+
+jobs:
+  upgrade-cpe-dictionary-index:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    if: github.repository == 'anchore/syft' # only run for main repo
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+        id: bootstrap
+
+      - name: Login to GitHub Container Registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | .tool/oras login ghcr.io -u "$ACTOR" --password-stdin
+        env:
+          ACTOR: ${{ github.actor }}
+
+      - name: Pull CPE cache from registry
+        run: make generate:cpe-index:cache:pull
+
+      - name: Update CPE cache from NVD API
+        run: make generate:cpe-index:cache:update
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+
+      - name: Generate CPE dictionary index
+        run: make generate:cpe-index:build
+
+      - name: Push updated CPE cache to registry
+        run: make generate:cpe-index:cache:push
+
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
+        id: generate-token
+        with:
+          app-id: ${{ secrets.TOKEN_APP_ID }}
+          private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0
+        with:
+          signoff: true
+          delete-branch: true
+          branch: auto/latest-cpe-dictionary-index
+          labels: dependencies
+          commit-message: "chore(deps): update CPE dictionary index"
+          title: "chore(deps): update CPE dictionary index"
+          body: |
+            Update CPE dictionary index based on the latest available CPE dictionary
+          token: ${{ steps.generate-token.outputs.token }}
+
+      - name: Notify Slack on failure
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a #v2.1.1
+        with:
+          webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
+          payload: |
+            text: "Syft CPE dictionary index update failed"
+            blocks:
+              - type: section
+                text:
+                  type: mrkdwn
+                  text: |
+                    *Syft CPE dictionary index update failed*
+                    • Workflow: `${{ github.workflow }}`
+                    • Event: `${{ github.event_name }}`
+                    • Job Status: `${{ job.status }}`
+                    • <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Run>
+        if: ${{ failure() && env.SLACK_NOTIFICATIONS == 'true' }}

.github/workflows/update-spdx-license-list.yaml

@@ -0,0 +1,64 @@
+name: PR to update SPDX license list
+on:
+  schedule:
+    - cron: "0 6 * * 1" # every monday at 6 AM UTC
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  SLACK_NOTIFICATIONS: true
+
+jobs:
+  upgrade-spdx-license-list:
+    runs-on: ubuntu-latest
+    if: github.repository == 'anchore/syft' # only run for main repo
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+
+      - run: |
+          make generate-license-list
+
+      - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.TOKEN_APP_ID }}
+          private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0
+        with:
+          signoff: true
+          delete-branch: true
+          branch: auto/latest-spdx-license-list
+          labels: dependencies
+          commit-message: "chore(deps): update SPDX license list"
+          title: "chore(deps): update SPDX license list"
+          body: |
+            Update SPDX license list based on the latest available list from spdx.org
+          token: ${{ steps.generate-token.outputs.token }}
+
+      - name: Notify Slack on failure
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a #v2.1.1
+        with:
+          webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
+          payload: |
+            text: "Syft SPDX license list update failed"
+            blocks:
+              - type: section
+                text:
+                  type: mrkdwn
+                  text: |
+                    *Syft SPDX license list update failed*
+                    • Workflow: `${{ github.workflow }}`
+                    • Event: `${{ github.event_name }}`
+                    • Job Status: `${{ job.status }}`
+                    • <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Run>
+        if: ${{ failure() && env.SLACK_NOTIFICATIONS == 'true' }}

.github/workflows/validate-github-actions.yaml

@@ -1,8 +1,10 @@
 name: "Validate GitHub Actions"
 
 on:
-  workflow_dispatch:
   pull_request:
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
   push:
     branches:
       - main
@@ -26,8 +28,9 @@ jobs:
           persist-credentials: false
 
       - name: "Run zizmor"
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
         with:
-          # there is a pass/fail gate as a repo ruleset (if there is no ruleset configured then the action will pass by default)
-          advanced-security: true
+          config: .github/zizmor.yml
+          # Disable SARIF upload so the step is a simple pass/fail gate
+          advanced-security: false
           inputs: .github

.github/workflows/validations.yaml

@@ -58,9 +58,6 @@ jobs:
       - name: Run unit tests
         run: make unit
 
-      - name: Check for capability drift
-        run: make check-capability-drift
-
   Integration-Test:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Integration tests"
@@ -109,7 +106,7 @@ jobs:
         run: make snapshot-smoke-test
 
       - name: Upload snapshot artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0
         with:
           name: snapshot
           path: snapshot/
@@ -134,7 +131,7 @@ jobs:
           download-test-fixture-cache: true
 
       - name: Download snapshot artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 #v8.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
         with:
           name: snapshot
           path: snapshot
@@ -178,7 +175,7 @@ jobs:
           download-test-fixture-cache: true
 
       - name: Download snapshot artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 #v8.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
         with:
           name: snapshot
           path: snapshot
@@ -211,7 +208,7 @@ jobs:
           download-test-fixture-cache: true
 
       - name: Download snapshot artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 #v8.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
         with:
           name: snapshot
           path: snapshot

.gitignore

@@ -37,7 +37,6 @@ VERSION
 coverage.txt
 *.log
 **/test-fixtures/test-observations.json
-**/testdata/test-observations.json
 
 # probable archives
 .images

SECURITY.md

@@ -14,23 +14,3 @@ affected versions, and, if known, mitigations for the issue.
 All support will be made on a best effort basis, so please indicate the "urgency level" of the vulnerability as Critical, High, Medium or Low.
 
 For more details, see our [security policy documentation](https://oss.anchore.com/docs/contributing/security/).
-
-## Trust Boundary
-
-Syft is a tool to scan content and product an SBOM. Syft is not a tool designed to scan malicious content. Detecting and properly reporting on purposely malicious artifacts is outside the scope of Syft's expected operating environment.
-
-There are many possible ways for malicious content to cause Syft to become confused or fail to include results in an SBOM. We do not consider this to be a security vulnerability.
-
-**Examples**
-- Removing or altering a package lock file
-- Removing or altering an RPM or DEB database
-- A malicious archive that Syft will skip but the runtime may not
-- Self modifying systems that change state when running
-
-We consider the security trust boundary for Syft to be anything that causes problems for the overall system running Syft, or Syft operating in a way that is dangerous to itself, the system, or the operator.
-
-**Examples**
-- Filling up temp space permanently
-- Syft executing arbitrary code when scanning an artifact
-- Syft leaking secrets from the environment or configuration files into logs or SBOMs
-- Syft operating outside of the expected artifact or directory (directory traversal)

Taskfile.yaml

@@ -8,10 +8,7 @@ vars:
   OWNER: anchore
   PROJECT: syft
 
-  # v1: when fixtures were located at test-fixtures dirs
-  # v2: migration to testdata dirs
-  CACHE_REPO: oss-cache
-  CACHE_IMAGE: ghcr.io/{{ .OWNER }}/{{ .CACHE_REPO }}/syft-test-fixture-cache:v2
+  CACHE_IMAGE: ghcr.io/{{ .OWNER }}/{{ .PROJECT }}/test-fixture-cache:latest
 
   # static file dirs
   TOOL_DIR: .tool
@@ -76,6 +73,7 @@ tasks:
       - task: check-licenses
       - task: lint
       - task: check-json-schema-drift
+      - task: check-capability-drift
       - task: check-binary-fixture-size
 
   test:
@@ -201,7 +199,7 @@ tasks:
   check-binary-fixture-size:
     desc: Ensure that the binary test fixtures are not too large
     cmds:
-      - .github/scripts/check_binary_fixture_size.sh syft/pkg/cataloger/binary/testdata/classifiers/snippets
+      - .github/scripts/check_binary_fixture_size.sh syft/pkg/cataloger/binary/test-fixtures/classifiers/snippets
 
 
   ## Testing tasks #################################
@@ -268,9 +266,9 @@ tasks:
   fingerprints:
     desc: Generate fingerprints for all non-docker test fixture
     silent: true
-    # this will look for `testdata/Makefile` and invoke the `fingerprint` target to calculate all cache input fingerprint files
+    # this will look for `test-fixtures/Makefile` and invoke the `fingerprint` target to calculate all cache input fingerprint files
     generates:
-      - '**/testdata/**/*.fingerprint'
+      - '**/test-fixtures/**/*.fingerprint'
       - test/install/cache.fingerprint
     cmds:
       - |
@@ -279,7 +277,7 @@ tasks:
         RESET='\033[0m'
 
         echo -e "${YELLOW}creating fingerprint files for non-docker fixtures...${RESET}"
-        for dir in $(find . -type d -name 'testdata'); do
+        for dir in $(find . -type d -name 'test-fixtures'); do
           if [ -f "$dir/Makefile" ]; then
             # for debugging...
             #echo -e "${YELLOW}• calculating fingerprints in $dir... ${RESET}"
@@ -372,7 +370,7 @@ tasks:
   build-fixtures:
     desc: Generate all non-docker test fixtures
     silent: true
-    # this will look for `testdata/Makefile` and invoke the `fixtures` target to generate any and all test fixtures
+    # this will look for `test-fixtures/Makefile` and invoke the `fixtures` target to generate any and all test fixtures
     cmds:
       - |
         # we want to stop on the first build error
@@ -383,7 +381,7 @@ tasks:
         RESET='\033[0m'
 
         # Use a for loop with command substitution to avoid subshell issues
-        for dir in $(find . -type d -name 'testdata'); do
+        for dir in $(find . -type d -name 'test-fixtures'); do
           if [ -f "$dir/Makefile" ]; then
             echo -e "${YELLOW}${BOLD}generating fixtures in $dir${RESET}"
             make -C "$dir" fixtures
@@ -425,7 +423,7 @@ tasks:
       done
       oras_command+=" {{ .CACHE_PATHS_FILE }}"
 
-      oras_command+=" --annotation org.opencontainers.image.source=https://github.com/{{ .OWNER }}/{{ .CACHE_REPO }}"
+      oras_command+=" --annotation org.opencontainers.image.source=https://github.com/{{ .OWNER }}/{{ .PROJECT }}"
       oras_command+=" --annotation fingerprint=$(cat {{ .CACHE_PATHS_FILE }} | {{ .YQ }} -r '.digest')"
 
       echo "Executing: $oras_command"
@@ -437,7 +435,7 @@ tasks:
       - "echo 'Docker daemon cache:'"
       - "docker images --format '{{`{{.ID}}`}} {{`{{.Repository}}`}}:{{`{{.Tag}}`}}' | grep stereoscope-fixture- | sort"
       - "echo '\nTar cache:'"
-      - 'find . -type f -wholename "**/testdata/cache/stereoscope-fixture-*.tar" | sort'
+      - 'find . -type f -wholename "**/test-fixtures/cache/stereoscope-fixture-*.tar" | sort'
 
   check-docker-cache:
     desc: Ensure docker caches aren't using too much disk space
@@ -471,7 +469,7 @@ tasks:
       - "cd test/install && make ci-test-mac"
 
   generate-compare-file:
-    cmd: "go run ./cmd/syft {{ .COMPARE_TEST_IMAGE }} -o json > {{ .COMPARE_DIR }}/testdata/acceptance-{{ .COMPARE_TEST_IMAGE }}.json"
+    cmd: "go run ./cmd/syft {{ .COMPARE_TEST_IMAGE }} -o json > {{ .COMPARE_DIR }}/test-fixtures/acceptance-{{ .COMPARE_TEST_IMAGE }}.json"
 
   compare-mac:
     deps: [tmpdir]
@@ -539,16 +537,11 @@ tasks:
     deps:
       - tmpdir
       - fixtures
-    vars:
-      # set REFRESH=true to run package tests first and refresh test observations (default: true)
-      REFRESH: '{{ .REFRESH | default "true" }}'
     cmds:
       # remove all test observations prior to regenerating
       - task: clean-test-observations
-        if: '{{ eq .REFRESH "true" }}'
       # this is required to update test observations; such evidence is used to update the packages/*.yaml
-      - cmd: "go test ./syft/pkg/... -count=1"
-        if: '{{ eq .REFRESH "true" }}'
+      - "go test ./syft/pkg/... -count=1"
       - "go generate ./internal/capabilities/..."
       - "gofmt -s -w ./internal/capabilities"
       # now that we have the latest capabilities, run completeness tests to ensure this is self-consistent
@@ -646,15 +639,6 @@ tasks:
 
   ## Cleanup targets #################################
 
-  clean:
-    desc: Remove all cache files and old builds
-    cmds:
-      - task: clean-snapshot
-      - task: clean-cache
-      - task: clean-test-observations
-      - task: clean-docker-cache
-      - task: clean-oras-cache
-
   clean-snapshot:
     desc: Remove any snapshot builds
     cmds:
@@ -664,7 +648,7 @@ tasks:
   clean-docker-cache:
     desc: Remove all docker cache tars and images from the daemon
     cmds:
-      - find . -type d -wholename "**/testdata/cache" | xargs rm -rf
+      - find . -type d -wholename "**/test-fixtures/cache" | xargs rm -rf
       - docker images --format '{{`{{.ID}}`}} {{`{{.Repository}}`}}' | grep stereoscope-fixture- | awk '{print $1}' | uniq | xargs -r docker rmi --force
 
   clean-oras-cache:
@@ -681,7 +665,7 @@ tasks:
         RESET='\033[0m'
 
         # Use a for loop with command substitution to avoid subshell issues
-        for dir in $(find . -type d -name 'testdata'); do
+        for dir in $(find . -type d -name 'test-fixtures'); do
         if [ -f "$dir/Makefile" ]; then
           echo -e "${YELLOW}${BOLD}deleting ephemeral test fixtures in $dir${RESET}"
           (make -C "$dir" clean)
@@ -691,6 +675,6 @@ tasks:
       - rm -f {{ .LAST_CACHE_PULL_FILE }} {{ .CACHE_PATHS_FILE }}
 
   clean-test-observations:
-    desc: Remove all test observations (i.e. testdata/test-observations.json)
+    desc: Remove all test observations (i.e. test-fixtures/test-observations.json)
     cmds:
-      - find . -type f -wholename "**/testdata/test-observations.json" | xargs rm -f
+      - find . -type f -wholename "**/test-fixtures/test-observations.json" | xargs rm -f

cmd/syft/cli/ui/handle_attestation.go

@@ -219,7 +219,7 @@ func (l attestLogFrame) View() string {
 	sb := strings.Builder{}
 
 	for _, line := range l.lines {
-		fmt.Fprintf(&sb, "     %s %s\n", l.borderStype.Render("░░"), line)
+		sb.WriteString(fmt.Sprintf("     %s %s\n", l.borderStype.Render("░░"), line))
 	}
 
 	return sb.String()

cmd/syft/internal/clio_setup_config.go

@@ -49,7 +49,7 @@ func AppClioSetupConfig(id clio.Identification, out io.Writer) *clio.SetupConfig
 			},
 		).
 		WithPostRuns(func(_ *clio.State, _ error) {
-			stereoscope.Cleanup() //nolint:staticcheck // we don't have access to the image object here
+			stereoscope.Cleanup()
 		})
 	return clioCfg
 }

cmd/syft/internal/commands/scan_test.go

@@ -19,30 +19,30 @@ func Test_scanOptions_validateLegacyOptionsNotUsed(t *testing.T) {
 		},
 		{
 			name: "config file with no legacy options",
-			cfg:  "testdata/scan-configs/no-legacy-options.yaml",
+			cfg:  "test-fixtures/scan-configs/no-legacy-options.yaml",
 		},
 		{
 			name:    "config file with default image pull source legacy option",
-			cfg:     "testdata/scan-configs/with-default-pull-source.yaml",
+			cfg:     "test-fixtures/scan-configs/with-default-pull-source.yaml",
 			wantErr: assertErrorContains("source.image.default-pull-source"),
 		},
 		{
 			name:    "config file with exclude-binary-overlap-by-ownership legacy option",
-			cfg:     "testdata/scan-configs/with-exclude-binary-overlap-by-ownership.yaml",
+			cfg:     "test-fixtures/scan-configs/with-exclude-binary-overlap-by-ownership.yaml",
 			wantErr: assertErrorContains("package.exclude-binary-overlap-by-ownership"),
 		},
 		{
 			name:    "config file with file string legacy option",
-			cfg:     "testdata/scan-configs/with-file-string.yaml",
+			cfg:     "test-fixtures/scan-configs/with-file-string.yaml",
 			wantErr: assertErrorContains("outputs"),
 		},
 		{
 			name: "config file with file section",
-			cfg:  "testdata/scan-configs/with-file-section.yaml",
+			cfg:  "test-fixtures/scan-configs/with-file-section.yaml",
 		},
 		{
 			name:    "config file with base-path legacy option",
-			cfg:     "testdata/scan-configs/with-base-path.yaml",
+			cfg:     "test-fixtures/scan-configs/with-base-path.yaml",
 			wantErr: assertErrorContains("source.base-path"),
 		},
 	}

cmd/syft/internal/commands/update.go

@@ -107,7 +107,7 @@ func fetchLatestApplicationVersion(id clio.Identification) (*hashiVersion.Versio
 		return nil, fmt.Errorf("HTTP %d on fetching latest version: %s", resp.StatusCode, resp.Status)
 	}
 
-	versionBytes, err := io.ReadAll(io.LimitReader(resp.Body, 500))
+	versionBytes, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read latest version: %w", err)
 	}

cmd/syft/internal/options/writer.go

@@ -122,7 +122,7 @@ func formatVersionOptions(nameVersionPairs []string) string {
 	for _, name := range sortedAvailableFormats {
 		s.WriteString("\n")
 
-		fmt.Fprintf(&s, "   - %s", name)
+		s.WriteString(fmt.Sprintf("   - %s", name))
 
 		if len(availableVersions[name]) > 0 {
 			s.WriteString(" @ ")

cmd/syft/internal/test/integration/catalog_packages_test.go

@@ -125,7 +125,7 @@ func TestPkgCoverageImage(t *testing.T) {
 }
 
 func TestPkgCoverageDirectory(t *testing.T) {
-	sbom, _ := catalogDirectory(t, "testdata/image-pkg-coverage")
+	sbom, _ := catalogDirectory(t, "test-fixtures/image-pkg-coverage")
 
 	observedLanguages := strset.New()
 	definedLanguages := strset.New()
@@ -261,7 +261,7 @@ func TestPkgCoverageImage_HasEvidence(t *testing.T) {
 }
 
 func TestPkgCoverageDirectory_HasEvidence(t *testing.T) {
-	sbom, _ := catalogDirectory(t, "testdata/image-pkg-coverage")
+	sbom, _ := catalogDirectory(t, "test-fixtures/image-pkg-coverage")
 
 	var cases []testCase
 	cases = append(cases, commonTestCases...)

cmd/syft/internal/test/integration/files_test.go

@@ -22,7 +22,7 @@ import (
 func TestFileCataloging_Default(t *testing.T) {
 	cfg := options.DefaultCatalog().ToSBOMConfig(clio.Identification{})
 	cfg = cfg.WithFilesConfig(filecataloging.DefaultConfig())
-	sbom, _ := catalogDirectoryWithConfig(t, "testdata/files", cfg)
+	sbom, _ := catalogDirectoryWithConfig(t, "test-fixtures/files", cfg)
 
 	var metadata map[file.Coordinates]file.Metadata
 
@@ -48,13 +48,13 @@ func TestFileCataloging_AllFiles(t *testing.T) {
 			SkipFilesAboveSize: 30,
 		},
 	})
-	sbom, _ := catalogDirectoryWithConfig(t, "testdata/files", cfg)
+	sbom, _ := catalogDirectoryWithConfig(t, "test-fixtures/files", cfg)
 
 	pwd, err := os.Getwd()
 	require.NoError(t, err)
 
 	testPath := func(path string) string {
-		return filepath.Join(pwd, "testdata/files", path)
+		return filepath.Join(pwd, "test-fixtures/files", path)
 	}
 
 	metadata := map[file.Coordinates]file.Metadata{

cmd/syft/internal/test/integration/node_packages_test.go

@@ -11,7 +11,7 @@ import (
 )
 
 func TestNpmPackageLockDirectory(t *testing.T) {
-	sbom, _ := catalogDirectory(t, "testdata/npm-lock")
+	sbom, _ := catalogDirectory(t, "test-fixtures/npm-lock")
 
 	foundPackages := strset.New()
 
@@ -32,7 +32,7 @@ func TestNpmPackageLockDirectory(t *testing.T) {
 }
 
 func TestYarnPackageLockDirectory(t *testing.T) {
-	sbom, _ := catalogDirectory(t, "testdata/yarn-lock")
+	sbom, _ := catalogDirectory(t, "test-fixtures/yarn-lock")
 
 	foundPackages := strset.New()
 	// merge-objects and should-type are devDependencies in package.json and are excluded by default

cmd/syft/internal/test/integration/package_binary_elf_relationships_test.go

@@ -26,7 +26,7 @@ func TestBinaryElfRelationships(t *testing.T) {
 	}
 
 	// run the test...
-	sbom, _ := catalogFixtureImage(t, "elf-testdata", source.SquashedScope)
+	sbom, _ := catalogFixtureImage(t, "elf-test-fixtures", source.SquashedScope)
 
 	// get a mapping of package names to their IDs
 	nameToId := map[string]artifact.ID{}

cmd/syft/internal/test/integration/package_cataloger_convention_test.go

@@ -278,7 +278,7 @@ func packageCatalogerExports(t *testing.T) map[string]exportTokenSet {
 		if info.IsDir() ||
 			!strings.HasSuffix(info.Name(), ".go") ||
 			strings.HasSuffix(info.Name(), "_test.go") ||
-			strings.Contains(path, "testdata") ||
+			strings.Contains(path, "test-fixtures") ||
 			strings.Contains(path, "internal") {
 			return nil
 		}

cmd/syft/internal/test/integration/test-fixtures/.gitignore

@@ -1,5 +1,5 @@
 # we should strive to not commit blobs to the repo and strive to keep the build process of how blobs are acquired in-repo.
-# this blob is generated from syft/syft/catalogers/java/testdata/java-builds , however, preserving the build process
+# this blob is generated from syft/syft/catalogers/java/test-fixtures/java-builds , however, preserving the build process
 # twice in the repo seems redundant (even via symlink). Given that the fixture is a few kilobytes in size, the build process is already
 # captured, and integration tests should only be testing if jars can be discovered (not necessarily depth in java detection
 # functionality), committing it seems like an acceptable exception.

cmd/syft/internal/test/integration/test-fixtures/elf-test-fixtures

@@ -0,0 +1 @@
+../../../../../../syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures

cmd/syft/internal/test/integration/test-fixtures/image-pkg-coverage/pkgs/java/generate-fixtures.md

@@ -0,0 +1 @@
+See the syft/cataloger/java/test-fixtures/java-builds dir to generate test fixtures and copy to here manually.