Compare commits


No commits in common. "main" and "v1.42.3" have entirely different histories.

27 changed files with 443 additions and 290 deletions


@ -1,13 +1,8 @@
# only pull in version updates that were released more than a week ago (low-pass filter for quickly-retracted releases)
cooldown: 7d
tools: tools:
## internal tools ############################################################################
# we want to use a pinned version of binny to manage the toolchain (so binny manages itself!) # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
- name: binny - name: binny
version: version:
want: v0.13.0 want: v0.12.0
method: github-release method: github-release
with: with:
repo: anchore/binny repo: anchore/binny
@ -15,7 +10,7 @@ tools:
# used to produce SBOMs during release # used to produce SBOMs during release
- name: syft - name: syft
version: version:
want: v1.42.3 want: latest
method: github-release method: github-release
with: with:
repo: anchore/syft repo: anchore/syft
@ -28,20 +23,10 @@ tools:
with: with:
repo: anchore/quill repo: anchore/quill
# used at release to generate the changelog
- name: chronicle
version:
want: v0.8.0
method: github-release
with:
repo: anchore/chronicle
## external tools ############################################################################
# used for linting # used for linting
- name: golangci-lint - name: golangci-lint
version: version:
want: v2.11.4 want: v2.11.3
method: github-release method: github-release
with: with:
repo: golangci/golangci-lint repo: golangci/golangci-lint
@ -73,7 +58,7 @@ tools:
# used to release all artifacts # used to release all artifacts
- name: goreleaser - name: goreleaser
version: version:
want: v2.15.2 want: v2.14.3
method: github-release method: github-release
with: with:
repo: goreleaser/goreleaser repo: goreleaser/goreleaser
@ -86,6 +71,14 @@ tools:
with: with:
repo: rinchsan/gosimports repo: rinchsan/gosimports
# used at release to generate the changelog
- name: chronicle
version:
want: v0.8.0
method: github-release
with:
repo: anchore/chronicle
# used during static analysis for license compliance # used during static analysis for license compliance
- name: bouncer - name: bouncer
version: version:
@ -105,7 +98,7 @@ tools:
# used for triggering a release # used for triggering a release
- name: gh - name: gh
version: version:
want: v2.89.0 want: v2.88.1
method: github-release method: github-release
with: with:
repo: cli/cli repo: cli/cli
@ -121,7 +114,7 @@ tools:
# used to upload test fixture cache # used to upload test fixture cache
- name: yq - name: yq
version: version:
want: v4.52.5 want: v4.52.4
method: github-release method: github-release
with: with:
repo: mikefarah/yq repo: mikefarah/yq
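Review bot: The syft entry on the new side resolves with `want: latest` while every other tool in this file is pinned to an exact tag, and the `cooldown:` low-pass filter present at the top of the old side is absent, so the tool that produces the release SBOMs floats to whatever anchore/syft publishes next with no delay behind it. Pin it like its neighbours, e.g. `want: v1.42.3`, and keep `cooldown: 7d` at the top of the file so a quickly retracted release is not pulled in. Whether anything downstream relies on `latest` for syft is outside this hunk.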


@ -23,11 +23,6 @@ updates:
open-pull-requests-limit: 10 open-pull-requests-limit: 10
labels: labels:
- "dependencies" - "dependencies"
ignore:
- dependency-name: "github.com/aquasecurity/go-pep440-version"
- dependency-name: "github.com/aquasecurity/go-version"
- dependency-name: "github.com/knqyf263/go-apk-version"
- dependency-name: "github.com/knqyf263/go-deb-version"
groups: groups:
go-minor-patch: go-minor-patch:
applies-to: version-updates # security updates get individual PRs applies-to: version-updates # security updates get individual PRs
@ -40,7 +35,7 @@ updates:
- package-ecosystem: "github-actions" - package-ecosystem: "github-actions"
directories: directories:
- "/" - "/"
- "/.github/actions/*" - "/.github/actions/bootstrap"
cooldown: cooldown:
default-days: 7 default-days: 7
schedule: schedule:
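Review bot: The github-actions ecosystem on the new side only watches `/` and `/.github/actions/bootstrap`, so SHA-pinned `uses:` lines in any other composite action under `.github/actions/` would receive no Dependabot updates; the validate workflow in this same compare lints `.github/actions/**`, which suggests more than one may exist. If so, list each one or use the glob form `- "/.github/actions/*"`. The `updates:` entry this belongs to starts outside the hunk.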

.github/workflows/codeql-analysis.yml vendored Normal file

@ -0,0 +1,76 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
name: "CodeQL Security Scan"
on:
push:
branches:
# only run when there are pushes to the main branch (not on PRs)
- main
schedule:
- cron: '0 0 * * 3'
permissions:
contents: read
jobs:
analyze:
name: Analyze
runs-on: ubuntu-22.04-4core-16gb
if: github.repository == 'anchore/syft' # only run for main repo
permissions:
security-events: write
strategy:
fail-fast: false
matrix:
# Override automatic language detection by changing the below list
# Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
language: ['go', 'python']
# Learn more...
# https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
with:
go-version-file: go.mod
check-latest: true
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
# Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language
#- run: |
# make bootstrap
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
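Review bot: The job-level `permissions:` block on `analyze` lists only `security-events: write`, and a job-level block replaces the workflow-level one rather than extending it, so the job runs without the `contents: read` granted at the top of the file; declare `contents: read` alongside `security-events: write`, as the CPE-index job elsewhere in this compare does. The workflow also triggers only on `push` to main and a weekly cron, so CodeQL findings surface after merge rather than on the pull request that introduces them; a `pull_request:` trigger on `main` would gate them earlier. The `queries:` commentary and the disabled manual-build snippet could be trimmed to the lines that apply to this repository, since the template text is most of the file.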


@ -1,81 +0,0 @@
# CodeQL scans for security vulnerabilities and coding errors across all
# languages in this repo. Results appear in the "Security" tab under
# "Code scanning alerts" and are enforced by branch protection rules.
name: "CodeQL"
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
# Weekly scheduled scan catches newly disclosed vulnerabilities in
# existing code, not just changes introduced by PRs.
schedule:
- cron: '38 11 * * 3'
jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest
permissions:
# Required to upload SARIF results to the "Security" tab.
security-events: write
# Required to fetch internal or private CodeQL packs.
packages: read
# Only required for workflows in private repositories.
actions: read
contents: read
strategy:
fail-fast: false
matrix:
include:
# GitHub Actions workflow linting — no build needed.
- language: actions
build-mode: none
# Go uses "manual" build mode so we control exactly what gets
# compiled. The default "autobuild" finds the Makefile and runs
# the full CI pipeline (lint, test, snapshot release, etc.),
# which is far more work than CodeQL needs. All it requires is
# compiled Go source so it can build a type-resolved code graph
# for analysis.
- language: go
build-mode: manual
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
# Pin the Go toolchain to whatever go.mod declares so CodeQL
# analyzes with the same version the project actually uses.
# Only runs for the Go matrix entry.
- name: Setup Go
if: matrix.language == 'go'
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version-file: go.mod
- name: Initialize CodeQL
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# Minimal build for Go: compile all packages so CodeQL gets a full
# type-resolved code graph for analysis.
- name: Build (Go)
if: matrix.build-mode == 'manual'
shell: bash
run: go build ./...
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
# The category tag lets GitHub associate SARIF results with the
# correct language when branch protection checks for required
# code scanning results.
category: "/language:${{matrix.language}}"


@ -1,5 +1,3 @@
# Note: this workflow has been disabled manually in the UI and will be replaced in short order
name: "Detect schema changes" name: "Detect schema changes"
on: on:
@ -39,8 +37,6 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with: with:
persist-credentials: false persist-credentials: false
repository: anchore/syft # IMPORTANT! An additional protection that this is checking out code from the expected repository
ref: main # IMPORTANT! It is CRITICAL that this only ever considers the code from main and NEVER EVER from a fork.
- run: python .github/scripts/labeler.py - run: python .github/scripts/labeler.py
env: env:
@ -50,7 +46,7 @@ jobs:
- name: Delete existing comment - name: Delete existing comment
if: ${{ hashFiles( env.CI_COMMENT_FILE ) == '' }} if: ${{ hashFiles( env.CI_COMMENT_FILE ) == '' }}
uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 #v3.0.2 uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 #v2.9.4
with: with:
header: ${{ env.COMMENT_HEADER }} header: ${{ env.COMMENT_HEADER }}
hide: true hide: true
@ -58,7 +54,7 @@ jobs:
- name: Add comment - name: Add comment
if: ${{ hashFiles( env.CI_COMMENT_FILE ) != '' }} if: ${{ hashFiles( env.CI_COMMENT_FILE ) != '' }}
uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 #v3.0.2 uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 #v2.9.4
with: with:
header: ${{ env.COMMENT_HEADER }} header: ${{ env.COMMENT_HEADER }}
path: ${{ env.CI_COMMENT_FILE }} path: ${{ env.CI_COMMENT_FILE }}
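Review bot: The checkout step on the new side has no `repository:`/`ref:`, so the `python .github/scripts/labeler.py` that runs next comes from whatever `github.ref` resolves to for the triggering event; the `on:` block is outside the hunk, but a job that posts sticky comments on pull requests is typically `pull_request_target`, where an explicit base pin is the safeguard that keeps the job's token and the executed script on the trusted branch. Add `repository: anchore/syft` and `ref: main` under the existing `persist-credentials: false`, each with a comment stating why. The enclosing job starts outside the hunk.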


@ -193,7 +193,7 @@ jobs:
artifact-name: sbom.spdx.json artifact-name: sbom.spdx.json
- name: Notify Slack of new release - name: Notify Slack of new release
uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 #v3.0.1 uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a #v2.1.1
continue-on-error: true continue-on-error: true
with: with:
webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }} webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}


@ -0,0 +1,48 @@
name: "Test fixture cache: publish"
on:
workflow_dispatch:
schedule:
# run nightly at 4AM UTC
- cron: "0 4 * * *"
permissions:
contents: read
jobs:
Publish:
name: "Publish test fixture image cache"
# runs-on.com: general purpose instances for building test fixture cache
# spot disabled: can run up to an hour, avoid interruptions
# s3-cache: faster actions cache
# family: note that m*d instances have local nvme storage which is beneficial for building large test fixture images
runs-on: "runs-on=${{ github.run_id }}/cpu=8+16/ram=32+64/family=m5d+m5ad+m5dn+m6gd+m6id+m6idn+m7gd+m8gd/spot=false/extras=s3-cache"
if: github.repository == 'anchore/syft' # only run for main repo
permissions:
packages: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
with:
# we want to rebuild the cache with no previous state
download-test-fixture-cache: false
- name: Run all tests
run: |
make test
env:
# we want to rebuild the cache with no previous state
DOWNLOAD_TEST_FIXTURE_CACHE: "false"
- name: Login to GitHub Container Registry (ORAS)
run: echo "${{ secrets.GITHUB_TOKEN }}" | .tool/oras login ghcr.io -u "$ACTOR" --password-stdin
env:
ACTOR: ${{ github.actor }}
- name: Publish test fixture cache
run: make upload-test-fixture-cache
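Review bot: The ORAS login step interpolates `${{ secrets.GITHUB_TOKEN }}` directly into the shell `run:` line while `ACTOR` is correctly passed through `env:`; expression expansion happens before bash sees the command, so the value lands in the rendered script instead of a variable. Pass it the same way: `run: echo "$GHCR_TOKEN" | .tool/oras login ghcr.io -u "$ACTOR" --password-stdin` with `GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under `env:`; the same pattern appears in the CPE-index workflow's login step further down. Separately, the job-level `permissions: packages: write` replaces the workflow-level `contents: read` rather than adding to it, so add `contents: read` at the job level too, as the CPE-index job does.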


@ -0,0 +1,51 @@
name: PR to update Anchore dependencies
on:
workflow_dispatch:
inputs:
repos:
description: "List of dependencies to update"
required: true
type: string
permissions:
contents: read
jobs:
update:
runs-on: ubuntu-latest
if: github.repository_owner == 'anchore' # only run for main repo (not forks)
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
with:
tools: false
bootstrap-apt-packages: ""
- name: Update dependencies
id: update
uses: anchore/workflows/.github/actions/update-go-dependencies@main
with:
repos: ${{ github.event.inputs.repos }}
- uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
id: generate-token
with:
app-id: ${{ secrets.TOKEN_APP_ID }}
private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
- uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0
with:
signoff: true
delete-branch: true
draft: ${{ steps.update.outputs.draft }}
# do not change this branch, as other workflows depend on it
branch: auto/integration
labels: dependencies,pre-release
commit-message: "chore(deps): update anchore dependencies"
title: "chore(deps): update anchore dependencies"
body: ${{ steps.update.outputs.summary }}
token: ${{ steps.generate-token.outputs.token }}
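Review bot: The update step uses `anchore/workflows/.github/actions/update-go-dependencies@main`, a mutable branch ref, while every other action in this workflow is pinned to a commit SHA with a version comment; a branch pin means the code that runs in this job, whose outputs feed the PR body and draft flag, can change without any review here. Pin it to a commit, `uses: anchore/workflows/.github/actions/update-go-dependencies@<commit-sha> # <tag>` (placeholders, to be resolved against that repository). The `if:` guard checks `github.repository_owner == 'anchore'` whereas the sibling workflows in this compare check `github.repository == 'anchore/syft'`; either works, but one convention would be easier to audit.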


@ -0,0 +1,67 @@
name: PR for latest versions of tools
on:
schedule:
- cron: "0 8 * * *" # 3 AM EST
workflow_dispatch:
permissions:
contents: read
jobs:
update-bootstrap-tools:
runs-on: ubuntu-latest
if: github.repository == 'anchore/syft' # only run for main repo
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
with:
bootstrap-apt-packages: ""
go-dependencies: false
- name: "Update tool versions"
id: latest-versions
run: |
make update-tools
make list-tools
export NO_COLOR=1
delimiter="$(openssl rand -hex 8)"
{
echo "status<<${delimiter}"
make list-tool-updates
echo "${delimiter}"
} >> $GITHUB_OUTPUT
{
echo "### Tool version status"
echo "\`\`\`"
make list-tool-updates
echo "\`\`\`"
} >> $GITHUB_STEP_SUMMARY
- uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
id: generate-token
with:
app-id: ${{ secrets.TOKEN_APP_ID }}
private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
- uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0
with:
signoff: true
delete-branch: true
branch: auto/latest-tools
labels: dependencies
commit-message: 'chore(deps): update tools to latest versions'
title: 'chore(deps): update tools to latest versions'
body: |
```
${{ steps.latest-versions.outputs.status }}
```
This is an auto-generated pull request to update all of the tools to the latest versions.
token: ${{ steps.generate-token.outputs.token }}
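Review bot: The two redirects in the `Update tool versions` step, `} >> $GITHUB_OUTPUT` and `} >> $GITHUB_STEP_SUMMARY`, leave the target unquoted; quote them as `} >> "$GITHUB_OUTPUT"` and `} >> "$GITHUB_STEP_SUMMARY"`, which is what shellcheck asks for and matches the quoting used for `delimiter` in the same script. The random delimiter is the right way to stop `make list-tool-updates` output from terminating the multi-line output value early; a short comment would make that intent clear to the next reader, e.g. `# random delimiter so tool output cannot close the multi-line value early`.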


@ -0,0 +1,84 @@
name: PR to update CPE dictionary index
on:
schedule:
- cron: "0 1 * * 1" # every monday at 1 AM
workflow_dispatch:
permissions:
contents: read
env:
SLACK_NOTIFICATIONS: true
jobs:
upgrade-cpe-dictionary-index:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
if: github.repository == 'anchore/syft' # only run for main repo
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
id: bootstrap
- name: Login to GitHub Container Registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | .tool/oras login ghcr.io -u "$ACTOR" --password-stdin
env:
ACTOR: ${{ github.actor }}
- name: Pull CPE cache from registry
run: make generate:cpe-index:cache:pull
- name: Update CPE cache from NVD API
run: make generate:cpe-index:cache:update
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
- name: Generate CPE dictionary index
run: make generate:cpe-index:build
- name: Push updated CPE cache to registry
run: make generate:cpe-index:cache:push
- uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
id: generate-token
with:
app-id: ${{ secrets.TOKEN_APP_ID }}
private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
- uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0
with:
signoff: true
delete-branch: true
branch: auto/latest-cpe-dictionary-index
labels: dependencies
commit-message: "chore(deps): update CPE dictionary index"
title: "chore(deps): update CPE dictionary index"
body: |
Update CPE dictionary index based on the latest available CPE dictionary
token: ${{ steps.generate-token.outputs.token }}
- name: Notify Slack on failure
uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a #v2.1.1
with:
webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
webhook-type: incoming-webhook
payload: |
text: "Syft CPE dictionary index update failed"
blocks:
- type: section
text:
type: mrkdwn
text: |
*Syft CPE dictionary index update failed*
• Workflow: `${{ github.workflow }}`
• Event: `${{ github.event_name }}`
• Job Status: `${{ job.status }}`
• <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Run>
if: ${{ failure() && env.SLACK_NOTIFICATIONS == 'true' }}
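Review bot: `SLACK_NOTIFICATIONS: true` in the workflow `env:` is an unquoted YAML boolean that the final step compares against the string `'true'`; GitHub stringifies env values so it works today, but quoting it, `SLACK_NOTIFICATIONS: "true"`, makes the intent explicit and keeps YAML linters from flagging a truthy value. The same unquoted value appears in the SPDX license list workflow below. The step-level `if:` sitting after a long `payload:` block is easy to miss; placing it directly under `name:` would read more clearly.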


@ -0,0 +1,64 @@
name: PR to update SPDX license list
on:
schedule:
- cron: "0 6 * * 1" # every monday at 6 AM UTC
workflow_dispatch:
permissions:
contents: read
env:
SLACK_NOTIFICATIONS: true
jobs:
upgrade-spdx-license-list:
runs-on: ubuntu-latest
if: github.repository == 'anchore/syft' # only run for main repo
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
- run: |
make generate-license-list
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
id: generate-token
with:
app_id: ${{ secrets.TOKEN_APP_ID }}
private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
- uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0
with:
signoff: true
delete-branch: true
branch: auto/latest-spdx-license-list
labels: dependencies
commit-message: "chore(deps): update SPDX license list"
title: "chore(deps): update SPDX license list"
body: |
Update SPDX license list based on the latest available list from spdx.org
token: ${{ steps.generate-token.outputs.token }}
- name: Notify Slack on failure
uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a #v2.1.1
with:
webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
webhook-type: incoming-webhook
payload: |
text: "Syft SPDX license list update failed"
blocks:
- type: section
text:
type: mrkdwn
text: |
*Syft SPDX license list update failed*
• Workflow: `${{ github.workflow }}`
• Event: `${{ github.event_name }}`
• Job Status: `${{ job.status }}`
• <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Run>
if: ${{ failure() && env.SLACK_NOTIFICATIONS == 'true' }}
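Review bot: The token step uses `tibdex/github-app-token` with `app_id`/`private_key`, whereas the three other new workflows in this compare mint the same credential with `actions/create-github-app-token`; using one action for the same token keeps its pin, and the Dependabot updates to it, in one place. Swap to `uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1` with `app-id: ${{ secrets.TOKEN_APP_ID }}` and `private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}`, keeping `id: generate-token` so the `token:` reference below still resolves.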


@ -1,8 +1,10 @@
name: "Validate GitHub Actions" name: "Validate GitHub Actions"
on: on:
workflow_dispatch:
pull_request: pull_request:
paths:
- '.github/workflows/**'
- '.github/actions/**'
push: push:
branches: branches:
- main - main
@ -26,8 +28,9 @@ jobs:
persist-credentials: false persist-credentials: false
- name: "Run zizmor" - name: "Run zizmor"
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
with: with:
# there is a pass/fail gate as a repo ruleset (if there is no ruleset configured then the action will pass by default) config: .github/zizmor.yml
advanced-security: true # Disable SARIF upload so the step is a simple pass/fail gate
advanced-security: false
inputs: .github inputs: .github
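Review bot: The new `paths:` filter on `pull_request` covers `.github/workflows/**` and `.github/actions/**` but not `.github/zizmor.yml`, which the `config:` line added in the second hunk points at, so a PR that only edits the zizmor configuration (say, to add an ignore rule) will not run the check that the configuration governs. Add `- '.github/zizmor.yml'` to the list. The rest of the `on:` block, including whether `push` carries its own path filter, is outside the hunk.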


@ -14,23 +14,3 @@ affected versions, and, if known, mitigations for the issue.
All support will be made on a best effort basis, so please indicate the "urgency level" of the vulnerability as Critical, High, Medium or Low. All support will be made on a best effort basis, so please indicate the "urgency level" of the vulnerability as Critical, High, Medium or Low.
For more details, see our [security policy documentation](https://oss.anchore.com/docs/contributing/security/). For more details, see our [security policy documentation](https://oss.anchore.com/docs/contributing/security/).
## Trust Boundary
Syft is a tool to scan content and product an SBOM. Syft is not a tool designed to scan malicious content. Detecting and properly reporting on purposely malicious artifacts is outside the scope of Syft's expected operating environment.
There are many possible ways for malicious content to cause Syft to become confused or fail to include results in an SBOM. We do not consider this to be a security vulnerability.
**Examples**
- Removing or altering a package lock file
- Removing or altering an RPM or DEB database
- A malicious archive that Syft will skip but the runtime may not
- Self modifying systems that change state when running
We consider the security trust boundary for Syft to be anything that causes problems for the overall system running Syft, or Syft operating in a way that is dangerous to itself, the system, or the operator.
**Examples**
- Filling up temp space permanently
- Syft executing arbitrary code when scanning an artifact
- Syft leaking secrets from the environment or configuration files into logs or SBOMs
- Syft operating outside of the expected artifact or directory (directory traversal)


@ -10,8 +10,7 @@ vars:
# v1: when fixtures were located at test-fixtures dirs # v1: when fixtures were located at test-fixtures dirs
# v2: migration to testdata dirs # v2: migration to testdata dirs
CACHE_REPO: oss-cache CACHE_IMAGE: ghcr.io/{{ .OWNER }}/{{ .PROJECT }}/test-fixture-cache:v2
CACHE_IMAGE: ghcr.io/{{ .OWNER }}/{{ .CACHE_REPO }}/syft-test-fixture-cache:v2
# static file dirs # static file dirs
TOOL_DIR: .tool TOOL_DIR: .tool
@ -425,7 +424,7 @@ tasks:
done done
oras_command+=" {{ .CACHE_PATHS_FILE }}" oras_command+=" {{ .CACHE_PATHS_FILE }}"
oras_command+=" --annotation org.opencontainers.image.source=https://github.com/{{ .OWNER }}/{{ .CACHE_REPO }}" oras_command+=" --annotation org.opencontainers.image.source=https://github.com/{{ .OWNER }}/{{ .PROJECT }}"
oras_command+=" --annotation fingerprint=$(cat {{ .CACHE_PATHS_FILE }} | {{ .YQ }} -r '.digest')" oras_command+=" --annotation fingerprint=$(cat {{ .CACHE_PATHS_FILE }} | {{ .YQ }} -r '.digest')"
echo "Executing: $oras_command" echo "Executing: $oras_command"

go.mod

@ -37,7 +37,7 @@ require (
github.com/elliotchance/phpserialize v1.4.0 github.com/elliotchance/phpserialize v1.4.0
github.com/facebookincubator/nvdtools v0.1.5 github.com/facebookincubator/nvdtools v0.1.5
github.com/github/go-spdx/v2 v2.4.0 github.com/github/go-spdx/v2 v2.4.0
github.com/gkampitakis/go-snaps v0.5.21 github.com/gkampitakis/go-snaps v0.5.20
github.com/go-git/go-billy/v5 v5.8.0 github.com/go-git/go-billy/v5 v5.8.0
github.com/go-git/go-git/v5 v5.17.0 github.com/go-git/go-git/v5 v5.17.0
github.com/go-test/deep v1.1.1 github.com/go-test/deep v1.1.1
@ -88,7 +88,7 @@ require (
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
golang.org/x/mod v0.34.0 golang.org/x/mod v0.34.0
golang.org/x/net v0.52.0 golang.org/x/net v0.52.0
modernc.org/sqlite v1.46.2 modernc.org/sqlite v1.46.1
) )
require ( require (
@ -263,7 +263,7 @@ require (
google.golang.org/protobuf v1.36.11 // indirect google.golang.org/protobuf v1.36.11 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v3 v3.0.1 gopkg.in/yaml.v3 v3.0.1
modernc.org/libc v1.70.0 // indirect modernc.org/libc v1.67.6 // indirect
modernc.org/mathutil v1.7.1 // indirect modernc.org/mathutil v1.7.1 // indirect
modernc.org/memory v1.11.0 // indirect modernc.org/memory v1.11.0 // indirect
) )

go.sum

@ -414,8 +414,8 @@ github.com/github/go-spdx/v2 v2.4.0 h1:+4IwVwJJbm3rzvrQ6P1nI9BDMcy3la4RchRy5uehV
github.com/github/go-spdx/v2 v2.4.0/go.mod h1:/5rwgS0txhGtRdUZwc02bTglzg6HK3FfuEbECKlK2Sg= github.com/github/go-spdx/v2 v2.4.0/go.mod h1:/5rwgS0txhGtRdUZwc02bTglzg6HK3FfuEbECKlK2Sg=
github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs= github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs=
github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
github.com/gkampitakis/go-snaps v0.5.21 h1:SvhSFeZviQXwlT+dnGyAIATVehkhqRVW6qfQZhCZH+Y= github.com/gkampitakis/go-snaps v0.5.20 h1:FGKonEeQPJ12t7RQj6cTPa881fl5c8HYarMLv5vP7sg=
github.com/gkampitakis/go-snaps v0.5.21/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs= github.com/gkampitakis/go-snaps v0.5.20/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs=
github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4= github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4=
github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0= github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0=
github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c= github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
@ -1514,18 +1514,18 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis= modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0= modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
modernc.org/ccgo/v4 v4.32.0 h1:hjG66bI/kqIPX1b2yT6fr/jt+QedtP2fqojG2VrFuVw= modernc.org/ccgo/v4 v4.30.1 h1:4r4U1J6Fhj98NKfSjnPUN7Ze2c6MnAdL0hWw6+LrJpc=
modernc.org/ccgo/v4 v4.32.0/go.mod h1:6F08EBCx5uQc38kMGl+0Nm0oWczoo1c7cgpzEry7Uc0= modernc.org/ccgo/v4 v4.30.1/go.mod h1:bIOeI1JL54Utlxn+LwrFyjCx2n2RDiYEaJVSrgdrRfM=
modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM= modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU= modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI= modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito= modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo= modernc.org/gc/v3 v3.1.1 h1:k8T3gkXWY9sEiytKhcgyiZ2L0DTyCQ/nvX+LoCljoRE=
modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY= modernc.org/gc/v3 v3.1.1/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks= modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI= modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
modernc.org/libc v1.70.0 h1:U58NawXqXbgpZ/dcdS9kMshu08aiA6b7gusEusqzNkw= modernc.org/libc v1.67.6 h1:eVOQvpModVLKOdT+LvBPjdQqfrZq+pC39BygcT+E7OI=
modernc.org/libc v1.70.0/go.mod h1:OVmxFGP1CI/Z4L3E0Q3Mf1PDE0BucwMkcXjjLntvHJo= modernc.org/libc v1.67.6/go.mod h1:JAhxUVlolfYDErnwiqaLvUqc8nfb2r6S6slAgZOnaiE=
modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU= modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg= modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI= modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
@ -1534,8 +1534,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns= modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w= modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE= modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
modernc.org/sqlite v1.46.2 h1:gkXQ6R0+AjxFC/fTDaeIVLbNLNrRoOK7YYVz5BKhTcE= modernc.org/sqlite v1.46.1 h1:eFJ2ShBLIEnUWlLy12raN0Z1plqmFX9Qe3rjQTKt6sU=
modernc.org/sqlite v1.46.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig= modernc.org/sqlite v1.46.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0= modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A= modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y= modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=


@ -61,28 +61,6 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
Metadata: metadata("arangodb-binary"), Metadata: metadata("arangodb-binary"),
}, },
}, },
{
logicalFixture: "arangodb/3.12.5/linux-amd64",
expected: pkg.Package{
Name: "arangodb",
Version: "3.12.5",
Type: "binary",
PURL: "pkg:generic/arangodb@3.12.5",
Locations: locations("arangosh"),
Metadata: metadata("arangodb-binary"),
},
},
{
logicalFixture: "arangodb/3.12.5-2/linux-amd64",
expected: pkg.Package{
Name: "arangodb",
Version: "3.12.5-2",
Type: "binary",
PURL: "pkg:generic/arangodb@3.12.5-2",
Locations: locations("arangosh"),
Metadata: metadata("arangodb-binary"),
},
},
{ {
logicalFixture: "postgres/15beta4/linux-amd64", logicalFixture: "postgres/15beta4/linux-amd64",
expected: pkg.Package{ expected: pkg.Package{
@ -749,16 +727,6 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
{ {
// TODO: find original binary... // TODO: find original binary...
// note: cannot find the original binary, using a custom snippet based on the original snippet in the repo // note: cannot find the original binary, using a custom snippet based on the original snippet in the repo
logicalFixture: "go-version-hint/1.15-dev/any",
expected: pkg.Package{
Name: "go",
Version: "1.15",
PURL: "pkg:generic/go@1.15",
Locations: locations("bin/go", "VERSION"),
Metadata: metadata("go-binary"),
},
},
{
logicalFixture: "go-version-hint/1.15/any", logicalFixture: "go-version-hint/1.15/any",
expected: pkg.Package{ expected: pkg.Package{
Name: "go", Name: "go",


@ -76,10 +76,10 @@ func DefaultClassifiers() []binutils.Classifier {
`(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+)?)\x00`), `(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+)?)\x00`),
binutils.SupportingEvidenceMatcher("VERSION*", binutils.SupportingEvidenceMatcher("VERSION*",
m.FileContentsVersionMatcher( m.FileContentsVersionMatcher(
`(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+|-[_0-9a-z]+)?)`)), `(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+|-[_0-9a-z]+)?)\s`)),
binutils.SupportingEvidenceMatcher("../VERSION*", binutils.SupportingEvidenceMatcher("../VERSION*",
m.FileContentsVersionMatcher( m.FileContentsVersionMatcher(
`(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+|-[_0-9a-z]+)?)`)), `(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+|-[_0-9a-z]+)?)\s`)),
), ),
Package: "go", Package: "go",
PURL: mustPURL("pkg:generic/go@version"), PURL: mustPURL("pkg:generic/go@version"),
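Review bot: The VERSION-file matchers on lines 765 and 768 end in `\s`, so a VERSION file whose content stops right after the version (no trailing newline) produces no match, while the binary-string matcher on line 762 is terminated by `\x00` and is unaffected. Whether a missing supporting match only drops evidence or loses the version depends on SupportingEvidenceMatcher, which is outside the hunk; either way a version can silently go absent from the SBOM and from any downstream vulnerability match, which is the failure mode a classifier should avoid. Accepting end of input as well as whitespace keeps the tightening without the gap: replace the trailing `\s` on both lines with `(?:\s|\z)`, and add a fixture whose VERSION file has no trailing newline. DefaultClassifiers begins and ends outside the hunk.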
@ -232,7 +232,7 @@ func DefaultClassifiers() []binutils.Classifier {
Class: "arangodb-binary", Class: "arangodb-binary",
FileGlob: "**/arangosh", FileGlob: "**/arangosh",
EvidenceMatcher: m.FileContentsVersionMatcher( EvidenceMatcher: m.FileContentsVersionMatcher(
`(?m)\x00*(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?)\s(enterprise\s)?\[linux\]`), `(?m)\x00*(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?)\s\[linux\]`),
Package: "arangodb", Package: "arangodb",
PURL: mustPURL("pkg:generic/arangodb@version"), PURL: mustPURL("pkg:generic/arangodb@version"),
CPEs: singleCPE("cpe:2.3:a:arangodb:arangodb:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource), CPEs: singleCPE("cpe:2.3:a:arangodb:arangodb:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),


@ -151,4 +151,4 @@ while $CONTINUE_LOOP; do
done done
go run ../internal/manager write-snippet "$BINARY_FILE" --offset "$OFFSET" --length "$LENGTH" --name "$GROUP_NAME" --version "$VERSION" go run ./manager write-snippet "$BINARY_FILE" --offset "$OFFSET" --length "$LENGTH" --name "$GROUP_NAME" --version "$VERSION"
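Review bot: `go run ./manager` on line 785 resolves relative to the caller's working directory rather than the script's location, so the snippet writer is only found when the script is run from the directory containing `manager`; the rest of the script is outside the hunk, so whether it changes directory first is not visible. If it does not, anchoring on the script's own path makes the invocation location-independent, e.g. `go run "$(dirname "$0")/manager" write-snippet "$BINARY_FILE" --offset "$OFFSET" --length "$LENGTH" --name "$GROUP_NAME" --version "$VERSION"`.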


@ -1 +0,0 @@
no version in this binary


@ -458,20 +458,6 @@ from-images:
platform: linux/amd64 platform: linux/amd64
paths: paths:
- /usr/bin/arangosh - /usr/bin/arangosh
- name: arangodb
version: 3.12.5
images:
- ref: arangodb:3.12.5@sha256:1f9278fe17b200cf3aea2c7bd7fd571221b5b41a49b835a397c47eb970c952d6
platform: linux/amd64
paths:
- /usr/bin/arangosh
- name: arangodb
version: 3.12.5-2
images:
- ref: arangodb:3.12.5.2@sha256:5b0d1d2911ea864ea61d7e2357789004fe912606f5980cf481739601d7cb17a1
platform: linux/amd64
paths:
- /usr/bin/arangosh
- version: 15.1 - version: 15.1
images: images:
- ref: postgres:15.1@sha256:b4140dd3a62f364f16a82c1bd88d28b9887ecb47f07dbe2941237d073574d428 - ref: postgres:15.1@sha256:b4140dd3a62f364f16a82c1bd88d28b9887ecb47f07dbe2941237d073574d428
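Review bot: `version: 15.1` on line 812 is an unquoted scalar that YAML parsers type as a float, unlike the `3.12.x`-style values in this list which can only be strings; a value such as `15.10` would collapse to `15.1` under any consumer that does not preserve the literal text. Quoting version values, `version: "15.1"`, keeps them strings regardless of the decoder and matches how the digest-pinned `ref:` values are already written as plain strings. The enclosing `from-images` list begins and ends outside the hunk.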


@ -22,9 +22,6 @@
"github.com/apptainer/apptainer": [ "github.com/apptainer/apptainer": [
"cpe:2.3:a:lfprojects:apptainer:*:*:*:*:*:go:*:*" "cpe:2.3:a:lfprojects:apptainer:*:*:*:*:*:go:*:*"
], ],
"github.com/aquasecurity/trivy/pkg/types": [
"cpe:2.3:a:aquasec:trivy:*:*:*:*:*:go:*:*"
],
"github.com/argoproj/argo-workflows/v3": [ "github.com/argoproj/argo-workflows/v3": [
"cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*" "cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*"
], ],
@ -55,12 +52,6 @@
"github.com/ecnepsnai/web": [ "github.com/ecnepsnai/web": [
"cpe:2.3:a:web_project:web:*:*:*:*:*:go:*:*" "cpe:2.3:a:web_project:web:*:*:*:*:*:go:*:*"
], ],
"github.com/free5gc/amf": [
"cpe:2.3:a:free5gc:amf:*:*:*:*:*:go:*:*"
],
"github.com/free5gc/go-upf": [
"cpe:2.3:a:free5gc:go-upf:*:*:*:*:*:go:*:*"
],
"github.com/free5gc/smf": [ "github.com/free5gc/smf": [
"cpe:2.3:a:free5gc:smf:*:*:*:*:*:go:*:*" "cpe:2.3:a:free5gc:smf:*:*:*:*:*:go:*:*"
], ],
@ -1274,9 +1265,6 @@
"literate": [ "literate": [
"cpe:2.3:a:jenkins:literate:*:*:*:*:*:jenkins:*:*" "cpe:2.3:a:jenkins:literate:*:*:*:*:*:jenkins:*:*"
], ],
"loadninja": [
"cpe:2.3:a:jenkins:loadninja:*:*:*:*:*:jenkins:*:*"
],
"lockable-resources": [ "lockable-resources": [
"cpe:2.3:a:jenkins:lockable_resources:*:*:*:*:*:jenkins:*:*" "cpe:2.3:a:jenkins:lockable_resources:*:*:*:*:*:jenkins:*:*"
], ],
@ -2326,9 +2314,6 @@
"@ckeditor/ckeditor5-widget": [ "@ckeditor/ckeditor5-widget": [
"cpe:2.3:a:ckeditor:ckeditor5-widget:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:ckeditor:ckeditor5-widget:*:*:*:*:*:node.js:*:*"
], ],
"@coding-solo/godot-mcp": [
"cpe:2.3:a:coding-solo:godot_mcp:*:*:*:*:*:*:*:*"
],
"@cookiex/deep": [ "@cookiex/deep": [
"cpe:2.3:a:cookiex-deep_project:cookiex-deep:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:cookiex-deep_project:cookiex-deep:*:*:*:*:*:node.js:*:*"
], ],
@ -2492,12 +2477,6 @@
"@thi.ng/egf": [ "@thi.ng/egf": [
"cpe:2.3:a:\\@thi.ng\\/egf_project:\\@thi.ng\\/egf:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:\\@thi.ng\\/egf_project:\\@thi.ng\\/egf:*:*:*:*:*:node.js:*:*"
], ],
"@tinacms/cli": [
"cpe:2.3:a:ssw:tinacms\\/cli:*:*:*:*:*:node.js:*:*"
],
"@tinacms/graphql": [
"cpe:2.3:a:ssw:tinacms\\/graphql:*:*:*:*:*:node.js:*:*"
],
"@tiptap/extension-link": [ "@tiptap/extension-link": [
"cpe:2.3:a:tiptap:tiptap\\/extension-link:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:tiptap:tiptap\\/extension-link:*:*:*:*:*:node.js:*:*"
], ],
@ -3097,9 +3076,6 @@
"defaults-deep": [ "defaults-deep": [
"cpe:2.3:a:defaults-deep_project:defaults-deep:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:defaults-deep_project:defaults-deep:*:*:*:*:*:node.js:*:*"
], ],
"defuddle": [
"cpe:2.3:a:kepano:defuddle:*:*:*:*:*:node.js:*:*"
],
"desafio": [ "desafio": [
"cpe:2.3:a:desafio_project:desafio:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:desafio_project:desafio:*:*:*:*:*:node.js:*:*"
], ],
@ -3303,9 +3279,6 @@
"express-openid-connect": [ "express-openid-connect": [
"cpe:2.3:a:auth0:express_openid_connect:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:auth0:express_openid_connect:*:*:*:*:*:node.js:*:*"
], ],
"express-rate-limit": [
"cpe:2.3:a:express-rate-limit:express-rate-limit:*:*:*:*:*:node.js:*:*"
],
"express-restify-mongoose": [ "express-restify-mongoose": [
"cpe:2.3:a:express-restify-mongoose_project:express-restify-mongoose:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:express-restify-mongoose_project:express-restify-mongoose:*:*:*:*:*:node.js:*:*"
], ],
@ -3388,7 +3361,7 @@
"cpe:2.3:a:fibjs_project:fibjs:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:fibjs_project:fibjs:*:*:*:*:*:node.js:*:*"
], ],
"file-type": [ "file-type": [
"cpe:2.3:a:sindresorhus:file-type:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:file-type_project:file-type:*:*:*:*:*:node.js:*:*"
], ],
"file-upload-with-preview": [ "file-upload-with-preview": [
"cpe:2.3:a:johndatserakis:file-upload-with-preview:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:johndatserakis:file-upload-with-preview:*:*:*:*:*:node.js:*:*"
@ -3638,9 +3611,6 @@
"hapi-auth-jwt2": [ "hapi-auth-jwt2": [
"cpe:2.3:a:hapi-auth-jwt2_project:hapi-auth-jwt2:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:hapi-auth-jwt2_project:hapi-auth-jwt2:*:*:*:*:*:node.js:*:*"
], ],
"happy-dom": [
"cpe:2.3:a:capricorn86:happy_dom:*:*:*:*:*:nodejs:*:*"
],
"harp": [ "harp": [
"cpe:2.3:a:npmjs:harp:*:*:*:*:*:*:*:*" "cpe:2.3:a:npmjs:harp:*:*:*:*:*:*:*:*"
], ],
@ -4187,9 +4157,6 @@
"madlib-object-utils": [ "madlib-object-utils": [
"cpe:2.3:a:springtree:madlib-object-utils:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:springtree:madlib-object-utils:*:*:*:*:*:node.js:*:*"
], ],
"mailparser": [
"cpe:2.3:a:nodemailer:mailparser:*:*:*:*:*:node.js:*:*"
],
"makerjs": [ "makerjs": [
"cpe:2.3:a:microsoft:maker.js:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:microsoft:maker.js:*:*:*:*:*:node.js:*:*"
], ],
@ -4431,8 +4398,7 @@
"cpe:2.3:a:mystem3_project:mystem3:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:mystem3_project:mystem3:*:*:*:*:*:node.js:*:*"
], ],
"n8n": [ "n8n": [
"cpe:2.3:a:n8n:n8n:*:*:*:*:community:node.js:*:*", "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*"
"cpe:2.3:a:n8n:n8n:*:*:*:*:enterprise:node.js:*:*"
], ],
"nanoid": [ "nanoid": [
"cpe:2.3:a:nanoid_project:nanoid:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:nanoid_project:nanoid:*:*:*:*:*:node.js:*:*"
@ -5351,9 +5317,6 @@
"sly07": [ "sly07": [
"cpe:2.3:a:sly07_project:sly07:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:sly07_project:sly07:*:*:*:*:*:node.js:*:*"
], ],
"sm-crypto": [
"cpe:2.3:a:juneandgreen:sm-crypto:*:*:*:*:*:node.js:*:*"
],
"smb": [ "smb": [
"cpe:2.3:a:smb_project:smb:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:smb_project:smb:*:*:*:*:*:node.js:*:*"
], ],
@ -5513,9 +5476,6 @@
"terminal-kit": [ "terminal-kit": [
"cpe:2.3:a:terminal-kit_project:terminal-kit:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:terminal-kit_project:terminal-kit:*:*:*:*:*:node.js:*:*"
], ],
"terriajs-server": [
"cpe:2.3:a:terria:terriajs-server:*:*:*:*:*:node.js:*:*"
],
"terser": [ "terser": [
"cpe:2.3:a:terser:terser:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:terser:terser:*:*:*:*:*:node.js:*:*"
], ],
@ -5531,9 +5491,6 @@
"timespan": [ "timespan": [
"cpe:2.3:a:timespan_project:timespan:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:timespan_project:timespan:*:*:*:*:*:node.js:*:*"
], ],
"tinacms": [
"cpe:2.3:a:ssw:tinacms:*:*:*:*:*:node.js:*:*"
],
"tiny-conf": [ "tiny-conf": [
"cpe:2.3:a:tiny-conf_project:tiny-conf:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:tiny-conf_project:tiny-conf:*:*:*:*:*:node.js:*:*"
], ],
@ -5642,9 +5599,6 @@
"ungit": [ "ungit": [
"cpe:2.3:a:ungit_project:ungit:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:ungit_project:ungit:*:*:*:*:*:node.js:*:*"
], ],
"unhead": [
"cpe:2.3:a:unjs:unhead:*:*:*:*:*:node.js:*:*"
],
"unicode": [ "unicode": [
"cpe:2.3:a:unicode_project:unicode:*:*:*:*:*:node.js:*:*" "cpe:2.3:a:unicode_project:unicode:*:*:*:*:*:node.js:*:*"
], ],
@ -6026,9 +5980,6 @@
"b2sdk": [ "b2sdk": [
"cpe:2.3:a:backblaze:b2-sdk-python:*:*:*:*:*:*:*:*" "cpe:2.3:a:backblaze:b2-sdk-python:*:*:*:*:*:*:*:*"
], ],
"black": [
"cpe:2.3:a:python:black:*:*:*:*:*:python:*:*"
],
"blackduck": [ "blackduck": [
"cpe:2.3:a:synopsys:hub-rest-api-python:*:*:*:*:*:*:*:*" "cpe:2.3:a:synopsys:hub-rest-api-python:*:*:*:*:*:*:*:*"
], ],
@ -6096,9 +6047,6 @@
"datapizza-ai": [ "datapizza-ai": [
"cpe:2.3:a:datapizza:datapizza_ai:*:*:*:*:*:*:*:*" "cpe:2.3:a:datapizza:datapizza_ai:*:*:*:*:*:*:*:*"
], ],
"dbt-common": [
"cpe:2.3:a:getdbt:dbt-common:*:*:*:*:*:*:*:*"
],
"decorator": [ "decorator": [
"cpe:2.3:a:python:decorator:*:*:*:*:*:*:*:*" "cpe:2.3:a:python:decorator:*:*:*:*:*:*:*:*"
], ],
@ -6232,9 +6180,6 @@
"marshmallow": [ "marshmallow": [
"cpe:2.3:a:marshmallow_project:marshmallow:*:*:*:*:*:python:*:*" "cpe:2.3:a:marshmallow_project:marshmallow:*:*:*:*:*:python:*:*"
], ],
"mcp-memory-service": [
"cpe:2.3:a:doobidoo:mcp-memory-service:*:*:*:*:*:*:*:*"
],
"mltable": [ "mltable": [
"cpe:2.3:a:microsoft:azure_machine_learning_software_development_kit:*:*:*:*:*:*:*:*" "cpe:2.3:a:microsoft:azure_machine_learning_software_development_kit:*:*:*:*:*:*:*:*"
], ],
@ -6433,9 +6378,6 @@
"scoptrial": [ "scoptrial": [
"cpe:2.3:a:scoptrial_project:scoptrial:*:*:*:*:*:pypi:*:*" "cpe:2.3:a:scoptrial_project:scoptrial:*:*:*:*:*:pypi:*:*"
], ],
"semantic-kernel": [
"cpe:2.3:a:microsoft:semantic_kernel:*:*:*:*:*:python:*:*"
],
"sentry-sdk": [ "sentry-sdk": [
"cpe:2.3:a:sentry:sentry_software_development_kit:*:*:*:*:*:python:*:*" "cpe:2.3:a:sentry:sentry_software_development_kit:*:*:*:*:*:python:*:*"
], ],
@ -6685,9 +6627,6 @@
"gon": [ "gon": [
"cpe:2.3:a:gon_project:gon:*:*:*:*:*:ruby:*:*" "cpe:2.3:a:gon_project:gon:*:*:*:*:*:ruby:*:*"
], ],
"graphiti": [
"cpe:2.3:a:graphiti:graphiti:*:*:*:*:*:ruby:*:*"
],
"gyazo": [ "gyazo": [
"cpe:2.3:a:gyazo_project:gyazo:*:*:*:*:*:ruby:*:*" "cpe:2.3:a:gyazo_project:gyazo:*:*:*:*:*:ruby:*:*"
], ],
@ -7069,12 +7008,6 @@
"aws-lc-fips-sys": [ "aws-lc-fips-sys": [
"cpe:2.3:a:amazon:aws-lc-fips-sys:*:*:*:*:*:rust:*:*" "cpe:2.3:a:amazon:aws-lc-fips-sys:*:*:*:*:*:rust:*:*"
], ],
"aws-lc-rs": [
"cpe:2.3:a:amazon:aws-lc-rs:*:*:*:*:*:rust:*:*"
],
"aws-lc-sys": [
"cpe:2.3:a:amazon:aws-lc-sys:*:*:*:*:*:rust:*:*"
],
"axum-core": [ "axum-core": [
"cpe:2.3:a:axum-core_project:axum-core:*:*:*:*:*:rust:*:*" "cpe:2.3:a:axum-core_project:axum-core:*:*:*:*:*:rust:*:*"
], ],
@ -9253,9 +9186,6 @@
"bravo-translate": [ "bravo-translate": [
"cpe:2.3:a:guelbetech:bravo_translate:*:*:*:*:*:wordpress:*:*" "cpe:2.3:a:guelbetech:bravo_translate:*:*:*:*:*:wordpress:*:*"
], ],
"bread-butter": [
"cpe:2.3:a:breadbutter:bread_\\\u0026_butter:*:*:*:*:*:wordpress:*:*"
],
"breadcrumbs-by-menu": [ "breadcrumbs-by-menu": [
"cpe:2.3:a:holest:breadcrumbs_by_menu:*:*:*:*:*:wordpress:*:*" "cpe:2.3:a:holest:breadcrumbs_by_menu:*:*:*:*:*:wordpress:*:*"
], ],
@ -10109,9 +10039,6 @@
"contact-form-7-paypal-add-on": [ "contact-form-7-paypal-add-on": [
"cpe:2.3:a:wpplugin:paypal_\\\u0026_stripe_add-on:*:*:*:*:*:wordpress:*:*" "cpe:2.3:a:wpplugin:paypal_\\\u0026_stripe_add-on:*:*:*:*:*:wordpress:*:*"
], ],
"contact-form-7-recaptcha": [
"cpe:2.3:a:iambriansreed:contact_form_7_recaptcha:*:*:*:*:*:wordpress:*:*"
],
"contact-form-7-simple-recaptcha": [ "contact-form-7-simple-recaptcha": [
"cpe:2.3:a:contact_form_7_captcha_project:contact_form_7_captcha:*:*:*:*:*:wordpress:*:*" "cpe:2.3:a:contact_form_7_captcha_project:contact_form_7_captcha:*:*:*:*:*:wordpress:*:*"
], ],


@ -2,15 +2,14 @@ version: "3"
vars: vars:
CPE_CACHE_DIR: "syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/.cpe-cache" CPE_CACHE_DIR: "syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/.cpe-cache"
CPE_CACHE_REGISTRY: "ghcr.io/anchore/oss-cache/cpe-cache:latest" CPE_CACHE_REGISTRY: "ghcr.io/anchore/syft/cpe-cache:latest"
CPE_CACHE_REPO: "oss-cache"
CPE_INDEX_OUTPUT: "syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json" CPE_INDEX_OUTPUT: "syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json"
CPE_GENERATOR_DIR: "syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator" CPE_GENERATOR_DIR: "syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator"
tasks: tasks:
cache:pull: cache:pull:
desc: Pull CPE cache from ORAS registry (ghcr.io/anchore/oss-cache/cpe-cache:latest) desc: Pull CPE cache from ORAS registry (ghcr.io/anchore/syft/cpe-cache:latest)
deps: [':tools'] # deps: [tools]
cmds: cmds:
- cmd: | - cmd: |
set -eu set -eu
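Review bot: The `deps:` line for `cache:pull` on line 1067 is commented out (`# deps: [tools]`), so the task no longer guarantees the toolchain is installed before it runs, while the task body invokes `"$oras_bin"` (visible in the second hunk, the rest of the body is outside the hunk). If that path is resolved from the managed tool directory, a fresh checkout fails on first use with a missing-binary error instead of bootstrapping. Either restore the dependency, `deps: [tools]`, or record why it is disabled so the next reader does not re-enable it blindly, e.g. `# deps: [tools]  # disabled: <reason> — cache:pull assumes oras is already installed`.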
@ -117,7 +116,7 @@ tasks:
# push compressed files to ORAS (from cache directory, so only basenames are used) # push compressed files to ORAS (from cache directory, so only basenames are used)
echo "Pushing compressed files to registry..." echo "Pushing compressed files to registry..."
"$oras_bin" push {{ .CPE_CACHE_REGISTRY }} $compressed_files \ "$oras_bin" push {{ .CPE_CACHE_REGISTRY }} $compressed_files \
--annotation org.opencontainers.image.source=https://github.com/{{ .OWNER }}/{{ .CPE_CACHE_REPO }} \ --annotation org.opencontainers.image.source=https://github.com/{{ .OWNER }}/{{ .PROJECT }} \
--annotation org.opencontainers.image.created=$(date -u +"%Y-%m-%dT%H:%M:%SZ") --annotation org.opencontainers.image.created=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
# clean up compressed files # clean up compressed files