2026-04-03 13:20:41 +02:00
27 changed files with 443 additions and 290 deletions
--- a/.binny.yaml
+++ b/.binny.yaml
@ -1,13 +1,8 @@
-# only pull in version updates that were released more than a week ago (low-pass filter for quickly-retracted releases)
-cooldown: 7d
-
 tools:
-  ## internal tools ############################################################################
-
  # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
  - name: binny
    version:
-      want: v0.13.0
+      want: v0.12.0
    method: github-release
    with:
      repo: anchore/binny
@ -15,7 +10,7 @@ tools:
  # used to produce SBOMs during release
  - name: syft
    version:
-      want: v1.42.3
+      want: latest
    method: github-release
    with:
      repo: anchore/syft
@ -28,20 +23,10 @@ tools:
    with:
      repo: anchore/quill

-  # used at release to generate the changelog
-  - name: chronicle
-    version:
-      want: v0.8.0
-    method: github-release
-    with:
-      repo: anchore/chronicle
-
-  ## external tools ############################################################################
-
  # used for linting
  - name: golangci-lint
    version:
-      want: v2.11.4
+      want: v2.11.3
    method: github-release
    with:
      repo: golangci/golangci-lint
@ -73,7 +58,7 @@ tools:
  # used to release all artifacts
  - name: goreleaser
    version:
-      want: v2.15.2
+      want: v2.14.3
    method: github-release
    with:
      repo: goreleaser/goreleaser
@ -86,6 +71,14 @@ tools:
    with:
      repo: rinchsan/gosimports

+  # used at release to generate the changelog
+  - name: chronicle
+    version:
+      want: v0.8.0
+    method: github-release
+    with:
+      repo: anchore/chronicle
+
  # used during static analysis for license compliance
  - name: bouncer
    version:
@ -105,7 +98,7 @@ tools:
  # used for triggering a release
  - name: gh
    version:
-      want: v2.89.0
+      want: v2.88.1
    method: github-release
    with:
      repo: cli/cli
@ -121,7 +114,7 @@ tools:
  # used to upload test fixture cache
  - name: yq
    version:
-      want: v4.52.5
+      want: v4.52.4
    method: github-release
    with:
      repo: mikefarah/yq
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -23,11 +23,6 @@ updates:
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
-    ignore:
-      - dependency-name: "github.com/aquasecurity/go-pep440-version"
-      - dependency-name: "github.com/aquasecurity/go-version"
-      - dependency-name: "github.com/knqyf263/go-apk-version"
-      - dependency-name: "github.com/knqyf263/go-deb-version"
    groups:
      go-minor-patch:
        applies-to: version-updates  # security updates get individual PRs
@ -40,7 +35,7 @@ updates:
  - package-ecosystem: "github-actions"
    directories:
      - "/"
-      - "/.github/actions/*"
+      - "/.github/actions/bootstrap"
    cooldown:
      default-days: 7
    schedule:
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -0,0 +1,76 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL Security Scan"
+
+on:
+  push:
+    branches:
+      # only run when there are pushes to the main branch (not on PRs)
+      - main
+
+  schedule:
+    - cron: '0 0 * * 3'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-22.04-4core-16gb
+    if: github.repository == 'anchore/syft' # only run for main repo
+    permissions:
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['go', 'python']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      with:
+        persist-credentials: false
+
+    - name: Install Go
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
+      with:
+        go-version-file: go.mod
+        check-latest: true
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file. 
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@ -1,81 +0,0 @@
-# CodeQL scans for security vulnerabilities and coding errors across all
-# languages in this repo. Results appear in the "Security" tab under
-# "Code scanning alerts" and are enforced by branch protection rules.
-name: "CodeQL"
-
-on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
-  # Weekly scheduled scan catches newly disclosed vulnerabilities in
-  # existing code, not just changes introduced by PRs.
-  schedule:
-    - cron: '38 11 * * 3'
-
-jobs:
-  analyze:
-    name: Analyze (${{ matrix.language }})
-    runs-on: ubuntu-latest
-    permissions:
-      # Required to upload SARIF results to the "Security" tab.
-      security-events: write
-      # Required to fetch internal or private CodeQL packs.
-      packages: read
-      # Only required for workflows in private repositories.
-      actions: read
-      contents: read
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          # GitHub Actions workflow linting — no build needed.
-          - language: actions
-            build-mode: none
-
-          # Go uses "manual" build mode so we control exactly what gets
-          # compiled. The default "autobuild" finds the Makefile and runs
-          # the full CI pipeline (lint, test, snapshot release, etc.),
-          # which is far more work than CodeQL needs. All it requires is
-          # compiled Go source so it can build a type-resolved code graph
-          # for analysis.
-          - language: go
-            build-mode: manual
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-        with:
-          persist-credentials: false
-
-      # Pin the Go toolchain to whatever go.mod declares so CodeQL
-      # analyzes with the same version the project actually uses.
-      # Only runs for the Go matrix entry.
-      - name: Setup Go
-        if: matrix.language == 'go'
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-        with:
-          go-version-file: go.mod
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
-        with:
-          languages: ${{ matrix.language }}
-          build-mode: ${{ matrix.build-mode }}
-
-      # Minimal build for Go: compile all packages so CodeQL gets a full
-      # type-resolved code graph for analysis.
-      - name: Build (Go)
-        if: matrix.build-mode == 'manual'
-        shell: bash
-        run: go build ./...
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
-        with:
-          # The category tag lets GitHub associate SARIF results with the
-          # correct language when branch protection checks for required
-          # code scanning results.
-          category: "/language:${{matrix.language}}"
--- a/.github/workflows/detect-schema-changes.yaml
+++ b/.github/workflows/detect-schema-changes.yaml
@ -1,5 +1,3 @@
-# Note: this workflow has been disabled manually in the UI and will be replaced in short order
-
 name: "Detect schema changes"

 on:
@ -39,8 +37,6 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          persist-credentials: false
-          repository: anchore/syft # IMPORTANT! An additional protection that this is checking out code from the expected repository 
-          ref: main # IMPORTANT!  It is CRITICAL that this only ever considers the code from main and NEVER EVER from a fork.

      - run: python .github/scripts/labeler.py
        env:
@ -50,7 +46,7 @@ jobs:

      - name: Delete existing comment
        if: ${{ hashFiles( env.CI_COMMENT_FILE ) == '' }}
-        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 #v3.0.2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 #v2.9.4
        with:
          header: ${{ env.COMMENT_HEADER }}
          hide: true
@ -58,7 +54,7 @@ jobs:

      - name: Add comment
        if: ${{ hashFiles( env.CI_COMMENT_FILE ) != '' }}
-        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 #v3.0.2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 #v2.9.4
        with:
          header: ${{ env.COMMENT_HEADER }}
          path: ${{ env.CI_COMMENT_FILE }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -193,7 +193,7 @@ jobs:
          artifact-name: sbom.spdx.json

      - name: Notify Slack of new release
-        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 #v3.0.1
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a #v2.1.1
        continue-on-error: true
        with:
          webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
--- a/.github/workflows/test-fixture-cache-publish.yaml
+++ b/.github/workflows/test-fixture-cache-publish.yaml
@ -0,0 +1,48 @@
+name: "Test fixture cache: publish"
+
+on:
+  workflow_dispatch:
+  schedule:
+    # run nightly at 4AM UTC
+    - cron: "0 4 * * *"
+
+permissions:
+  contents: read
+
+jobs:
+
+  Publish:
+    name: "Publish test fixture image cache"
+    # runs-on.com: general purpose instances for building test fixture cache
+    #   spot disabled: can run up to an hour, avoid interruptions
+    #   s3-cache: faster actions cache
+    #   family: note that m*d instances have local nvme storage which is beneficial for building large test fixture images
+    runs-on: "runs-on=${{ github.run_id }}/cpu=8+16/ram=32+64/family=m5d+m5ad+m5dn+m6gd+m6id+m6idn+m7gd+m8gd/spot=false/extras=s3-cache"
+    if: github.repository == 'anchore/syft' # only run for main repo
+    permissions:
+      packages: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+        with:
+          # we want to rebuild the cache with no previous state
+          download-test-fixture-cache: false
+
+      - name: Run all tests
+        run: |
+          make test
+        env:
+          # we want to rebuild the cache with no previous state
+          DOWNLOAD_TEST_FIXTURE_CACHE: "false"
+
+      - name: Login to GitHub Container Registry (ORAS)
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | .tool/oras login ghcr.io -u "$ACTOR" --password-stdin
+        env:
+          ACTOR: ${{ github.actor }}
+
+      - name: Publish test fixture cache
+        run: make upload-test-fixture-cache
--- a/.github/workflows/update-anchore-dependencies.yml
+++ b/.github/workflows/update-anchore-dependencies.yml
@ -0,0 +1,51 @@
+name: PR to update Anchore dependencies
+on:
+  workflow_dispatch:
+    inputs:
+      repos:
+        description: "List of dependencies to update"
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'anchore' # only run for main repo (not forks)
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+        with:
+          tools: false
+          bootstrap-apt-packages: ""
+
+      - name: Update dependencies
+        id: update
+        uses: anchore/workflows/.github/actions/update-go-dependencies@main
+        with:
+          repos: ${{ github.event.inputs.repos }}
+
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
+        id: generate-token
+        with:
+          app-id: ${{ secrets.TOKEN_APP_ID }}
+          private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0
+        with:
+          signoff: true
+          delete-branch: true
+          draft: ${{ steps.update.outputs.draft }}
+          # do not change this branch, as other workflows depend on it
+          branch: auto/integration
+          labels: dependencies,pre-release
+          commit-message: "chore(deps): update anchore dependencies"
+          title: "chore(deps): update anchore dependencies"
+          body: ${{ steps.update.outputs.summary }}
+          token: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/update-bootstrap-tools.yml
+++ b/.github/workflows/update-bootstrap-tools.yml
@ -0,0 +1,67 @@
+name: PR for latest versions of tools
+on:
+  schedule:
+    - cron: "0 8 * * *" # 3 AM EST
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  update-bootstrap-tools:
+    runs-on: ubuntu-latest
+    if: github.repository == 'anchore/syft' # only run for main repo
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+        with:
+          bootstrap-apt-packages: ""
+          go-dependencies: false
+
+      - name: "Update tool versions"
+        id: latest-versions
+        run: |
+          make update-tools
+          make list-tools
+          
+          export NO_COLOR=1
+          delimiter="$(openssl rand -hex 8)"
+          
+          {
+            echo "status<<${delimiter}"
+            make list-tool-updates
+            echo "${delimiter}"
+          } >> $GITHUB_OUTPUT
+          
+          {
+            echo "### Tool version status"
+            echo "\`\`\`"
+            make list-tool-updates
+            echo "\`\`\`"
+          } >> $GITHUB_STEP_SUMMARY
+
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
+        id: generate-token
+        with:
+          app-id: ${{ secrets.TOKEN_APP_ID }}
+          private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0
+        with:
+          signoff: true
+          delete-branch: true
+          branch: auto/latest-tools
+          labels: dependencies
+          commit-message: 'chore(deps): update tools to latest versions'
+          title: 'chore(deps): update tools to latest versions'
+          body: |
+            ```
+            ${{ steps.latest-versions.outputs.status }}
+            ```
+            This is an auto-generated pull request to update all of the tools to the latest versions.
+          token: ${{ steps.generate-token.outputs.token }}
--- a/.github/workflows/update-cpe-dictionary-index.yml
+++ b/.github/workflows/update-cpe-dictionary-index.yml
@ -0,0 +1,84 @@
+name: PR to update CPE dictionary index
+on:
+  schedule:
+    - cron: "0 1 * * 1" # every monday at 1 AM
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  SLACK_NOTIFICATIONS: true
+
+jobs:
+  upgrade-cpe-dictionary-index:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    if: github.repository == 'anchore/syft' # only run for main repo
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+        id: bootstrap
+
+      - name: Login to GitHub Container Registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | .tool/oras login ghcr.io -u "$ACTOR" --password-stdin
+        env:
+          ACTOR: ${{ github.actor }}
+
+      - name: Pull CPE cache from registry
+        run: make generate:cpe-index:cache:pull
+
+      - name: Update CPE cache from NVD API
+        run: make generate:cpe-index:cache:update
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+
+      - name: Generate CPE dictionary index
+        run: make generate:cpe-index:build
+
+      - name: Push updated CPE cache to registry
+        run: make generate:cpe-index:cache:push
+
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
+        id: generate-token
+        with:
+          app-id: ${{ secrets.TOKEN_APP_ID }}
+          private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0
+        with:
+          signoff: true
+          delete-branch: true
+          branch: auto/latest-cpe-dictionary-index
+          labels: dependencies
+          commit-message: "chore(deps): update CPE dictionary index"
+          title: "chore(deps): update CPE dictionary index"
+          body: |
+            Update CPE dictionary index based on the latest available CPE dictionary
+          token: ${{ steps.generate-token.outputs.token }}
+
+      - name: Notify Slack on failure
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a #v2.1.1
+        with:
+          webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
+          payload: |
+            text: "Syft CPE dictionary index update failed"
+            blocks:
+              - type: section
+                text:
+                  type: mrkdwn
+                  text: |
+                    *Syft CPE dictionary index update failed*
+                    • Workflow: `${{ github.workflow }}`
+                    • Event: `${{ github.event_name }}`
+                    • Job Status: `${{ job.status }}`
+                    • <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Run>
+        if: ${{ failure() && env.SLACK_NOTIFICATIONS == 'true' }}
--- a/.github/workflows/update-spdx-license-list.yaml
+++ b/.github/workflows/update-spdx-license-list.yaml
@ -0,0 +1,64 @@
+name: PR to update SPDX license list
+on:
+  schedule:
+    - cron: "0 6 * * 1" # every monday at 6 AM UTC
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  SLACK_NOTIFICATIONS: true
+
+jobs:
+  upgrade-spdx-license-list:
+    runs-on: ubuntu-latest
+    if: github.repository == 'anchore/syft' # only run for main repo
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+
+      - run: |
+          make generate-license-list
+
+      - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.TOKEN_APP_ID }}
+          private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0
+        with:
+          signoff: true
+          delete-branch: true
+          branch: auto/latest-spdx-license-list
+          labels: dependencies
+          commit-message: "chore(deps): update SPDX license list"
+          title: "chore(deps): update SPDX license list"
+          body: |
+            Update SPDX license list based on the latest available list from spdx.org
+          token: ${{ steps.generate-token.outputs.token }}
+
+      - name: Notify Slack on failure
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a #v2.1.1
+        with:
+          webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
+          payload: |
+            text: "Syft SPDX license list update failed"
+            blocks:
+              - type: section
+                text:
+                  type: mrkdwn
+                  text: |
+                    *Syft SPDX license list update failed*
+                    • Workflow: `${{ github.workflow }}`
+                    • Event: `${{ github.event_name }}`
+                    • Job Status: `${{ job.status }}`
+                    • <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Run>
+        if: ${{ failure() && env.SLACK_NOTIFICATIONS == 'true' }}
--- a/.github/workflows/validate-github-actions.yaml
+++ b/.github/workflows/validate-github-actions.yaml
@ -1,8 +1,10 @@
 name: "Validate GitHub Actions"

 on:
-  workflow_dispatch:
  pull_request:
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
  push:
    branches:
      - main
@ -26,8 +28,9 @@ jobs:
          persist-credentials: false

      - name: "Run zizmor"
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
        with:
-          # there is a pass/fail gate as a repo ruleset (if there is no ruleset configured then the action will pass by default)
-          advanced-security: true
+          config: .github/zizmor.yml
+          # Disable SARIF upload so the step is a simple pass/fail gate
+          advanced-security: false
          inputs: .github
--- a/SECURITY.md
+++ b/SECURITY.md
@ -14,23 +14,3 @@ affected versions, and, if known, mitigations for the issue.
 All support will be made on a best effort basis, so please indicate the "urgency level" of the vulnerability as Critical, High, Medium or Low.

 For more details, see our [security policy documentation](https://oss.anchore.com/docs/contributing/security/).
-
-## Trust Boundary
-
-Syft is a tool to scan content and product an SBOM. Syft is not a tool designed to scan malicious content. Detecting and properly reporting on purposely malicious artifacts is outside the scope of Syft's expected operating environment.
-
-There are many possible ways for malicious content to cause Syft to become confused or fail to include results in an SBOM. We do not consider this to be a security vulnerability.
-
-**Examples**
- Removing or altering a package lock file
- Removing or altering an RPM or DEB database
- A malicious archive that Syft will skip but the runtime may not
- Self modifying systems that change state when running
-
-We consider the security trust boundary for Syft to be anything that causes problems for the overall system running Syft, or Syft operating in a way that is dangerous to itself, the system, or the operator.
-
-**Examples**
- Filling up temp space permanently
- Syft executing arbitrary code when scanning an artifact
- Syft leaking secrets from the environment or configuration files into logs or SBOMs
- Syft operating outside of the expected artifact or directory (directory traversal)
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@ -10,8 +10,7 @@ vars:

  # v1: when fixtures were located at test-fixtures dirs
  # v2: migration to testdata dirs
-  CACHE_REPO: oss-cache
-  CACHE_IMAGE: ghcr.io/{{ .OWNER }}/{{ .CACHE_REPO }}/syft-test-fixture-cache:v2
+  CACHE_IMAGE: ghcr.io/{{ .OWNER }}/{{ .PROJECT }}/test-fixture-cache:v2

  # static file dirs
  TOOL_DIR: .tool
@ -425,7 +424,7 @@ tasks:
      done
      oras_command+=" {{ .CACHE_PATHS_FILE }}"

-      oras_command+=" --annotation org.opencontainers.image.source=https://github.com/{{ .OWNER }}/{{ .CACHE_REPO }}"
+      oras_command+=" --annotation org.opencontainers.image.source=https://github.com/{{ .OWNER }}/{{ .PROJECT }}"
      oras_command+=" --annotation fingerprint=$(cat {{ .CACHE_PATHS_FILE }} | {{ .YQ }} -r '.digest')"

      echo "Executing: $oras_command"
--- a/go.mod
+++ b/go.mod
@ -37,7 +37,7 @@ require (
 	github.com/elliotchance/phpserialize v1.4.0
 	github.com/facebookincubator/nvdtools v0.1.5
 	github.com/github/go-spdx/v2 v2.4.0
-	github.com/gkampitakis/go-snaps v0.5.21
+	github.com/gkampitakis/go-snaps v0.5.20
 	github.com/go-git/go-billy/v5 v5.8.0
 	github.com/go-git/go-git/v5 v5.17.0
 	github.com/go-test/deep v1.1.1
@ -88,7 +88,7 @@ require (
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
 	golang.org/x/mod v0.34.0
 	golang.org/x/net v0.52.0
-	modernc.org/sqlite v1.46.2
+	modernc.org/sqlite v1.46.1
 )

 require (
@ -263,7 +263,7 @@ require (
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1
-	modernc.org/libc v1.70.0 // indirect
+	modernc.org/libc v1.67.6 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -414,8 +414,8 @@ github.com/github/go-spdx/v2 v2.4.0 h1:+4IwVwJJbm3rzvrQ6P1nI9BDMcy3la4RchRy5uehV
 github.com/github/go-spdx/v2 v2.4.0/go.mod h1:/5rwgS0txhGtRdUZwc02bTglzg6HK3FfuEbECKlK2Sg=
 github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs=
 github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
-github.com/gkampitakis/go-snaps v0.5.21 h1:SvhSFeZviQXwlT+dnGyAIATVehkhqRVW6qfQZhCZH+Y=
-github.com/gkampitakis/go-snaps v0.5.21/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs=
+github.com/gkampitakis/go-snaps v0.5.20 h1:FGKonEeQPJ12t7RQj6cTPa881fl5c8HYarMLv5vP7sg=
+github.com/gkampitakis/go-snaps v0.5.20/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs=
 github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4=
 github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
@ -1514,18 +1514,18 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
 modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
-modernc.org/ccgo/v4 v4.32.0 h1:hjG66bI/kqIPX1b2yT6fr/jt+QedtP2fqojG2VrFuVw=
-modernc.org/ccgo/v4 v4.32.0/go.mod h1:6F08EBCx5uQc38kMGl+0Nm0oWczoo1c7cgpzEry7Uc0=
-modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
-modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
+modernc.org/ccgo/v4 v4.30.1 h1:4r4U1J6Fhj98NKfSjnPUN7Ze2c6MnAdL0hWw6+LrJpc=
+modernc.org/ccgo/v4 v4.30.1/go.mod h1:bIOeI1JL54Utlxn+LwrFyjCx2n2RDiYEaJVSrgdrRfM=
+modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
+modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
 modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
-modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
-modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
+modernc.org/gc/v3 v3.1.1 h1:k8T3gkXWY9sEiytKhcgyiZ2L0DTyCQ/nvX+LoCljoRE=
+modernc.org/gc/v3 v3.1.1/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.70.0 h1:U58NawXqXbgpZ/dcdS9kMshu08aiA6b7gusEusqzNkw=
-modernc.org/libc v1.70.0/go.mod h1:OVmxFGP1CI/Z4L3E0Q3Mf1PDE0BucwMkcXjjLntvHJo=
+modernc.org/libc v1.67.6 h1:eVOQvpModVLKOdT+LvBPjdQqfrZq+pC39BygcT+E7OI=
+modernc.org/libc v1.67.6/go.mod h1:JAhxUVlolfYDErnwiqaLvUqc8nfb2r6S6slAgZOnaiE=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
@ -1534,8 +1534,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.46.2 h1:gkXQ6R0+AjxFC/fTDaeIVLbNLNrRoOK7YYVz5BKhTcE=
-modernc.org/sqlite v1.46.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig=
+modernc.org/sqlite v1.46.1 h1:eFJ2ShBLIEnUWlLy12raN0Z1plqmFX9Qe3rjQTKt6sU=
+modernc.org/sqlite v1.46.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
--- a/syft/pkg/cataloger/binary/classifier_cataloger_test.go
+++ b/syft/pkg/cataloger/binary/classifier_cataloger_test.go
@ -61,28 +61,6 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				Metadata:  metadata("arangodb-binary"),
 			},
 		},
-		{
-			logicalFixture: "arangodb/3.12.5/linux-amd64",
-			expected: pkg.Package{
-				Name:      "arangodb",
-				Version:   "3.12.5",
-				Type:      "binary",
-				PURL:      "pkg:generic/arangodb@3.12.5",
-				Locations: locations("arangosh"),
-				Metadata:  metadata("arangodb-binary"),
-			},
-		},
-		{
-			logicalFixture: "arangodb/3.12.5-2/linux-amd64",
-			expected: pkg.Package{
-				Name:      "arangodb",
-				Version:   "3.12.5-2",
-				Type:      "binary",
-				PURL:      "pkg:generic/arangodb@3.12.5-2",
-				Locations: locations("arangosh"),
-				Metadata:  metadata("arangodb-binary"),
-			},
-		},
 		{
 			logicalFixture: "postgres/15beta4/linux-amd64",
 			expected: pkg.Package{
@ -749,16 +727,6 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 		{
 			// TODO: find original binary...
 			// note: cannot find the original binary, using a custom snippet based on the original snippet in the repo
-			logicalFixture: "go-version-hint/1.15-dev/any",
-			expected: pkg.Package{
-				Name:      "go",
-				Version:   "1.15",
-				PURL:      "pkg:generic/go@1.15",
-				Locations: locations("bin/go", "VERSION"),
-				Metadata:  metadata("go-binary"),
-			},
-		},
-		{
 			logicalFixture: "go-version-hint/1.15/any",
 			expected: pkg.Package{
 				Name:      "go",
--- a/syft/pkg/cataloger/binary/classifiers.go
+++ b/syft/pkg/cataloger/binary/classifiers.go
@ -76,10 +76,10 @@ func DefaultClassifiers() []binutils.Classifier {
 					`(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+)?)\x00`),
 				binutils.SupportingEvidenceMatcher("VERSION*",
 					m.FileContentsVersionMatcher(
-						`(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+|-[_0-9a-z]+)?)`)),
+						`(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+|-[_0-9a-z]+)?)\s`)),
 				binutils.SupportingEvidenceMatcher("../VERSION*",
 					m.FileContentsVersionMatcher(
-						`(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+|-[_0-9a-z]+)?)`)),
+						`(?m)go(?P<version>[0-9]+\.[0-9]+(\.[0-9]+|beta[0-9]+|alpha[0-9]+|rc[0-9]+|-[_0-9a-z]+)?)\s`)),
 			),
 			Package: "go",
 			PURL:    mustPURL("pkg:generic/go@version"),
@ -232,7 +232,7 @@ func DefaultClassifiers() []binutils.Classifier {
 			Class:    "arangodb-binary",
 			FileGlob: "**/arangosh",
 			EvidenceMatcher: m.FileContentsVersionMatcher(
-				`(?m)\x00*(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?)\s(enterprise\s)?\[linux\]`),
+				`(?m)\x00*(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?)\s\[linux\]`),
 			Package: "arangodb",
 			PURL:    mustPURL("pkg:generic/arangodb@version"),
 			CPEs:    singleCPE("cpe:2.3:a:arangodb:arangodb:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
--- a/syft/pkg/cataloger/binary/testdata/capture-snippet.sh
+++ b/syft/pkg/cataloger/binary/testdata/capture-snippet.sh
@ -151,4 +151,4 @@ while $CONTINUE_LOOP; do

 done

-go run ../internal/manager write-snippet "$BINARY_FILE" --offset "$OFFSET" --length "$LENGTH" --name "$GROUP_NAME" --version "$VERSION"
+go run ./manager write-snippet "$BINARY_FILE" --offset "$OFFSET" --length "$LENGTH" --name "$GROUP_NAME" --version "$VERSION"
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/arangodb/3.12.5-2/linux-amd64/arangosh
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/arangodb/3.12.5-2/linux-amd64/arangosh
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/arangodb/3.12.5/linux-amd64/arangosh
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/arangodb/3.12.5/linux-amd64/arangosh
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15-dev/any/VERSION
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15-dev/any/VERSION
@ -1 +0,0 @@
-go1.15 Fri 2003
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15-dev/any/bin/go
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15-dev/any/bin/go
@ -1 +0,0 @@
-no version in this binary
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15/any/VERSION
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/1.15/any/VERSION
@ -1 +1 @@
-go1.15
+go1.15 Fri 2003
--- a/syft/pkg/cataloger/binary/testdata/config.yaml
+++ b/syft/pkg/cataloger/binary/testdata/config.yaml
@ -458,20 +458,6 @@ from-images:
        platform: linux/amd64
    paths:
      - /usr/bin/arangosh
-  - name: arangodb
-    version: 3.12.5
-    images:
-      - ref: arangodb:3.12.5@sha256:1f9278fe17b200cf3aea2c7bd7fd571221b5b41a49b835a397c47eb970c952d6
-        platform: linux/amd64
-    paths:
-      - /usr/bin/arangosh
-  - name: arangodb
-    version: 3.12.5-2
-    images:
-      - ref: arangodb:3.12.5.2@sha256:5b0d1d2911ea864ea61d7e2357789004fe912606f5980cf481739601d7cb17a1
-        platform: linux/amd64
-    paths:
-      - /usr/bin/arangosh
  - version: 15.1
    images:
      - ref: postgres:15.1@sha256:b4140dd3a62f364f16a82c1bd88d28b9887ecb47f07dbe2941237d073574d428
--- a/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json
+++ b/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json
@ -22,9 +22,6 @@
      "github.com/apptainer/apptainer": [
        "cpe:2.3:a:lfprojects:apptainer:*:*:*:*:*:go:*:*"
      ],
-      "github.com/aquasecurity/trivy/pkg/types": [
-        "cpe:2.3:a:aquasec:trivy:*:*:*:*:*:go:*:*"
-      ],
      "github.com/argoproj/argo-workflows/v3": [
        "cpe:2.3:a:argoproj:argo_workflows:*:*:*:*:*:go:*:*"
      ],
@ -55,12 +52,6 @@
      "github.com/ecnepsnai/web": [
        "cpe:2.3:a:web_project:web:*:*:*:*:*:go:*:*"
      ],
-      "github.com/free5gc/amf": [
-        "cpe:2.3:a:free5gc:amf:*:*:*:*:*:go:*:*"
-      ],
-      "github.com/free5gc/go-upf": [
-        "cpe:2.3:a:free5gc:go-upf:*:*:*:*:*:go:*:*"
-      ],
      "github.com/free5gc/smf": [
        "cpe:2.3:a:free5gc:smf:*:*:*:*:*:go:*:*"
      ],
@ -1274,9 +1265,6 @@
      "literate": [
        "cpe:2.3:a:jenkins:literate:*:*:*:*:*:jenkins:*:*"
      ],
-      "loadninja": [
-        "cpe:2.3:a:jenkins:loadninja:*:*:*:*:*:jenkins:*:*"
-      ],
      "lockable-resources": [
        "cpe:2.3:a:jenkins:lockable_resources:*:*:*:*:*:jenkins:*:*"
      ],
@ -2326,9 +2314,6 @@
      "@ckeditor/ckeditor5-widget": [
        "cpe:2.3:a:ckeditor:ckeditor5-widget:*:*:*:*:*:node.js:*:*"
      ],
-      "@coding-solo/godot-mcp": [
-        "cpe:2.3:a:coding-solo:godot_mcp:*:*:*:*:*:*:*:*"
-      ],
      "@cookiex/deep": [
        "cpe:2.3:a:cookiex-deep_project:cookiex-deep:*:*:*:*:*:node.js:*:*"
      ],
@ -2492,12 +2477,6 @@
      "@thi.ng/egf": [
        "cpe:2.3:a:\\@thi.ng\\/egf_project:\\@thi.ng\\/egf:*:*:*:*:*:node.js:*:*"
      ],
-      "@tinacms/cli": [
-        "cpe:2.3:a:ssw:tinacms\\/cli:*:*:*:*:*:node.js:*:*"
-      ],
-      "@tinacms/graphql": [
-        "cpe:2.3:a:ssw:tinacms\\/graphql:*:*:*:*:*:node.js:*:*"
-      ],
      "@tiptap/extension-link": [
        "cpe:2.3:a:tiptap:tiptap\\/extension-link:*:*:*:*:*:node.js:*:*"
      ],
@ -3097,9 +3076,6 @@
      "defaults-deep": [
        "cpe:2.3:a:defaults-deep_project:defaults-deep:*:*:*:*:*:node.js:*:*"
      ],
-      "defuddle": [
-        "cpe:2.3:a:kepano:defuddle:*:*:*:*:*:node.js:*:*"
-      ],
      "desafio": [
        "cpe:2.3:a:desafio_project:desafio:*:*:*:*:*:node.js:*:*"
      ],
@ -3303,9 +3279,6 @@
      "express-openid-connect": [
        "cpe:2.3:a:auth0:express_openid_connect:*:*:*:*:*:node.js:*:*"
      ],
-      "express-rate-limit": [
-        "cpe:2.3:a:express-rate-limit:express-rate-limit:*:*:*:*:*:node.js:*:*"
-      ],
      "express-restify-mongoose": [
        "cpe:2.3:a:express-restify-mongoose_project:express-restify-mongoose:*:*:*:*:*:node.js:*:*"
      ],
@ -3388,7 +3361,7 @@
        "cpe:2.3:a:fibjs_project:fibjs:*:*:*:*:*:node.js:*:*"
      ],
      "file-type": [
-        "cpe:2.3:a:sindresorhus:file-type:*:*:*:*:*:node.js:*:*"
+        "cpe:2.3:a:file-type_project:file-type:*:*:*:*:*:node.js:*:*"
      ],
      "file-upload-with-preview": [
        "cpe:2.3:a:johndatserakis:file-upload-with-preview:*:*:*:*:*:node.js:*:*"
@ -3638,9 +3611,6 @@
      "hapi-auth-jwt2": [
        "cpe:2.3:a:hapi-auth-jwt2_project:hapi-auth-jwt2:*:*:*:*:*:node.js:*:*"
      ],
-      "happy-dom": [
-        "cpe:2.3:a:capricorn86:happy_dom:*:*:*:*:*:nodejs:*:*"
-      ],
      "harp": [
        "cpe:2.3:a:npmjs:harp:*:*:*:*:*:*:*:*"
      ],
@ -4187,9 +4157,6 @@
      "madlib-object-utils": [
        "cpe:2.3:a:springtree:madlib-object-utils:*:*:*:*:*:node.js:*:*"
      ],
-      "mailparser": [
-        "cpe:2.3:a:nodemailer:mailparser:*:*:*:*:*:node.js:*:*"
-      ],
      "makerjs": [
        "cpe:2.3:a:microsoft:maker.js:*:*:*:*:*:node.js:*:*"
      ],
@ -4431,8 +4398,7 @@
        "cpe:2.3:a:mystem3_project:mystem3:*:*:*:*:*:node.js:*:*"
      ],
      "n8n": [
-        "cpe:2.3:a:n8n:n8n:*:*:*:*:community:node.js:*:*",
-        "cpe:2.3:a:n8n:n8n:*:*:*:*:enterprise:node.js:*:*"
+        "cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*"
      ],
      "nanoid": [
        "cpe:2.3:a:nanoid_project:nanoid:*:*:*:*:*:node.js:*:*"
@ -5351,9 +5317,6 @@
      "sly07": [
        "cpe:2.3:a:sly07_project:sly07:*:*:*:*:*:node.js:*:*"
      ],
-      "sm-crypto": [
-        "cpe:2.3:a:juneandgreen:sm-crypto:*:*:*:*:*:node.js:*:*"
-      ],
      "smb": [
        "cpe:2.3:a:smb_project:smb:*:*:*:*:*:node.js:*:*"
      ],
@ -5513,9 +5476,6 @@
      "terminal-kit": [
        "cpe:2.3:a:terminal-kit_project:terminal-kit:*:*:*:*:*:node.js:*:*"
      ],
-      "terriajs-server": [
-        "cpe:2.3:a:terria:terriajs-server:*:*:*:*:*:node.js:*:*"
-      ],
      "terser": [
        "cpe:2.3:a:terser:terser:*:*:*:*:*:node.js:*:*"
      ],
@ -5531,9 +5491,6 @@
      "timespan": [
        "cpe:2.3:a:timespan_project:timespan:*:*:*:*:*:node.js:*:*"
      ],
-      "tinacms": [
-        "cpe:2.3:a:ssw:tinacms:*:*:*:*:*:node.js:*:*"
-      ],
      "tiny-conf": [
        "cpe:2.3:a:tiny-conf_project:tiny-conf:*:*:*:*:*:node.js:*:*"
      ],
@ -5642,9 +5599,6 @@
      "ungit": [
        "cpe:2.3:a:ungit_project:ungit:*:*:*:*:*:node.js:*:*"
      ],
-      "unhead": [
-        "cpe:2.3:a:unjs:unhead:*:*:*:*:*:node.js:*:*"
-      ],
      "unicode": [
        "cpe:2.3:a:unicode_project:unicode:*:*:*:*:*:node.js:*:*"
      ],
@ -6026,9 +5980,6 @@
      "b2sdk": [
        "cpe:2.3:a:backblaze:b2-sdk-python:*:*:*:*:*:*:*:*"
      ],
-      "black": [
-        "cpe:2.3:a:python:black:*:*:*:*:*:python:*:*"
-      ],
      "blackduck": [
        "cpe:2.3:a:synopsys:hub-rest-api-python:*:*:*:*:*:*:*:*"
      ],
@ -6096,9 +6047,6 @@
      "datapizza-ai": [
        "cpe:2.3:a:datapizza:datapizza_ai:*:*:*:*:*:*:*:*"
      ],
-      "dbt-common": [
-        "cpe:2.3:a:getdbt:dbt-common:*:*:*:*:*:*:*:*"
-      ],
      "decorator": [
        "cpe:2.3:a:python:decorator:*:*:*:*:*:*:*:*"
      ],
@ -6232,9 +6180,6 @@
      "marshmallow": [
        "cpe:2.3:a:marshmallow_project:marshmallow:*:*:*:*:*:python:*:*"
      ],
-      "mcp-memory-service": [
-        "cpe:2.3:a:doobidoo:mcp-memory-service:*:*:*:*:*:*:*:*"
-      ],
      "mltable": [
        "cpe:2.3:a:microsoft:azure_machine_learning_software_development_kit:*:*:*:*:*:*:*:*"
      ],
@ -6433,9 +6378,6 @@
      "scoptrial": [
        "cpe:2.3:a:scoptrial_project:scoptrial:*:*:*:*:*:pypi:*:*"
      ],
-      "semantic-kernel": [
-        "cpe:2.3:a:microsoft:semantic_kernel:*:*:*:*:*:python:*:*"
-      ],
      "sentry-sdk": [
        "cpe:2.3:a:sentry:sentry_software_development_kit:*:*:*:*:*:python:*:*"
      ],
@ -6685,9 +6627,6 @@
      "gon": [
        "cpe:2.3:a:gon_project:gon:*:*:*:*:*:ruby:*:*"
      ],
-      "graphiti": [
-        "cpe:2.3:a:graphiti:graphiti:*:*:*:*:*:ruby:*:*"
-      ],
      "gyazo": [
        "cpe:2.3:a:gyazo_project:gyazo:*:*:*:*:*:ruby:*:*"
      ],
@ -7069,12 +7008,6 @@
      "aws-lc-fips-sys": [
        "cpe:2.3:a:amazon:aws-lc-fips-sys:*:*:*:*:*:rust:*:*"
      ],
-      "aws-lc-rs": [
-        "cpe:2.3:a:amazon:aws-lc-rs:*:*:*:*:*:rust:*:*"
-      ],
-      "aws-lc-sys": [
-        "cpe:2.3:a:amazon:aws-lc-sys:*:*:*:*:*:rust:*:*"
-      ],
      "axum-core": [
        "cpe:2.3:a:axum-core_project:axum-core:*:*:*:*:*:rust:*:*"
      ],
@ -9253,9 +9186,6 @@
      "bravo-translate": [
        "cpe:2.3:a:guelbetech:bravo_translate:*:*:*:*:*:wordpress:*:*"
      ],
-      "bread-butter": [
-        "cpe:2.3:a:breadbutter:bread_\\\u0026_butter:*:*:*:*:*:wordpress:*:*"
-      ],
      "breadcrumbs-by-menu": [
        "cpe:2.3:a:holest:breadcrumbs_by_menu:*:*:*:*:*:wordpress:*:*"
      ],
@ -10109,9 +10039,6 @@
      "contact-form-7-paypal-add-on": [
        "cpe:2.3:a:wpplugin:paypal_\\\u0026_stripe_add-on:*:*:*:*:*:wordpress:*:*"
      ],
-      "contact-form-7-recaptcha": [
-        "cpe:2.3:a:iambriansreed:contact_form_7_recaptcha:*:*:*:*:*:wordpress:*:*"
-      ],
      "contact-form-7-simple-recaptcha": [
        "cpe:2.3:a:contact_form_7_captcha_project:contact_form_7_captcha:*:*:*:*:*:wordpress:*:*"
      ],
--- a/task.d/generate/cpe-index.yaml
+++ b/task.d/generate/cpe-index.yaml
@ -2,15 +2,14 @@ version: "3"

 vars:
  CPE_CACHE_DIR: "syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/.cpe-cache"
-  CPE_CACHE_REGISTRY: "ghcr.io/anchore/oss-cache/cpe-cache:latest"
-  CPE_CACHE_REPO: "oss-cache"
+  CPE_CACHE_REGISTRY: "ghcr.io/anchore/syft/cpe-cache:latest"
  CPE_INDEX_OUTPUT: "syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json"
  CPE_GENERATOR_DIR: "syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator"

 tasks:
  cache:pull:
-    desc: Pull CPE cache from ORAS registry (ghcr.io/anchore/oss-cache/cpe-cache:latest)
-    deps: [':tools']
+    desc: Pull CPE cache from ORAS registry (ghcr.io/anchore/syft/cpe-cache:latest)
+    # deps: [tools]
    cmds:
      - cmd: |
          set -eu
@ -117,7 +116,7 @@ tasks:
          # push compressed files to ORAS (from cache directory, so only basenames are used)
          echo "Pushing compressed files to registry..."
          "$oras_bin" push {{ .CPE_CACHE_REGISTRY }} $compressed_files \
-            --annotation org.opencontainers.image.source=https://github.com/{{ .OWNER }}/{{ .CPE_CACHE_REPO }} \
+            --annotation org.opencontainers.image.source=https://github.com/{{ .OWNER }}/{{ .PROJECT }} \
            --annotation org.opencontainers.image.created=$(date -u +"%Y-%m-%dT%H:%M:%SZ")

          # clean up compressed files