chore(deps): update CPE dictionary index (#4715)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>

.binny.yaml

@@ -2,7 +2,7 @@ tools:
   # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
   - name: binny
     version:
-      want: v0.11.3
+      want: v0.12.0
     method: github-release
     with:
       repo: anchore/binny
@@ -18,7 +18,7 @@ tools:
   # used to sign mac binaries at release
   - name: quill
     version:
-      want: v0.5.1
+      want: v0.7.1
     method: github-release
     with:
       repo: anchore/quill
@@ -26,7 +26,7 @@ tools:
   # used for linting
   - name: golangci-lint
     version:
-      want: v2.9.0
+      want: v2.11.4
     method: github-release
     with:
       repo: golangci/golangci-lint
@@ -42,7 +42,7 @@ tools:
   # used for signing the checksums file at release
   - name: cosign
     version:
-      want: v3.0.4
+      want: v3.0.5
     method: github-release
     with:
       repo: sigstore/cosign
@@ -58,7 +58,7 @@ tools:
   # used to release all artifacts
   - name: goreleaser
     version:
-      want: v2.13.3
+      want: v2.15.1
     method: github-release
     with:
       repo: goreleaser/goreleaser
@@ -90,7 +90,7 @@ tools:
   # used for running all local and CI tasks
   - name: task
     version:
-      want: v3.48.0
+      want: v3.49.1
     method: github-release
     with:
       repo: go-task/task
@@ -98,7 +98,7 @@ tools:
   # used for triggering a release
   - name: gh
     version:
-      want: v2.86.0
+      want: v2.89.0
     method: github-release
     with:
       repo: cli/cli
@@ -106,7 +106,7 @@ tools:
   # used to upload test fixture cache
   - name: oras
     version:
-      want: v1.3.0
+      want: v1.3.1
     method: github-release
     with:
       repo: oras-project/oras
@@ -114,7 +114,7 @@ tools:
   # used to upload test fixture cache
   - name: yq
     version:
-      want: v4.52.4
+      want: v4.52.5
     method: github-release
     with:
       repo: mikefarah/yq

.github/actions/bootstrap/action.yaml

@@ -5,7 +5,7 @@ inputs:
   go-version:
     description: "Go version to install"
     required: true
-    default: "1.25.x"
+    default: "1.26.x"
   go-dependencies:
     description: "Download go dependencies"
     required: true
@@ -29,7 +29,7 @@ runs:
   using: "composite"
   steps:
     # note: go mod and build is automatically cached on default with v4+
-    - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
       if: inputs.go-version != ''
       with:
         go-version: ${{ inputs.go-version }}

.github/dependabot.yml

@@ -23,6 +23,11 @@ updates:
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
+    ignore:
+      - dependency-name: "github.com/aquasecurity/go-pep440-version"
+      - dependency-name: "github.com/aquasecurity/go-version"
+      - dependency-name: "github.com/knqyf263/go-apk-version"
+      - dependency-name: "github.com/knqyf263/go-deb-version"
     groups:
       go-minor-patch:
         applies-to: version-updates  # security updates get individual PRs

.github/scripts/capability-drift-check.sh

@@ -6,7 +6,7 @@ if [ "$(git status --porcelain | wc -l)" -ne "0" ]; then
   exit 1
 fi
 
-if ! make generate-capabilities; then
+if ! make generate-capabilities REFRESH=false; then
   echo "Generating capability descriptions failed"
   exit 1
 fi

.github/scripts/fingerprint_docker_fixtures.py

@@ -33,9 +33,9 @@ def is_git_tracked_or_untracked(directory):
 
 
 def find_test_fixture_dirs_with_images(base_dir):
-    """Find directories that contain 'test-fixtures' and at least one 'image-*' directory."""
+    """Find directories that contain 'testdata' and at least one 'image-*' directory."""
     for root, dirs, files in os.walk(base_dir):
-        if 'test-fixtures' in root:
+        if 'testdata' in root:
             image_dirs = [d for d in dirs if d.startswith('image-')]
             if image_dirs:
                 yield os.path.realpath(root)

.github/workflows/codeql-analysis.yml

@@ -41,14 +41,14 @@ jobs:
         persist-credentials: false
 
     - name: Install Go
-      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 #v6.2.0
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
       with:
         go-version-file: go.mod
         check-latest: true
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
+      uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -59,7 +59,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
+      uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -73,4 +73,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
+      uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6

.github/workflows/detect-schema-changes.yaml

@@ -37,6 +37,8 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           persist-credentials: false
+          repository: anchore/syft # IMPORTANT! An additional protection that this is checking out code from the expected repository 
+          ref: main # IMPORTANT!  It is CRITICAL that this only ever considers the code from main and NEVER EVER from a fork.
 
       - run: python .github/scripts/labeler.py
         env:
@@ -46,7 +48,7 @@ jobs:
 
       - name: Delete existing comment
         if: ${{ hashFiles( env.CI_COMMENT_FILE ) == '' }}
-        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 #v2.9.4
+        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 #v3.0.2
         with:
           header: ${{ env.COMMENT_HEADER }}
           hide: true
@@ -54,7 +56,7 @@ jobs:
 
       - name: Add comment
         if: ${{ hashFiles( env.CI_COMMENT_FILE ) != '' }}
-        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 #v2.9.4
+        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 #v3.0.2
         with:
           header: ${{ env.COMMENT_HEADER }}
           path: ${{ env.CI_COMMENT_FILE }}

.github/workflows/release.yaml

@@ -150,13 +150,13 @@ jobs:
         uses: ./.github/actions/bootstrap
 
       - name: Login to Docker Hub
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  #v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  #v4.0.0
         with:
           username: ${{ secrets.ANCHOREOSSWRITE_DH_USERNAME }}
           password: ${{ secrets.ANCHOREOSSWRITE_DH_PAT }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  #v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  #v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -186,14 +186,14 @@ jobs:
           # for updating brew formula in anchore/homebrew-syft
           GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }}
 
-      - uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad #v0.22.2
+      - uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 #v0.23.0
         continue-on-error: true
         with:
           file: go.mod
           artifact-name: sbom.spdx.json
 
       - name: Notify Slack of new release
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a #v2.1.1
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 #v3.0.1
         continue-on-error: true
         with:
           webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}

.github/workflows/update-anchore-dependencies.yml

@@ -31,7 +31,7 @@ jobs:
         with:
           repos: ${{ github.event.inputs.repos }}
 
-      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
+      - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 #v3.0.0
         id: generate-token
         with:
           app-id: ${{ secrets.TOKEN_APP_ID }}

.github/workflows/update-bootstrap-tools.yml

@@ -45,7 +45,7 @@ jobs:
             echo "\`\`\`"
           } >> $GITHUB_STEP_SUMMARY
 
-      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
+      - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 #v3.0.0
         id: generate-token
         with:
           app-id: ${{ secrets.TOKEN_APP_ID }}

.github/workflows/update-cpe-dictionary-index.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Push updated CPE cache to registry
         run: make generate:cpe-index:cache:push
 
-      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
+      - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 #v3.0.0
         id: generate-token
         with:
           app-id: ${{ secrets.TOKEN_APP_ID }}
@@ -65,7 +65,7 @@ jobs:
           token: ${{ steps.generate-token.outputs.token }}
 
       - name: Notify Slack on failure
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a #v2.1.1
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 #v3.0.1
         with:
           webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
           webhook-type: incoming-webhook

.github/workflows/update-spdx-license-list.yaml

@@ -45,7 +45,7 @@ jobs:
           token: ${{ steps.generate-token.outputs.token }}
 
       - name: Notify Slack on failure
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a #v2.1.1
+        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 #v3.0.1
         with:
           webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
           webhook-type: incoming-webhook

.github/workflows/validations.yaml

@@ -58,6 +58,9 @@ jobs:
       - name: Run unit tests
         run: make unit
 
+      - name: Check for capability drift
+        run: make check-capability-drift
+
   Integration-Test:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Integration tests"
@@ -106,7 +109,7 @@ jobs:
         run: make snapshot-smoke-test
 
       - name: Upload snapshot artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f #v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
         with:
           name: snapshot
           path: snapshot/
@@ -131,7 +134,7 @@ jobs:
           download-test-fixture-cache: true
 
       - name: Download snapshot artifacts
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 #v8.0.0
         with:
           name: snapshot
           path: snapshot
@@ -175,7 +178,7 @@ jobs:
           download-test-fixture-cache: true
 
       - name: Download snapshot artifacts
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 #v8.0.0
         with:
           name: snapshot
           path: snapshot
@@ -208,7 +211,7 @@ jobs:
           download-test-fixture-cache: true
 
       - name: Download snapshot artifacts
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 #v7.0.0
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 #v8.0.0
         with:
           name: snapshot
           path: snapshot

.gitignore

@@ -37,6 +37,7 @@ VERSION
 coverage.txt
 *.log
 **/test-fixtures/test-observations.json
+**/testdata/test-observations.json
 
 # probable archives
 .images

SECURITY.md

@@ -14,3 +14,23 @@ affected versions, and, if known, mitigations for the issue.
 All support will be made on a best effort basis, so please indicate the "urgency level" of the vulnerability as Critical, High, Medium or Low.
 
 For more details, see our [security policy documentation](https://oss.anchore.com/docs/contributing/security/).
+
+## Trust Boundary
+
+Syft is a tool to scan content and product an SBOM. Syft is not a tool designed to scan malicious content. Detecting and properly reporting on purposely malicious artifacts is outside the scope of Syft's expected operating environment.
+
+There are many possible ways for malicious content to cause Syft to become confused or fail to include results in an SBOM. We do not consider this to be a security vulnerability.
+
+**Examples**
+- Removing or altering a package lock file
+- Removing or altering an RPM or DEB database
+- A malicious archive that Syft will skip but the runtime may not
+- Self modifying systems that change state when running
+
+We consider the security trust boundary for Syft to be anything that causes problems for the overall system running Syft, or Syft operating in a way that is dangerous to itself, the system, or the operator.
+
+**Examples**
+- Filling up temp space permanently
+- Syft executing arbitrary code when scanning an artifact
+- Syft leaking secrets from the environment or configuration files into logs or SBOMs
+- Syft operating outside of the expected artifact or directory (directory traversal)

Taskfile.yaml

@@ -8,7 +8,9 @@ vars:
   OWNER: anchore
   PROJECT: syft
 
-  CACHE_IMAGE: ghcr.io/{{ .OWNER }}/{{ .PROJECT }}/test-fixture-cache:latest
+  # v1: when fixtures were located at test-fixtures dirs
+  # v2: migration to testdata dirs
+  CACHE_IMAGE: ghcr.io/{{ .OWNER }}/{{ .PROJECT }}/test-fixture-cache:v2
 
   # static file dirs
   TOOL_DIR: .tool
@@ -73,7 +75,6 @@ tasks:
       - task: check-licenses
       - task: lint
       - task: check-json-schema-drift
-      - task: check-capability-drift
       - task: check-binary-fixture-size
 
   test:
@@ -199,7 +200,7 @@ tasks:
   check-binary-fixture-size:
     desc: Ensure that the binary test fixtures are not too large
     cmds:
-      - .github/scripts/check_binary_fixture_size.sh syft/pkg/cataloger/binary/test-fixtures/classifiers/snippets
+      - .github/scripts/check_binary_fixture_size.sh syft/pkg/cataloger/binary/testdata/classifiers/snippets
 
 
   ## Testing tasks #################################
@@ -266,9 +267,9 @@ tasks:
   fingerprints:
     desc: Generate fingerprints for all non-docker test fixture
     silent: true
-    # this will look for `test-fixtures/Makefile` and invoke the `fingerprint` target to calculate all cache input fingerprint files
+    # this will look for `testdata/Makefile` and invoke the `fingerprint` target to calculate all cache input fingerprint files
     generates:
-      - '**/test-fixtures/**/*.fingerprint'
+      - '**/testdata/**/*.fingerprint'
       - test/install/cache.fingerprint
     cmds:
       - |
@@ -277,7 +278,7 @@ tasks:
         RESET='\033[0m'
 
         echo -e "${YELLOW}creating fingerprint files for non-docker fixtures...${RESET}"
-        for dir in $(find . -type d -name 'test-fixtures'); do
+        for dir in $(find . -type d -name 'testdata'); do
           if [ -f "$dir/Makefile" ]; then
             # for debugging...
             #echo -e "${YELLOW}• calculating fingerprints in $dir... ${RESET}"
@@ -370,7 +371,7 @@ tasks:
   build-fixtures:
     desc: Generate all non-docker test fixtures
     silent: true
-    # this will look for `test-fixtures/Makefile` and invoke the `fixtures` target to generate any and all test fixtures
+    # this will look for `testdata/Makefile` and invoke the `fixtures` target to generate any and all test fixtures
     cmds:
       - |
         # we want to stop on the first build error
@@ -381,7 +382,7 @@ tasks:
         RESET='\033[0m'
 
         # Use a for loop with command substitution to avoid subshell issues
-        for dir in $(find . -type d -name 'test-fixtures'); do
+        for dir in $(find . -type d -name 'testdata'); do
           if [ -f "$dir/Makefile" ]; then
             echo -e "${YELLOW}${BOLD}generating fixtures in $dir${RESET}"
             make -C "$dir" fixtures
@@ -435,7 +436,7 @@ tasks:
       - "echo 'Docker daemon cache:'"
       - "docker images --format '{{`{{.ID}}`}} {{`{{.Repository}}`}}:{{`{{.Tag}}`}}' | grep stereoscope-fixture- | sort"
       - "echo '\nTar cache:'"
-      - 'find . -type f -wholename "**/test-fixtures/cache/stereoscope-fixture-*.tar" | sort'
+      - 'find . -type f -wholename "**/testdata/cache/stereoscope-fixture-*.tar" | sort'
 
   check-docker-cache:
     desc: Ensure docker caches aren't using too much disk space
@@ -469,7 +470,7 @@ tasks:
       - "cd test/install && make ci-test-mac"
 
   generate-compare-file:
-    cmd: "go run ./cmd/syft {{ .COMPARE_TEST_IMAGE }} -o json > {{ .COMPARE_DIR }}/test-fixtures/acceptance-{{ .COMPARE_TEST_IMAGE }}.json"
+    cmd: "go run ./cmd/syft {{ .COMPARE_TEST_IMAGE }} -o json > {{ .COMPARE_DIR }}/testdata/acceptance-{{ .COMPARE_TEST_IMAGE }}.json"
 
   compare-mac:
     deps: [tmpdir]
@@ -537,11 +538,16 @@ tasks:
     deps:
       - tmpdir
       - fixtures
+    vars:
+      # set REFRESH=true to run package tests first and refresh test observations (default: true)
+      REFRESH: '{{ .REFRESH | default "true" }}'
     cmds:
       # remove all test observations prior to regenerating
       - task: clean-test-observations
+        if: '{{ eq .REFRESH "true" }}'
       # this is required to update test observations; such evidence is used to update the packages/*.yaml
-      - "go test ./syft/pkg/... -count=1"
+      - cmd: "go test ./syft/pkg/... -count=1"
+        if: '{{ eq .REFRESH "true" }}'
       - "go generate ./internal/capabilities/..."
       - "gofmt -s -w ./internal/capabilities"
       # now that we have the latest capabilities, run completeness tests to ensure this is self-consistent
@@ -639,6 +645,15 @@ tasks:
 
   ## Cleanup targets #################################
 
+  clean:
+    desc: Remove all cache files and old builds
+    cmds:
+      - task: clean-snapshot
+      - task: clean-cache
+      - task: clean-test-observations
+      - task: clean-docker-cache
+      - task: clean-oras-cache
+
   clean-snapshot:
     desc: Remove any snapshot builds
     cmds:
@@ -648,7 +663,7 @@ tasks:
   clean-docker-cache:
     desc: Remove all docker cache tars and images from the daemon
     cmds:
-      - find . -type d -wholename "**/test-fixtures/cache" | xargs rm -rf
+      - find . -type d -wholename "**/testdata/cache" | xargs rm -rf
       - docker images --format '{{`{{.ID}}`}} {{`{{.Repository}}`}}' | grep stereoscope-fixture- | awk '{print $1}' | uniq | xargs -r docker rmi --force
 
   clean-oras-cache:
@@ -665,7 +680,7 @@ tasks:
         RESET='\033[0m'
 
         # Use a for loop with command substitution to avoid subshell issues
-        for dir in $(find . -type d -name 'test-fixtures'); do
+        for dir in $(find . -type d -name 'testdata'); do
         if [ -f "$dir/Makefile" ]; then
           echo -e "${YELLOW}${BOLD}deleting ephemeral test fixtures in $dir${RESET}"
           (make -C "$dir" clean)
@@ -675,6 +690,6 @@ tasks:
       - rm -f {{ .LAST_CACHE_PULL_FILE }} {{ .CACHE_PATHS_FILE }}
 
   clean-test-observations:
-    desc: Remove all test observations (i.e. test-fixtures/test-observations.json)
+    desc: Remove all test observations (i.e. testdata/test-observations.json)
     cmds:
-      - find . -type f -wholename "**/test-fixtures/test-observations.json" | xargs rm -f
+      - find . -type f -wholename "**/testdata/test-observations.json" | xargs rm -f

cmd/syft/cli/ui/handle_attestation.go

@@ -219,7 +219,7 @@ func (l attestLogFrame) View() string {
 	sb := strings.Builder{}
 
 	for _, line := range l.lines {
-		sb.WriteString(fmt.Sprintf("     %s %s\n", l.borderStype.Render("░░"), line))
+		fmt.Fprintf(&sb, "     %s %s\n", l.borderStype.Render("░░"), line)
 	}
 
 	return sb.String()

cmd/syft/internal/clio_setup_config.go

@@ -49,7 +49,7 @@ func AppClioSetupConfig(id clio.Identification, out io.Writer) *clio.SetupConfig
 			},
 		).
 		WithPostRuns(func(_ *clio.State, _ error) {
-			stereoscope.Cleanup()
+			stereoscope.Cleanup() //nolint:staticcheck // we don't have access to the image object here
 		})
 	return clioCfg
 }

cmd/syft/internal/commands/scan_test.go

@@ -19,30 +19,30 @@ func Test_scanOptions_validateLegacyOptionsNotUsed(t *testing.T) {
 		},
 		{
 			name: "config file with no legacy options",
-			cfg:  "test-fixtures/scan-configs/no-legacy-options.yaml",
+			cfg:  "testdata/scan-configs/no-legacy-options.yaml",
 		},
 		{
 			name:    "config file with default image pull source legacy option",
-			cfg:     "test-fixtures/scan-configs/with-default-pull-source.yaml",
+			cfg:     "testdata/scan-configs/with-default-pull-source.yaml",
 			wantErr: assertErrorContains("source.image.default-pull-source"),
 		},
 		{
 			name:    "config file with exclude-binary-overlap-by-ownership legacy option",
-			cfg:     "test-fixtures/scan-configs/with-exclude-binary-overlap-by-ownership.yaml",
+			cfg:     "testdata/scan-configs/with-exclude-binary-overlap-by-ownership.yaml",
 			wantErr: assertErrorContains("package.exclude-binary-overlap-by-ownership"),
 		},
 		{
 			name:    "config file with file string legacy option",
-			cfg:     "test-fixtures/scan-configs/with-file-string.yaml",
+			cfg:     "testdata/scan-configs/with-file-string.yaml",
 			wantErr: assertErrorContains("outputs"),
 		},
 		{
 			name: "config file with file section",
-			cfg:  "test-fixtures/scan-configs/with-file-section.yaml",
+			cfg:  "testdata/scan-configs/with-file-section.yaml",
 		},
 		{
 			name:    "config file with base-path legacy option",
-			cfg:     "test-fixtures/scan-configs/with-base-path.yaml",
+			cfg:     "testdata/scan-configs/with-base-path.yaml",
 			wantErr: assertErrorContains("source.base-path"),
 		},
 	}

cmd/syft/internal/commands/update.go

@@ -107,7 +107,7 @@ func fetchLatestApplicationVersion(id clio.Identification) (*hashiVersion.Versio
 		return nil, fmt.Errorf("HTTP %d on fetching latest version: %s", resp.StatusCode, resp.Status)
 	}
 
-	versionBytes, err := io.ReadAll(resp.Body)
+	versionBytes, err := io.ReadAll(io.LimitReader(resp.Body, 500))
 	if err != nil {
 		return nil, fmt.Errorf("failed to read latest version: %w", err)
 	}

cmd/syft/internal/options/writer.go

@@ -122,7 +122,7 @@ func formatVersionOptions(nameVersionPairs []string) string {
 	for _, name := range sortedAvailableFormats {
 		s.WriteString("\n")
 
-		s.WriteString(fmt.Sprintf("   - %s", name))
+		fmt.Fprintf(&s, "   - %s", name)
 
 		if len(availableVersions[name]) > 0 {
 			s.WriteString(" @ ")

cmd/syft/internal/test/integration/catalog_packages_test.go

@@ -125,7 +125,7 @@ func TestPkgCoverageImage(t *testing.T) {
 }
 
 func TestPkgCoverageDirectory(t *testing.T) {
-	sbom, _ := catalogDirectory(t, "test-fixtures/image-pkg-coverage")
+	sbom, _ := catalogDirectory(t, "testdata/image-pkg-coverage")
 
 	observedLanguages := strset.New()
 	definedLanguages := strset.New()
@@ -261,7 +261,7 @@ func TestPkgCoverageImage_HasEvidence(t *testing.T) {
 }
 
 func TestPkgCoverageDirectory_HasEvidence(t *testing.T) {
-	sbom, _ := catalogDirectory(t, "test-fixtures/image-pkg-coverage")
+	sbom, _ := catalogDirectory(t, "testdata/image-pkg-coverage")
 
 	var cases []testCase
 	cases = append(cases, commonTestCases...)

cmd/syft/internal/test/integration/files_test.go

@@ -22,7 +22,7 @@ import (
 func TestFileCataloging_Default(t *testing.T) {
 	cfg := options.DefaultCatalog().ToSBOMConfig(clio.Identification{})
 	cfg = cfg.WithFilesConfig(filecataloging.DefaultConfig())
-	sbom, _ := catalogDirectoryWithConfig(t, "test-fixtures/files", cfg)
+	sbom, _ := catalogDirectoryWithConfig(t, "testdata/files", cfg)
 
 	var metadata map[file.Coordinates]file.Metadata
 
@@ -48,13 +48,13 @@ func TestFileCataloging_AllFiles(t *testing.T) {
 			SkipFilesAboveSize: 30,
 		},
 	})
-	sbom, _ := catalogDirectoryWithConfig(t, "test-fixtures/files", cfg)
+	sbom, _ := catalogDirectoryWithConfig(t, "testdata/files", cfg)
 
 	pwd, err := os.Getwd()
 	require.NoError(t, err)
 
 	testPath := func(path string) string {
-		return filepath.Join(pwd, "test-fixtures/files", path)
+		return filepath.Join(pwd, "testdata/files", path)
 	}
 
 	metadata := map[file.Coordinates]file.Metadata{

cmd/syft/internal/test/integration/node_packages_test.go

@@ -11,7 +11,7 @@ import (
 )
 
 func TestNpmPackageLockDirectory(t *testing.T) {
-	sbom, _ := catalogDirectory(t, "test-fixtures/npm-lock")
+	sbom, _ := catalogDirectory(t, "testdata/npm-lock")
 
 	foundPackages := strset.New()
 
@@ -32,7 +32,7 @@ func TestNpmPackageLockDirectory(t *testing.T) {
 }
 
 func TestYarnPackageLockDirectory(t *testing.T) {
-	sbom, _ := catalogDirectory(t, "test-fixtures/yarn-lock")
+	sbom, _ := catalogDirectory(t, "testdata/yarn-lock")
 
 	foundPackages := strset.New()
 	// merge-objects and should-type are devDependencies in package.json and are excluded by default

cmd/syft/internal/test/integration/package_binary_elf_relationships_test.go

@@ -26,7 +26,7 @@ func TestBinaryElfRelationships(t *testing.T) {
 	}
 
 	// run the test...
-	sbom, _ := catalogFixtureImage(t, "elf-test-fixtures", source.SquashedScope)
+	sbom, _ := catalogFixtureImage(t, "elf-testdata", source.SquashedScope)
 
 	// get a mapping of package names to their IDs
 	nameToId := map[string]artifact.ID{}

cmd/syft/internal/test/integration/package_cataloger_convention_test.go

@@ -278,7 +278,7 @@ func packageCatalogerExports(t *testing.T) map[string]exportTokenSet {
 		if info.IsDir() ||
 			!strings.HasSuffix(info.Name(), ".go") ||
 			strings.HasSuffix(info.Name(), "_test.go") ||
-			strings.Contains(path, "test-fixtures") ||
+			strings.Contains(path, "testdata") ||
 			strings.Contains(path, "internal") {
 			return nil
 		}

cmd/syft/internal/test/integration/test-fixtures/elf-test-fixtures

@@ -1 +0,0 @@
-../../../../../../syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures

cmd/syft/internal/test/integration/test-fixtures/image-pkg-coverage/pkgs/java/generate-fixtures.md

@@ -1 +0,0 @@
-See the syft/cataloger/java/test-fixtures/java-builds dir to generate test fixtures and copy to here manually.

cmd/syft/internal/test/integration/testdata/.gitignore

@@ -1,5 +1,5 @@
 # we should strive to not commit blobs to the repo and strive to keep the build process of how blobs are acquired in-repo.
-# this blob is generated from syft/syft/catalogers/java/test-fixtures/java-builds , however, preserving the build process
+# this blob is generated from syft/syft/catalogers/java/testdata/java-builds , however, preserving the build process
 # twice in the repo seems redundant (even via symlink). Given that the fixture is a few kilobytes in size, the build process is already
 # captured, and integration tests should only be testing if jars can be discovered (not necessarily depth in java detection
 # functionality), committing it seems like an acceptable exception.

cmd/syft/internal/test/integration/testdata/elf-testdata

@@ -0,0 +1 @@
+../../../../../../syft/pkg/cataloger/binary/testdata/elf-testdata

cmd/syft/internal/test/integration/testdata/image-pkg-coverage/pkgs/java/generate-fixtures.md

@@ -0,0 +1 @@
+See the syft/cataloger/java/testdata/java-builds dir to generate test fixtures and copy to here manually.