feat: add support for Bun lockfile (#4625)

---------
Signed-off-by: Yoonho Hann <hnnynh125@gmail.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

.binny.yaml

@@ -1,67 +1,10 @@
 # only pull in version updates that were released more than a week ago (low-pass filter for quickly-retracted releases)
 cooldown: 7d
-
+# Most tools (binny, chronicle, cosign, golangci-lint, goreleaser, gosimports,
+# bouncer, quill, syft, task, gh) are inherited from anchore/go-make's embedded
+# .binny.yaml — see https://github.com/anchore/go-make. Only syft-specific tools
+# or version overrides should live here.
 tools:
-  ## internal tools ############################################################################
-
-  # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
-  - name: binny
-    version:
-      want: v0.13.0
-    method: github-release
-    with:
-      repo: anchore/binny
-
-  # used to produce SBOMs during release
-  - name: syft
-    version:
-      want: v1.42.3
-    method: github-release
-    with:
-      repo: anchore/syft
-
-  # used to sign mac binaries at release
-  - name: quill
-    version:
-      want: v0.7.1
-    method: github-release
-    with:
-      repo: anchore/quill
-
-  # used at release to generate the changelog
-  - name: chronicle
-    version:
-      want: v0.8.0
-    method: github-release
-    with:
-      repo: anchore/chronicle
-
-  ## external tools ############################################################################
-
-  # used for linting
-  - name: golangci-lint
-    version:
-      want: v2.11.4
-    method: github-release
-    with:
-      repo: golangci/golangci-lint
-
-  # used for showing the changelog at release
-  - name: glow
-    version:
-      want: v2.1.1
-    method: github-release
-    with:
-      repo: charmbracelet/glow
-
-  # used for signing the checksums file at release
-  - name: cosign
-    version:
-      want: v3.0.5
-    method: github-release
-    with:
-      repo: sigstore/cosign
-
   # used in integration tests to verify JSON schemas
   - name: yajsv
     version:
@@ -70,58 +13,18 @@ tools:
     with:
       repo: neilpa/yajsv
 
-  # used to release all artifacts
-  - name: goreleaser
-    version:
-      want: v2.15.2
-    method: github-release
-    with:
-      repo: goreleaser/goreleaser
-
-  # used for organizing imports during static analysis
-  - name: gosimports
-    version:
-      want: v0.3.8
-    method: github-release
-    with:
-      repo: rinchsan/gosimports
-
-  # used during static analysis for license compliance
-  - name: bouncer
-    version:
-      want: v0.4.0
-    method: github-release
-    with:
-      repo: wagoodman/go-bouncer
-
-  # used for running all local and CI tasks
-  - name: task
-    version:
-      want: v3.49.1
-    method: github-release
-    with:
-      repo: go-task/task
-
-  # used for triggering a release
-  - name: gh
-    version:
-      want: v2.89.0
-    method: github-release
-    with:
-      repo: cli/cli
-
   # used to upload test fixture cache
   - name: oras
     version:
-      want: v1.3.1
+      want: v1.3.2
     method: github-release
     with:
       repo: oras-project/oras
 
-  # used to upload test fixture cache
+  # used to parse JSON/YAML annotations on the fixture cache image
   - name: yq
     version:
-      want: v4.52.5
+      want: v4.53.2
     method: github-release
     with:
       repo: mikefarah/yq

.github/actions/bootstrap/action.yaml

@@ -1,55 +1,45 @@
 name: "Bootstrap"
-description: "Bootstrap all tools and dependencies"
+description: "Bootstrap all syft tools and dependencies on top of go-make's setup action"
+
+# This action is a thin wrapper around anchore/go-make/.github/actions/setup which
+# already handles checkout, setup-go, restore-only build/mod cache, and tool cache.
+# We add the syft-specific extras here: apt packages and the test fixture cache.
+
 inputs:
   go-version:
-    description: "Go version to install"
+    description: "Go version to install (passed to go-make/setup)"
     required: true
     default: "1.26.2"
-  go-dependencies:
-    description: "Download go dependencies"
+  cache-key-prefix:
+    description: "Prefix all cache keys with this value (passed to go-make/setup)"
+    required: true
+    default: "v1"
+  cache-enabled:
+    description: "Enable build/mod and tool caching (passed to go-make/setup)"
     required: true
     default: "true"
-  cache-key-prefix:
-    description: "Prefix all cache keys with this value"
-    required: true
-    default: "53ac821810"
   download-test-fixture-cache:
     description: "Download test fixture cache from OCI and github actions"
     required: true
     default: "false"
-  tools:
-    description: "whether to install tools"
-    default: "true"
   bootstrap-apt-packages:
     description: "Space delimited list of tools to install via apt"
     default: "libxml2-utils"
+
 runs:
   using: "composite"
   steps:
-    # note: go mod and build is automatically cached on default with v4+
-    - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-      if: inputs.go-version != ''
+    - name: Setup go + go-make tooling
+      uses: anchore/go-make/.github/actions/setup@9de27be11ed73e2f9d5406a836a492b7d8aa1225 # v0.5.0
       with:
         go-version: ${{ inputs.go-version }}
-        check-latest: true
-    - name: Restore tool cache
-      if: inputs.tools == 'true'
-      id: tool-cache
-      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
-      with:
-        path: ${{ github.workspace }}/.tool
-        key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('.binny.yaml') }}
-    - name: Install project tools
+        cache-key-prefix: ${{ inputs.cache-key-prefix }}
+        cache-enabled: ${{ inputs.cache-enabled }}
+
+    - name: Install binny-managed tools
       shell: bash
-      if: inputs.tools == 'true'
-      run: |
-        make tools
-        .tool/binny list
-        .tool/binny check
-    - name: Install go dependencies
-      if: inputs.go-dependencies == 'true'
-      shell: bash
-      run: make ci-bootstrap-go
+      run: make binny:install
+
     - name: Install apt packages
       if: inputs.bootstrap-apt-packages != ''
       shell: bash
@@ -58,12 +48,23 @@ runs:
       run: |
         IFS=' ' read -ra packages <<< "$APT_PACKAGES"
         DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y "${packages[@]}"
+
+    # ORAS cache: restore-only on non-default branches / forks
     - name: Restore ORAS cache from github actions
-      if: inputs.download-test-fixture-cache == 'true'
-      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      if: ${{ inputs.download-test-fixture-cache == 'true' && (github.ref != format('refs/heads/{0}', github.event.repository.default_branch) || github.event.repository.fork == true) }}
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: ${{ github.workspace }}/.tmp/oras-cache
         key: ${{ inputs.cache-key-prefix }}-oras-cache
+
+    # ORAS cache: restore + save on the default branch of the canonical repo only.
+    - name: Restore and save ORAS cache from github actions
+      if: ${{ inputs.download-test-fixture-cache == 'true' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && github.event.repository.fork == false }}
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      with:
+        path: ${{ github.workspace }}/.tmp/oras-cache
+        key: ${{ inputs.cache-key-prefix }}-oras-cache
+
     - name: Download test fixture cache
       if: inputs.download-test-fixture-cache == 'true'
       shell: bash

.github/dependabot.yml

@@ -14,7 +14,9 @@ version: 2
 updates:
 
   - package-ecosystem: gomod
-    directory: "/"
+    directories:
+      - "/"
+      - "/.make"
     cooldown:
       default-days: 7
     schedule:

.github/scripts/ci-check.sh

@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-
-red=$(tput setaf 1)
-bold=$(tput bold)
-normal=$(tput sgr0)
-
-# assert we are running in CI (or die!)
-if [[ -z "$CI" ]]; then
-    echo "${bold}${red}This step should ONLY be run in CI. Exiting...${normal}"
-    exit 1
-fi

.github/scripts/coverage.py

@@ -1,36 +0,0 @@
-#!/usr/bin/env python3
-import subprocess
-import sys
-import shlex
-
-
-class bcolors:
-    HEADER = '\033[95m'
-    OKBLUE = '\033[94m'
-    OKCYAN = '\033[96m'
-    OKGREEN = '\033[92m'
-    WARNING = '\033[93m'
-    FAIL = '\033[91m'
-    ENDC = '\033[0m'
-    BOLD = '\033[1m'
-    UNDERLINE = '\033[4m'
-
-
-if len(sys.argv) < 3:
-    print("Usage: coverage.py [threshold] [go-coverage-report]")
-    sys.exit(1)
-
-
-threshold = float(sys.argv[1])
-report = sys.argv[2]
-
-
-args = shlex.split(f"go tool cover -func {report}")
-p = subprocess.run(args, capture_output=True, text=True)
-
-percent_coverage = float(p.stdout.splitlines()[-1].split()[-1].replace("%", ""))
-print(f"{bcolors.BOLD}Coverage: {percent_coverage}%{bcolors.ENDC}")
-
-if percent_coverage < threshold:
-    print(f"{bcolors.BOLD}{bcolors.FAIL}Coverage below threshold of {threshold}%{bcolors.ENDC}")
-    sys.exit(1)

.github/scripts/find_cache_paths.py

@@ -1,35 +1,45 @@
 #!/usr/bin/env python3
 from __future__ import annotations
 
-import os
 import glob
-import sys
-import json
 import hashlib
-
+import json
+import os
+import sys
 
 IGNORED_PREFIXES = []
 
 
 def find_fingerprints_and_check_dirs(base_dir):
-    all_fingerprints = set(glob.glob(os.path.join(base_dir, '**', 'test*', '**', '*.fingerprint'), recursive=True))
+    all_fingerprints = set(
+        glob.glob(
+            os.path.join(base_dir, "**", "test*", "**", "*.fingerprint"), recursive=True
+        )
+    )
 
-    all_fingerprints = {os.path.relpath(fp) for fp in all_fingerprints
-                        if not any(fp.startswith(prefix) for prefix in IGNORED_PREFIXES)}
+    all_fingerprints = {
+        os.path.relpath(fp)
+        for fp in all_fingerprints
+        if not any(fp.startswith(prefix) for prefix in IGNORED_PREFIXES)
+    }
 
     if not all_fingerprints:
         show("No .fingerprint files or cache directories found.")
         exit(1)
 
-    missing_content = []
+    orphan_fingerprints = []
+    empty_content = []
     valid_paths = set()
     fingerprint_contents = []
 
     for fingerprint in all_fingerprints:
-        path = fingerprint.replace('.fingerprint', '')
+        path = fingerprint.replace(".fingerprint", "")
 
         if not os.path.exists(path):
-            missing_content.append(path)
+            # paired content path is entirely missing — the .fingerprint is likely
+            # leftover from a moved/deleted source (testdata trees are git-ignored,
+            # so they persist locally across rename refactors)
+            orphan_fingerprints.append(fingerprint)
             continue
 
         if not os.path.isdir(path):
@@ -39,13 +49,13 @@ def find_fingerprints_and_check_dirs(base_dir):
         if os.listdir(path):
             valid_paths.add(path)
         else:
-            missing_content.append(path)
+            empty_content.append(path)
 
-        with open(fingerprint, 'r') as f:
+        with open(fingerprint, "r") as f:
             content = f.read().strip()
             fingerprint_contents.append((fingerprint, content))
 
-    return sorted(valid_paths), missing_content, fingerprint_contents
+    return sorted(valid_paths), empty_content, orphan_fingerprints, fingerprint_contents
 
 
 def parse_fingerprint_contents(fingerprint_content):
@@ -59,7 +69,9 @@ def parse_fingerprint_contents(fingerprint_content):
 def calculate_sha256(fingerprint_contents):
     sorted_fingerprint_contents = sorted(fingerprint_contents, key=lambda x: x[0])
 
-    concatenated_contents = ''.join(content for _, content in sorted_fingerprint_contents)
+    concatenated_contents = "".join(
+        content for _, content in sorted_fingerprint_contents
+    )
 
     sha256_hash = hashlib.sha256(concatenated_contents.encode()).hexdigest()
 
@@ -68,7 +80,7 @@ def calculate_sha256(fingerprint_contents):
 
 def calculate_file_sha256(file_path):
     sha256_hash = hashlib.sha256()
-    with open(file_path, 'rb') as f:
+    with open(file_path, "rb") as f:
         for byte_block in iter(lambda: f.read(4096), b""):
             sha256_hash.update(byte_block)
     return sha256_hash.hexdigest()
@@ -79,17 +91,28 @@ def show(*s: str):
 
 
 def main(file_path: str | None):
-    base_dir = '.'
-    valid_paths, missing_content, fingerprint_contents = find_fingerprints_and_check_dirs(base_dir)
+    base_dir = "."
+    valid_paths, empty_content, orphan_fingerprints, fingerprint_contents = (
+        find_fingerprints_and_check_dirs(base_dir)
+    )
 
-    if missing_content:
-        show("The following paths are missing or have no content, but have corresponding .fingerprint files:")
-        for path in sorted(missing_content):
+    if empty_content:
+        show(
+            "The following paths exist but are empty, and have corresponding .fingerprint files:"
+        )
+        for path in sorted(empty_content):
             show(f"- {path}")
         # when adding new cache directories there is a time where it is not possible to have this directory without
         # running the tests first... but this step is a prerequisite for running the tests. We should not block on this.
-        # show("Please ensure these paths exist and have content if they are directories.")
-        # exit(1)
+
+    if orphan_fingerprints:
+        show(
+            "The following .fingerprint files reference paths that no longer exist "
+            "(likely leftover from a moved/deleted cataloger — safe to delete, "
+            "or run `task prune-orphan-fingerprints`):"
+        )
+        for fp in sorted(orphan_fingerprints):
+            show(f"- {fp}")
 
     sha256_hash = calculate_sha256(fingerprint_contents)
 
@@ -101,30 +124,24 @@ def main(file_path: str | None):
                 file_digest = calculate_file_sha256(fingerprint_file)
 
                 # Parse the fingerprint file to get the digest/path tuples
-                with open(fingerprint_file, 'r') as f:
+                with open(fingerprint_file, "r") as f:
                     fingerprint_content = f.read().strip()
                     input_map = parse_fingerprint_contents(fingerprint_content)
 
-                paths_with_digests.append({
-                    "path": path,
-                    "digest": file_digest,
-                    "input": input_map
-                })
+                paths_with_digests.append(
+                    {"path": path, "digest": file_digest, "input": input_map}
+                )
 
         except Exception as e:
             show(f"Error processing {fingerprint_file}: {e}")
             raise e
 
-
-    output = {
-        "digest": sha256_hash,
-        "paths": paths_with_digests
-    }
+    output = {"digest": sha256_hash, "paths": paths_with_digests}
 
     content = json.dumps(output, indent=2, sort_keys=True)
 
     if file_path:
-        with open(file_path, 'w') as f:
+        with open(file_path, "w") as f:
             f.write(content)
 
     print(content)

.github/scripts/go-mod-tidy-check.sh

@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-set -eu
-
-ORIGINAL_STATE_DIR=$(mktemp -d "TEMP-original-state-XXXXXXXXX")
-TIDY_STATE_DIR=$(mktemp -d "TEMP-tidy-state-XXXXXXXXX")
-
-trap "cp -p ${ORIGINAL_STATE_DIR}/* ./ && git update-index -q --refresh && rm -fR ${ORIGINAL_STATE_DIR} ${TIDY_STATE_DIR}" EXIT
-
-# capturing original state of files...
-cp go.mod go.sum "${ORIGINAL_STATE_DIR}"
-
-# capturing state of go.mod and go.sum after running go mod tidy...
-go mod tidy
-cp go.mod go.sum "${TIDY_STATE_DIR}"
-
-set +e
-
-# detect difference between the git HEAD state and the go mod tidy state
-DIFF_MOD=$(diff -u "${ORIGINAL_STATE_DIR}/go.mod" "${TIDY_STATE_DIR}/go.mod")
-DIFF_SUM=$(diff -u "${ORIGINAL_STATE_DIR}/go.sum" "${TIDY_STATE_DIR}/go.sum")
-
-if [[ -n "${DIFF_MOD}" || -n "${DIFF_SUM}" ]]; then
-    echo "go.mod diff:"
-    echo "${DIFF_MOD}"
-    echo "go.sum diff:"
-    echo "${DIFF_SUM}"
-    echo ""
-    printf "FAILED! go.mod and/or go.sum are NOT tidy; please run 'go mod tidy'.\n\n"
-    exit 1
-fi

.github/scripts/prune_orphan_fingerprints.py

@@ -0,0 +1,102 @@
+#!/usr/bin/env python3
+"""
+Remove orphan *.fingerprint files left behind by moved/deleted catalogers.
+
+A fingerprint is considered orphaned when:
+  1. its paired content path (the fingerprint path with `.fingerprint` stripped)
+     does not exist, AND
+  2. the nearest ancestor `testdata/` directory has no `Makefile` claiming
+     responsibility for generating that path.
+
+The second condition is the safety check: if there is a Makefile, the
+fingerprint is "live" and might just be waiting for fixtures to be built —
+leave it alone. Without a Makefile, nothing in-repo will ever regenerate
+the content, so the fingerprint is dead weight that triggers spurious
+"missing path" warnings.
+
+Empty parent directories are also pruned after removing the fingerprint.
+
+Use --dry-run to preview without deleting.
+"""
+from __future__ import annotations
+
+import argparse
+import glob
+import os
+import sys
+
+
+def find_ancestor_testdata(path: str) -> str | None:
+    d = os.path.dirname(path)
+    while d and d not in (".", os.sep):
+        if os.path.basename(d) == "testdata":
+            return d
+        d = os.path.dirname(d)
+    return None
+
+
+def is_orphan(fingerprint: str) -> bool:
+    paired = fingerprint[: -len(".fingerprint")]
+    if os.path.exists(paired):
+        return False
+
+    testdata_dir = find_ancestor_testdata(fingerprint)
+    if testdata_dir and os.path.isfile(os.path.join(testdata_dir, "Makefile")):
+        # a Makefile exists that may regenerate this — not safe to prune
+        return False
+
+    return True
+
+
+def prune_empty_parents(start: str, stop_at: str = ".") -> list[str]:
+    removed = []
+    d = os.path.dirname(start)
+    stop_at = os.path.abspath(stop_at)
+    while d and os.path.abspath(d) != stop_at:
+        try:
+            if not os.listdir(d):
+                os.rmdir(d)
+                removed.append(d)
+                d = os.path.dirname(d)
+            else:
+                break
+        except OSError:
+            break
+    return removed
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument(
+        "--dry-run",
+        action="store_true",
+        help="Show what would be removed without deleting anything",
+    )
+    args = parser.parse_args()
+
+    all_fingerprints = glob.glob("**/test*/**/*.fingerprint", recursive=True)
+    orphans = sorted(fp for fp in all_fingerprints if is_orphan(fp))
+
+    if not orphans:
+        print("no orphan fingerprints found")
+        return 0
+
+    verb = "would remove" if args.dry_run else "removing"
+    print(f"{verb} {len(orphans)} orphan fingerprint(s):")
+    for fp in orphans:
+        print(f"- {fp}")
+        if args.dry_run:
+            continue
+        try:
+            os.remove(fp)
+        except OSError as e:
+            print(f"  ! failed to remove: {e}", file=sys.stderr)
+            continue
+        for d in prune_empty_parents(fp):
+            print(f"  (also removed empty dir {d})")
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

.github/scripts/trigger-release.sh

@@ -1,57 +0,0 @@
-#!/usr/bin/env bash
-set -eu
-
-bold=$(tput bold)
-normal=$(tput sgr0)
-
-GH_CLI=.tool/gh
-
-if ! [ -x "$(command -v $GH_CLI)" ]; then
-    echo "The GitHub CLI could not be found. run: make bootstrap"
-    exit 1
-fi
-
-$GH_CLI auth status
-
-# set the default repo in cases where multiple remotes are defined
-$GH_CLI repo set-default anchore/syft
-
-export GITHUB_TOKEN="${GITHUB_TOKEN-"$($GH_CLI auth token)"}"
-
-# we need all of the git state to determine the next version. Since tagging is done by
-# the release pipeline it is possible to not have all of the tags from previous releases.
-git fetch --tags
-
-# populates the CHANGELOG.md and VERSION files
-echo "${bold}Generating changelog...${normal}"
-make changelog 2> /dev/null
-
-NEXT_VERSION=$(cat VERSION)
-
-if [[ "$NEXT_VERSION" == "" ||  "${NEXT_VERSION}" == "(Unreleased)" ]]; then
-    echo "Could not determine the next version to release. Exiting..."
-    exit 1
-fi
-
-while true; do
-    read -p "${bold}Do you want to trigger a release for version '${NEXT_VERSION}'?${normal} [y/n] " yn
-    case $yn in
-        [Yy]* ) echo; break;;
-        [Nn]* ) echo; echo "Cancelling release..."; exit;;
-        * ) echo "Please answer yes or no.";;
-    esac
-done
-
-echo "${bold}Kicking off release for ${NEXT_VERSION}${normal}..."
-echo
-$GH_CLI workflow run release.yaml -f version=${NEXT_VERSION}
-
-echo
-echo "${bold}Waiting for release to start...${normal}"
-sleep 10
-
-set +e
-
-echo "${bold}Head to the release workflow to monitor the release:${normal} $($GH_CLI run list --workflow=release.yaml --limit=1 --json url --jq '.[].url')"
-id=$($GH_CLI run list --workflow=release.yaml --limit=1 --json databaseId --jq '.[].databaseId')
-$GH_CLI run watch $id --exit-status || (echo ; echo "${bold}Logs of failed step:${normal}" && GH_PAGER="" $GH_CLI run view $id --log-failed)

.github/workflows/codeql.yaml

@@ -1,6 +1,3 @@
-# CodeQL scans for security vulnerabilities and coding errors across all
-# languages in this repo. Results appear in the "Security" tab under
-# "Code scanning alerts" and are enforced by branch protection rules.
 name: "CodeQL"
 
 on:
@@ -8,74 +5,17 @@ on:
     branches: [ "main" ]
   pull_request:
     branches: [ "main" ]
-  # Weekly scheduled scan catches newly disclosed vulnerabilities in
-  # existing code, not just changes introduced by PRs.
   schedule:
     - cron: '38 11 * * 3'
 
+permissions: {}
+
 jobs:
   analyze:
-    name: Analyze (${{ matrix.language }})
-    runs-on: ubuntu-latest
+    name: Analyze
+    uses: anchore/workflows/.github/workflows/codeql.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
     permissions:
-      # Required to upload SARIF results to the "Security" tab.
       security-events: write
-      # Required to fetch internal or private CodeQL packs.
       packages: read
-      # Only required for workflows in private repositories.
       actions: read
       contents: read
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          # GitHub Actions workflow linting — no build needed.
-          - language: actions
-            build-mode: none
-
-          # Go uses "manual" build mode so we control exactly what gets
-          # compiled. The default "autobuild" finds the Makefile and runs
-          # the full CI pipeline (lint, test, snapshot release, etc.),
-          # which is far more work than CodeQL needs. All it requires is
-          # compiled Go source so it can build a type-resolved code graph
-          # for analysis.
-          - language: go
-            build-mode: manual
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-        with:
-          persist-credentials: false
-
-      # Pin the Go toolchain to whatever go.mod declares so CodeQL
-      # analyzes with the same version the project actually uses.
-      # Only runs for the Go matrix entry.
-      - name: Setup Go
-        if: matrix.language == 'go'
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-        with:
-          go-version-file: go.mod
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
-        with:
-          languages: ${{ matrix.language }}
-          build-mode: ${{ matrix.build-mode }}
-
-      # Minimal build for Go: compile all packages so CodeQL gets a full
-      # type-resolved code graph for analysis.
-      - name: Build (Go)
-        if: matrix.build-mode == 'manual'
-        shell: bash
-        run: go build ./...
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
-        with:
-          # The category tag lets GitHub associate SARIF results with the
-          # correct language when branch protection checks for required
-          # code scanning results.
-          category: "/language:${{matrix.language}}"

.github/workflows/dependabot-automation.yaml

@@ -1,10 +0,0 @@
-name: Dependabot Automation
-on:
-  pull_request:
-
-permissions:
-  pull-requests: write
-
-jobs:
-  run:
-    uses: anchore/workflows/.github/workflows/dependabot-automation.yaml@main

.github/workflows/detect-schema-changes.yaml

@@ -1,64 +0,0 @@
-# Note: this workflow has been disabled manually in the UI and will be replaced in short order
-
-name: "Detect schema changes"
-
-on:
-  # IMPORTANT! This workflow is triggered by the `pull_request_target` event
-  # which means that forked PRs will run with access secrets from the repo
-  # it's forked from (the "target" repo).
-  #
-  # For this reason we only NEVER checkout the code from the pull request
-  # (e.g. "ref: ${{ github.event.pull_request.head.sha }}") to prevent
-  # accidentally running potentially untrusted code.
-  #
-  # By default the checkout will be:
-  #   - GITHUB_SHA: Last commit on the PR base branch
-  #   - GITHUB_REF: PR base branch
-  #
-  # ...unlike a typical PR where:
-  #   - GITHUB_SHA: Last merge commit on the GITHUB_REF branch
-  #   - GITHUB_REF: PR merge branch refs/pull/:prNumber/merge
-  pull_request_target:
-
-env:
-  # note: this is used within hashFiles() so must be within the GITHUB_WORKSPACE path (or will silently fail)
-  CI_COMMENT_FILE: .tmp/labeler-comment.txt
-  # needs to be any string to uniquely identify the comment on a PR across multiple runs
-  COMMENT_HEADER: "label-commentary"
-
-jobs:
-  label:
-    name: "Label changes"
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-      pull-requests: write
-      issues: write
-    steps:
-
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
-        with:
-          persist-credentials: false
-          repository: anchore/syft # IMPORTANT! An additional protection that this is checking out code from the expected repository 
-          ref: main # IMPORTANT!  It is CRITICAL that this only ever considers the code from main and NEVER EVER from a fork.
-
-      - run: python .github/scripts/labeler.py
-        env:
-          # note: this token has write access to the repo
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_PR_NUMBER: ${{ github.event.number }}
-
-      - name: Delete existing comment
-        if: ${{ hashFiles( env.CI_COMMENT_FILE ) == '' }}
-        uses: marocchino/sticky-pull-request-comment@d4d6b0936434b21bc8345ad45a440c5f7d2c40ff #v3.0.3
-        with:
-          header: ${{ env.COMMENT_HEADER }}
-          hide: true
-          hide_classify: "OUTDATED"
-
-      - name: Add comment
-        if: ${{ hashFiles( env.CI_COMMENT_FILE ) != '' }}
-        uses: marocchino/sticky-pull-request-comment@d4d6b0936434b21bc8345ad45a440c5f7d2c40ff #v3.0.3
-        with:
-          header: ${{ env.COMMENT_HEADER }}
-          path: ${{ env.CI_COMMENT_FILE }}

.github/workflows/oss-project-board-add.yaml

@@ -1,18 +0,0 @@
-name: Add to OSS board
-
-permissions:
-  contents: read
-
-on:
-  issues:
-    types:
-      - opened
-      - reopened
-      - transferred
-      - labeled
-
-jobs:
-  run:
-    uses: "anchore/workflows/.github/workflows/oss-project-board-add.yaml@main"
-    secrets:
-      token: ${{ secrets.OSS_PROJECT_GH_TOKEN }}

.github/workflows/release.yaml

@@ -1,7 +1,11 @@
 name: "Release"
 
-permissions:
-  contents: read
+permissions: {}
+
+# there should never be two releases in progress at the same time
+concurrency:
+  group: release
+  cancel-in-progress: false
 
 on:
   workflow_dispatch:
@@ -19,116 +23,30 @@ on:
           - "install-script-only"
 
 jobs:
-  quality-gate:
-    environment: release
+  version-available:
     if: ${{ github.event.inputs.phase == 'all' }}
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
-        with:
-          persist-credentials: false
+    permissions:
+      contents: read # required for fetching tags
+    uses: anchore/workflows/.github/workflows/check-version-available.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
+    with:
+      version: ${{ github.event.inputs.version }}
 
-      - name: Bootstrap environment
-        uses: ./.github/actions/bootstrap
-
-      - name: Validate Apple notarization credentials
-        run: .tool/quill submission list
-        env:
-          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
-          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
-          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
-
-      - name: Check if running on main
-        if: github.ref != 'refs/heads/main'
-        # we are using the following flag when running `cosign blob-verify` for checksum signature verification:
-        #   --certificate-identity-regexp "https://github.com/anchore/.github/workflows/release.yaml@refs/heads/main"
-        # if we are not on the main branch, the signature will not be verifiable since the suffix requires the main branch
-        # at the time of when the OIDC token was issued on the Github Actions runner.
-        run: echo "This can only be run on the main branch otherwise releases produced will not be verifiable with cosign" && exit 1
-
-      - name: Check if tag already exists
-        # note: this will fail if the tag already exists
-        run: |
-          [[ "$VERSION" == v* ]] || (echo "version '$VERSION' does not have a 'v' prefix" && exit 1)
-          git tag "$VERSION"
-        env:
-          VERSION: ${{ github.event.inputs.version }}
-
-      - name: Check static analysis results
-        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
-        id: static-analysis
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
-          checkName: "Static analysis"
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
-
-      - name: Check unit test results
-        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
-        id: unit
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
-          checkName: "Unit tests"
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
-
-      - name: Check integration test results
-        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
-        id: integration
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
-          checkName: "Integration tests"
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
-
-      - name: Check acceptance test results (linux)
-        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
-        id: acceptance-linux
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
-          checkName: "Acceptance tests (Linux)"
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
-
-      - name: Check acceptance test results (mac)
-        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
-        id: acceptance-mac
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
-          checkName: "Acceptance tests (Mac)"
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
-
-      - name: Check cli test results (linux)
-        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
-        id: cli-linux
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
-          checkName: "CLI tests (Linux)"
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
-
-      - name: Quality gate
-        if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.integration.outputs.conclusion != 'success' || steps.cli-linux.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success'
-        env:
-          STATIC_ANALYSIS_STATUS: ${{ steps.static-analysis.conclusion }}
-          UNIT_TEST_STATUS: ${{ steps.unit.outputs.conclusion }}
-          INTEGRATION_TEST_STATUS: ${{ steps.integration.outputs.conclusion }}
-          ACCEPTANCE_LINUX_STATUS: ${{ steps.acceptance-linux.outputs.conclusion }}
-          ACCEPTANCE_MAC_STATUS: ${{ steps.acceptance-mac.outputs.conclusion }}
-          CLI_LINUX_STATUS: ${{ steps.cli-linux.outputs.conclusion }}
-        run: |
-          echo "Static Analysis Status: $STATIC_ANALYSIS_STATUS"
-          echo "Unit Test Status: $UNIT_TEST_STATUS"
-          echo "Integration Test Status: $INTEGRATION_TEST_STATUS"
-          echo "Acceptance Test (Linux) Status: $ACCEPTANCE_LINUX_STATUS"
-          echo "Acceptance Test (Mac) Status: $ACCEPTANCE_MAC_STATUS"
-          echo "CLI Test (Linux) Status: $CLI_LINUX_STATUS"
-          false
+  check-gate:
+    if: ${{ github.event.inputs.phase == 'all' }}
+    permissions:
+      contents: read
+      checks: read # required for getting the status of specific check names
+    uses: anchore/workflows/.github/workflows/check-gate.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
+    with:
+      # these are checks that should be run on pull-request and merges to main.
+      # we do NOT want to kick off a release if these have not been verified on main.
+      # Please see the validations.yaml workflow for the names that should be used here.
+      checks: '["Acceptance tests (Linux)", "Acceptance tests (Mac)", "Build snapshot artifacts", "CLI tests (Linux)", "Integration tests", "Static analysis", "Unit tests"]'
 
   release:
-    needs: [ quality-gate ]
+    needs: [check-gate, version-available]
     if: ${{ github.event.inputs.phase == 'all' }}
+    environment: release
     # runs-on.com: compute instances for parallel builds
     #   spot disabled: reliability for build workflows (used for releases too)
     #   goreleaser uses parallelism of 12, so we need more CPUs
@@ -136,10 +54,9 @@ jobs:
     #   tmpfs: faster io-intensive workflows
     runs-on: runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=s3-cache+tmpfs
     permissions:
-      contents: write
-      packages: write
-      # required for goreleaser signs section with cosign
-      id-token: write
+      contents: write # required for creating the GitHub release and pushing the version tag
+      packages: write # required for publishing release artifacts to GitHub packages
+      id-token: write # required for keyless signing (cosign/sigstore OIDC)
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
@@ -150,31 +67,24 @@ jobs:
         uses: ./.github/actions/bootstrap
 
       - name: Login to Docker Hub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  #v4.1.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee #v4.2.0
         with:
           username: ${{ secrets.ANCHOREOSSWRITE_DH_USERNAME }}
           password: ${{ secrets.ANCHOREOSSWRITE_DH_PAT }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  #v4.1.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee #v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Tag release
-        run: |
-          git config --global user.name "anchoreci"
-          git config --global user.email "anchoreci@users.noreply.github.com"
-          git tag -a "$VERSION" -m "Release $VERSION"
-          git push origin --tags
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          VERSION: ${{ github.event.inputs.version }}
-
       - name: Build & publish release artifacts
         run: make ci-release
         env:
+          # used for pushing tags
+          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
+          RELEASE_VERSION: ${{ github.event.inputs.version }}
           # for mac signing and notarization...
           QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }}
           QUILL_SIGN_PASSWORD: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_PASS }}
@@ -192,30 +102,12 @@ jobs:
           file: go.mod
           artifact-name: sbom.spdx.json
 
-      - name: Notify Slack of new release
-        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 #v3.0.1
-        continue-on-error: true
-        with:
-          webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
-          webhook-type: incoming-webhook
-          payload: |
-            text: "A new Syft release has been published: https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}"
-            blocks:
-              - type: section
-                text:
-                  type: mrkdwn
-                  text: |
-                    *A new Syft release has been published* :rocket:
-                    • Release: <https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}|${{ github.event.inputs.version }}>
-                    • Repo: `${{ github.repository }}`
-                    • Workflow: `${{ github.workflow }}`
-                    • Event: `${{ github.event_name }}`
-        if: ${{ success() }}
-
   release-install-script:
-    needs: [ release ]
+    needs: [release]
     if: ${{ always() && (needs.release.result == 'success' || github.event.inputs.phase == 'install-script-only') }}
-    uses: "anchore/workflows/.github/workflows/release-install-script.yaml@main"
+    permissions:
+      contents: read # required for the reusable workflow to check out the repo and publish the install script
+    uses: anchore/workflows/.github/workflows/release-install-script.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
     with:
       tag: ${{ github.event.inputs.version }}
     secrets:

.github/workflows/remove-awaiting-response-label.yaml

@@ -1,15 +0,0 @@
-name: "Manage Awaiting Response Label"
-
-on:
-  issue_comment:
-    types: [created]
-
-jobs:
-  run:
-    permissions:
-      contents: read
-      issues: write
-      pull-requests: write
-    uses: "anchore/workflows/.github/workflows/remove-awaiting-response-label.yaml@main"
-    secrets:
-      token: ${{ secrets.OSS_PROJECT_GH_TOKEN }}

.github/workflows/validate-github-actions.yaml

@@ -10,8 +10,7 @@ on:
       - '.github/workflows/**'
       - '.github/actions/**'
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   zizmor:
@@ -26,7 +25,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run zizmor"
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
         with:
           # there is a pass/fail gate as a repo ruleset (if there is no ruleset configured then the action will pass by default)
           advanced-security: true

.github/workflows/validations.yaml

@@ -13,8 +13,7 @@ on:
     branches:
       - main
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   Static-Analysis:
@@ -22,9 +21,12 @@ jobs:
     name: "Static analysis"
     # runs-on.com: memory & general purpose instances for testing
     #   spot enabled: ok to interrupt non-production workloads
-    #   s3-cache: faster actions cache
     #   tmpfs: faster io-intensive workflows
-    runs-on: &test-runner "runs-on=${{ github.run_id }}/cpu=4+8/ram=32+128/family=r5+r6+r7+r8+m4+m5+m6+m7+m8/spot=price-capacity-optimized/extras=s3-cache+tmpfs"
+    #   note: s3-cache intentionally omitted -- PR runs are untrusted and must not write to the
+    #   shared cache backend that the trusted release workflow reads from (cache poisoning).
+    runs-on: &test-runner "runs-on=${{ github.run_id }}/cpu=4+8/ram=32+128/family=r5+r6+r7+r8+m4+m5+m6+m7+m8/spot=price-capacity-optimized/extras=tmpfs"
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
@@ -45,6 +47,8 @@ jobs:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Unit tests"
     runs-on: *test-runner
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
@@ -65,6 +69,8 @@ jobs:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Integration tests"
     runs-on: *test-runner
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
@@ -86,13 +92,13 @@ jobs:
     # runs-on.com: compute instances for parallel builds
     #   spot disabled: reliability for build workflows (used for releases too)
     #   goreleaser uses parallelism of 12, so we need more CPUs
-    #   s3-cache: faster actions cache
     #   tmpfs: faster io-intensive workflows
-    runs-on: "runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=s3-cache+tmpfs"
+    #   note: s3-cache intentionally omitted -- PR runs are untrusted and must not write to the
+    #   shared cache backend that the trusted release workflow reads from (cache poisoning).
+    runs-on: "runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=tmpfs"
+    permissions:
+      contents: read
     steps:
-      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
-      - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0  # v2.1.0
-
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           persist-credentials: false
@@ -120,10 +126,9 @@ jobs:
     name: "Acceptance tests (Linux)"
     needs: [Build-Snapshot-Artifacts]
     runs-on: *test-runner
+    permissions:
+      contents: read
     steps:
-      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
-      - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0  # v2.1.0
-
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           persist-credentials: false
@@ -162,9 +167,11 @@ jobs:
     needs: [Build-Snapshot-Artifacts]
     # note: macos runners aren't supported yet for runs-on managed runners.
     runs-on: macos-latest
+    permissions:
+      contents: read
     steps:
       - name: Install Cosign
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
@@ -197,10 +204,9 @@ jobs:
     name: "CLI tests (Linux)"
     needs: [Build-Snapshot-Artifacts]
     runs-on: *test-runner
+    permissions:
+      contents: read
     steps:
-      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
-      - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0  # v2.1.0
-
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           persist-credentials: false

.gitignore

@@ -3,6 +3,8 @@ go.work
 go.work.sum
 .tool-versions
 .python-version
+.mise.toml
+.env
 
 # app configuration
 /.syft.yaml
@@ -20,6 +22,8 @@ bin/
 /generate
 /specs
 mise.toml
+.make/.make
+.conductor
 
 # changelog generation
 CHANGELOG.md
@@ -76,5 +80,3 @@ cosign.pub
 __pycache__/
 *.py[cod]
 *$py.class
-
-

.goreleaser.yaml

@@ -14,7 +14,7 @@ builds:
     dir: ./cmd/syft
     binary: syft
     goos: [linux]
-    goarch: [amd64, arm64, ppc64le, s390x]
+    goarch: [amd64, arm64, ppc64le, riscv64, s390x]
     mod_timestamp: &build-timestamp '{{ .CommitTimestamp }}'
     ldflags: &build-ldflags |
       -w
@@ -114,6 +114,20 @@ dockers:
       - "--build-arg=VCS_REF={{.FullCommit}}"
       - "--build-arg=VCS_URL={{.GitURL}}"
 
+  - image_templates:
+      - anchore/syft:{{.Tag}}-riscv64
+      - ghcr.io/anchore/syft:{{.Tag}}-riscv64
+    goarch: riscv64
+    dockerfile: Dockerfile
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/riscv64"
+      - "--build-arg=DEBIAN_VERSION=13"
+      - "--build-arg=BUILD_DATE={{.Date}}"
+      - "--build-arg=BUILD_VERSION={{.Version}}"
+      - "--build-arg=VCS_REF={{.FullCommit}}"
+      - "--build-arg=VCS_URL={{.GitURL}}"
+
   - image_templates:
       - anchore/syft:{{.Tag}}-s390x
       - ghcr.io/anchore/syft:{{.Tag}}-s390x
@@ -167,6 +181,20 @@ dockers:
       - "--build-arg=VCS_REF={{.FullCommit}}"
       - "--build-arg=VCS_URL={{.GitURL}}"
 
+  - image_templates:
+      - anchore/syft:{{.Tag}}-nonroot-riscv64
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-riscv64
+    goarch: riscv64
+    dockerfile: Dockerfile.nonroot
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/riscv64"
+      - "--build-arg=DEBIAN_VERSION=13"
+      - "--build-arg=BUILD_DATE={{.Date}}"
+      - "--build-arg=BUILD_VERSION={{.Version}}"
+      - "--build-arg=VCS_REF={{.FullCommit}}"
+      - "--build-arg=VCS_URL={{.GitURL}}"
+
   - image_templates:
       - anchore/syft:{{.Tag}}-nonroot-s390x
       - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x
@@ -220,6 +248,20 @@ dockers:
       - "--build-arg=VCS_REF={{.FullCommit}}"
       - "--build-arg=VCS_URL={{.GitURL}}"
 
+  - image_templates:
+      - anchore/syft:{{.Tag}}-debug-riscv64
+      - ghcr.io/anchore/syft:{{.Tag}}-debug-riscv64
+    goarch: riscv64
+    dockerfile: Dockerfile.debug
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/riscv64"
+      - "--build-arg=DEBIAN_VERSION=13"
+      - "--build-arg=BUILD_DATE={{.Date}}"
+      - "--build-arg=BUILD_VERSION={{.Version}}"
+      - "--build-arg=VCS_REF={{.FullCommit}}"
+      - "--build-arg=VCS_URL={{.GitURL}}"
+
   - image_templates:
       - anchore/syft:{{.Tag}}-debug-s390x
       - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x
@@ -239,6 +281,7 @@ docker_manifests:
       - anchore/syft:{{.Tag}}-amd64
       - anchore/syft:{{.Tag}}-arm64v8
       - anchore/syft:{{.Tag}}-ppc64le
+      - anchore/syft:{{.Tag}}-riscv64
       - anchore/syft:{{.Tag}}-s390x
 
   - name_template: ghcr.io/anchore/syft:latest
@@ -246,6 +289,7 @@ docker_manifests:
       - ghcr.io/anchore/syft:{{.Tag}}-amd64
       - ghcr.io/anchore/syft:{{.Tag}}-arm64v8
       - ghcr.io/anchore/syft:{{.Tag}}-ppc64le
+      - ghcr.io/anchore/syft:{{.Tag}}-riscv64
       - ghcr.io/anchore/syft:{{.Tag}}-s390x
 
   - name_template: anchore/syft:{{.Tag}}
@@ -253,6 +297,7 @@ docker_manifests:
       - anchore/syft:{{.Tag}}-amd64
       - anchore/syft:{{.Tag}}-arm64v8
       - anchore/syft:{{.Tag}}-ppc64le
+      - anchore/syft:{{.Tag}}-riscv64
       - anchore/syft:{{.Tag}}-s390x
 
   - name_template: ghcr.io/anchore/syft:{{.Tag}}
@@ -260,6 +305,7 @@ docker_manifests:
       - ghcr.io/anchore/syft:{{.Tag}}-amd64
       - ghcr.io/anchore/syft:{{.Tag}}-arm64v8
       - ghcr.io/anchore/syft:{{.Tag}}-ppc64le
+      - ghcr.io/anchore/syft:{{.Tag}}-riscv64
       - ghcr.io/anchore/syft:{{.Tag}}-s390x
 
   # nonroot images...
@@ -268,6 +314,7 @@ docker_manifests:
       - anchore/syft:{{.Tag}}-nonroot-amd64
       - anchore/syft:{{.Tag}}-nonroot-arm64v8
       - anchore/syft:{{.Tag}}-nonroot-ppc64le
+      - anchore/syft:{{.Tag}}-nonroot-riscv64
       - anchore/syft:{{.Tag}}-nonroot-s390x
 
   - name_template: ghcr.io/anchore/syft:nonroot
@@ -275,6 +322,7 @@ docker_manifests:
       - ghcr.io/anchore/syft:{{.Tag}}-nonroot-amd64
       - ghcr.io/anchore/syft:{{.Tag}}-nonroot-arm64v8
       - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-riscv64
       - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x
 
   - name_template: anchore/syft:{{.Tag}}-nonroot
@@ -282,6 +330,7 @@ docker_manifests:
       - anchore/syft:{{.Tag}}-nonroot-amd64
       - anchore/syft:{{.Tag}}-nonroot-arm64v8
       - anchore/syft:{{.Tag}}-nonroot-ppc64le
+      - anchore/syft:{{.Tag}}-nonroot-riscv64
       - anchore/syft:{{.Tag}}-nonroot-s390x
 
   - name_template: ghcr.io/anchore/syft:{{.Tag}}-nonroot
@@ -289,6 +338,7 @@ docker_manifests:
       - ghcr.io/anchore/syft:{{.Tag}}-nonroot-amd64
       - ghcr.io/anchore/syft:{{.Tag}}-nonroot-arm64v8
       - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-riscv64
       - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x
 
   # debug images...
@@ -297,6 +347,7 @@ docker_manifests:
       - anchore/syft:{{.Tag}}-debug-amd64
       - anchore/syft:{{.Tag}}-debug-arm64v8
       - anchore/syft:{{.Tag}}-debug-ppc64le
+      - anchore/syft:{{.Tag}}-debug-riscv64
       - anchore/syft:{{.Tag}}-debug-s390x
 
   - name_template: ghcr.io/anchore/syft:debug
@@ -304,6 +355,7 @@ docker_manifests:
       - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64
       - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8
       - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le
+      - ghcr.io/anchore/syft:{{.Tag}}-debug-riscv64
       - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x
 
   - name_template: anchore/syft:{{.Tag}}-debug
@@ -311,6 +363,7 @@ docker_manifests:
       - anchore/syft:{{.Tag}}-debug-amd64
       - anchore/syft:{{.Tag}}-debug-arm64v8
       - anchore/syft:{{.Tag}}-debug-ppc64le
+      - anchore/syft:{{.Tag}}-debug-riscv64
       - anchore/syft:{{.Tag}}-debug-s390x
 
   - name_template: ghcr.io/anchore/syft:{{.Tag}}-debug
@@ -318,6 +371,7 @@ docker_manifests:
       - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64
       - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8
       - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le
+      - ghcr.io/anchore/syft:{{.Tag}}-debug-riscv64
       - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x
 
 sboms:

.make/go.mod

@@ -0,0 +1,14 @@
+module github.com/anchore/syft/.make
+
+go 1.25.8
+
+require (
+	github.com/anchore/go-make v0.5.0
+	github.com/goccy/go-yaml v1.19.2
+)
+
+require (
+	github.com/bmatcuk/doublestar/v4 v4.10.0 // indirect
+	golang.org/x/mod v0.36.0 // indirect
+	golang.org/x/sys v0.44.0 // indirect
+)

.make/go.sum

@@ -0,0 +1,10 @@
+github.com/anchore/go-make v0.5.0 h1:VGlwqVhzowFb+9w/gaWUIid/YXvQZReBWKcj4LaZ3dM=
+github.com/anchore/go-make v0.5.0/go.mod h1:Nc/tkwQHW1d1Vi8+0rtS/vSrH6pxieaUQXLdrctn+8g=
+github.com/bmatcuk/doublestar/v4 v4.10.0 h1:zU9WiOla1YA122oLM6i4EXvGW62DvKZVxIe6TYWexEs=
+github.com/bmatcuk/doublestar/v4 v4.10.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
+github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
+github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
+golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=

.make/main.go

@@ -0,0 +1,209 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+
+	"github.com/goccy/go-yaml"
+
+	. "github.com/anchore/go-make"
+	"github.com/anchore/go-make/file"
+	"github.com/anchore/go-make/git"
+	"github.com/anchore/go-make/lang"
+	"github.com/anchore/go-make/run"
+	"github.com/anchore/go-make/tasks/golint"
+	"github.com/anchore/go-make/tasks/goreleaser"
+	"github.com/anchore/go-make/tasks/gotest"
+)
+
+// taskfileDescriptions maps Taskfile.yaml task names to their `desc:` field.
+// Loaded at package init so wrap() can use Taskfile.yaml as the single source
+// of truth for wrapped-task descriptions.
+var taskfileDescriptions = mustReadTaskfileDescriptions()
+
+func main() {
+	Makefile(
+		// shared anchore tasks
+		golint.Tasks(),
+		goreleaser.Tasks(),
+
+		// unit tests: exclude packages under any test/ directory (matches the syft
+		// Taskfile's prior `grep -v` against test paths). Coverage threshold of 62%
+		// preserves the prior coverage gate that used to live in scripts/coverage.py.
+		gotest.Tasks(
+			gotest.Name("unit"),
+			gotest.ExcludeGlob("**/test/**"),
+			gotest.CoverageThreshold(62),
+		),
+
+		// integration tests: native go-make Task. The race-detector smoke against a
+		// real image stays bundled here (RunsOn integration) so `make integration`
+		// behaves like the Taskfile version did.
+		gotest.Tasks(
+			gotest.Name("integration"),
+			gotest.IncludeGlob("./cmd/syft/internal/test/integration/..."),
+			gotest.Verbose(),
+			gotest.NoCoverage(),
+		),
+		Task{
+			Name:        "integration:race-smoke",
+			Description: "exercise the CLI with the race detector",
+			RunsOn:      lang.List("integration"),
+			Run: func() {
+				Run("go run -race cmd/syft/main.go anchore/test_images:grype-quality-dotnet-69f15d2")
+			},
+		},
+
+		// cli tests: native go-make Task. Requires SYFT_BINARY_LOCATION pointing at
+		// an *absolute* path to the snapshot binary. Intentionally does NOT depend
+		// on snapshot: in CI we download a pre-built snapshot artifact and re-running
+		// goreleaser here would both burn ~10m and clobber the downloaded binary.
+		// Locally, the failure message tells you to run `make snapshot` first.
+		Task{
+			Name:        "cli",
+			Description: "Run CLI tests",
+			RunsOn:      lang.List("test"),
+			Run: func() {
+				bin := snapshotBinPath()
+				if !file.Exists(bin) {
+					panic(fmt.Sprintf("snapshot binary not found at %s; run `make snapshot` first", bin))
+				}
+				Log("testing binary: %s", bin)
+				Run(
+					"go test -count=1 -timeout=15m -v ./test/cli",
+					run.Env("SYFT_BINARY_LOCATION", bin),
+				)
+			},
+		},
+
+		// default validation pipeline (replaces Taskfile `default`/`pr-validations`/`validations`).
+		Task{
+			Name:         "default",
+			Description:  "Run all validation tasks",
+			Dependencies: Deps("static-analysis", "test", "install-test"),
+		},
+
+		// --- everything below is implemented in Taskfile.yaml and surfaced here
+		// via wrap(). Descriptions come from Taskfile.yaml (single source of truth).
+
+		// static analysis extras
+		wrap("check-json-schema-drift").RunOn("static-analysis"),
+		wrap("check-capability-drift"),
+		wrap("check-binary-fixture-size").RunOn("static-analysis"),
+
+		// test extras
+		wrap("validate-cyclonedx-schema").RunOn("test"),
+		wrap("test-utils").RunOn("test"),
+		wrap("check-docker-cache").RunOn("test"),
+		wrap("snapshot-smoke-test"),
+
+		// update commands
+		wrap("update-format-golden-files"),
+
+		// fixture cache plumbing (heavy ORAS logic, lives in Taskfile).
+		// refresh-fixtures hooks into "unit" so `make unit` triggers the
+		// stale-cache detection + download just like `task unit` did on main
+		// (its `deps: [tmpdir, fixtures]` is what kept the fixture cache fresh).
+		wrap("fingerprints"),
+		wrap("refresh-fixtures").RunOn("unit"),
+		wrap("fixtures"),
+		wrap("build-fixtures"),
+		wrap("download-test-fixture-cache"),
+		wrap("upload-test-fixture-cache"),
+		wrap("show-test-image-cache"),
+
+		// install-script tests (delegates to test/install/Makefile)
+		wrap("install-test"),
+		wrap("install-test-cache-save"),
+		wrap("install-test-cache-load"),
+		wrap("install-test-ci-mac"),
+
+		// compare tests
+		wrap("generate-compare-file"),
+		wrap("compare-mac"),
+		wrap("compare-linux"),
+		wrap("compare-test-deb-package-install"),
+		wrap("compare-test-rpm-package-install"),
+
+		// code/data generation (umbrella + per-target; each lives in Taskfile)
+		wrap("generate"),
+		wrap("generate-json-schema"),
+		wrap("generate-license-list"),
+		wrap("generate-cpe-dictionary-index"),
+		wrap("generate-capabilities"),
+
+		// cleanup (each hooks into go-make's built-in `clean` label)
+		wrap("clean-snapshot").RunOn("clean"),
+		wrap("clean-docker-cache").RunOn("clean"),
+		wrap("clean-oras-cache").RunOn("clean"),
+		wrap("clean-cache").RunOn("clean"),
+		wrap("clean-test-observations").RunOn("clean"),
+	)
+}
+
+// wrap creates a go-make Task that delegates execution to `task <name>`. The
+// task's description is pulled from Taskfile.yaml's `desc:` field — descriptions
+// for wrapped tasks must always live in Taskfile.yaml, never here.
+func wrap(name string) Task {
+	desc, ok := taskfileDescriptions[name]
+	if !ok || desc == "" {
+		// loud-fail at startup so missing descs can't sneak through review.
+		panic(fmt.Sprintf("Taskfile.yaml task %q is missing a `desc:` field; please add one", name))
+	}
+	return Task{
+		Name:        name,
+		Description: desc,
+		Run:         func() { Run("task " + name) },
+	}
+}
+
+// mustReadTaskfileDescriptions parses Taskfile.yaml at the repo root and returns
+// a map of task name -> desc. Runs at package init time so wrap() can use it.
+func mustReadTaskfileDescriptions() map[string]string {
+	root := git.Root()
+	if root == "" {
+		return nil
+	}
+	path := filepath.Join(root, "Taskfile.yaml")
+	data, err := os.ReadFile(path) //nolint:gosec // G304: path resolved from git.Root()
+	if err != nil {
+		return nil
+	}
+	var tf struct {
+		Tasks map[string]struct {
+			Desc    string   `yaml:"desc"`
+			Aliases []string `yaml:"aliases"`
+		} `yaml:"tasks"`
+	}
+	lang.Throw(yaml.Unmarshal(data, &tf))
+	out := make(map[string]string, len(tf.Tasks))
+	for name, t := range tf.Tasks {
+		out[name] = t.Desc
+		// aliases inherit the canonical task's description so wrap() can find them.
+		for _, alias := range t.Aliases {
+			out[alias] = t.Desc
+		}
+	}
+	return out
+}
+
+// snapshotBinPath replicates the SNAPSHOT_BIN computation from the prior Taskfile:
+// <repoRoot>/snapshot/<os>-build_<os>_<arch>/syft, where arch maps amd64->amd64_v1
+// and arm64->arm64_v8.0 to match goreleaser's per-target output directory naming.
+// Returns an absolute path: the cli tests' getSyftBinaryLocation contract requires
+// SYFT_BINARY_LOCATION to be absolute because subtests run with cmd.Dir = t.TempDir().
+func snapshotBinPath() string {
+	osName := runtime.GOOS
+	var arch string
+	switch runtime.GOARCH {
+	case "amd64":
+		arch = "amd64_v1"
+	case "arm64":
+		arch = "arm64_v8.0"
+	default:
+		arch = runtime.GOARCH
+	}
+	return filepath.Join(RootDir(), "snapshot", osName+"-build_"+osName+"_"+arch, "syft")
+}

Dockerfile

@@ -1,4 +1,5 @@
-FROM gcr.io/distroless/static-debian12:latest AS build
+ARG DEBIAN_VERSION=12
+FROM gcr.io/distroless/static-debian${DEBIAN_VERSION}:latest AS build
 
 FROM scratch
 # needed for version check HTTPS request

Dockerfile.debug

@@ -1,4 +1,5 @@
-FROM gcr.io/distroless/static-debian12:debug-nonroot
+ARG DEBIAN_VERSION=12
+FROM gcr.io/distroless/static-debian${DEBIAN_VERSION}:debug-nonroot
 
 # create the /tmp dir, which is needed for image content cache
 WORKDIR /tmp

Dockerfile.nonroot

@@ -1,4 +1,5 @@
-FROM gcr.io/distroless/static-debian12:nonroot
+ARG DEBIAN_VERSION=12
+FROM gcr.io/distroless/static-debian${DEBIAN_VERSION}:nonroot
 
 # create the /tmp dir, which is needed for image content cache
 WORKDIR /tmp

Makefile

@@ -1,46 +1,18 @@
-OWNER = anchore
-PROJECT = syft
+# `test` and `snapshot` have matching directory names in this repo, so make would
+# refuse to run them without an explicit .PHONY (Nothing to be done for ...).
+.PHONY: test snapshot
+test:
+	@go run -C .make . test
 
-TOOL_DIR = .tool
-BINNY = $(TOOL_DIR)/binny
-TASK = $(TOOL_DIR)/task
+snapshot:
+	@go run -C .make . snapshot
 
-.DEFAULT_GOAL := make-default
+.PHONY: *
+.DEFAULT_GOAL: make-default
 
-## Bootstrapping targets #################################
+make-default:
+	@go run -C .make .
 
-# note: we need to assume that binny and task have not already been installed
-$(BINNY):
-	@mkdir -p $(TOOL_DIR)
-	@curl -sSfL https://get.anchore.io/binny | sh -s -- -b $(TOOL_DIR)
-
-# note: we need to assume that binny and task have not already been installed
-.PHONY: task
-$(TASK) task: $(BINNY)
-	@$(BINNY) install task -q
-
-.PHONY: ci-bootstrap-go
-ci-bootstrap-go:
-	go mod download
-
-# this is a bootstrapping catch-all, where if the target doesn't exist, we'll ensure the tools are installed and then try again
+.DEFAULT:
 %:
-	@make --silent $(TASK)
-	@$(TASK) $@
-
-## Shim targets #################################
-
-.PHONY: make-default
-make-default: $(TASK)
-	@# run the default task in the taskfile
-	@$(TASK)
-
-# for those of us that can't seem to kick the habit of typing `make ...` lets wrap the superior `task` tool
-TASKS := $(shell bash -c "test -f $(TASK) && NO_COLOR=1 $(TASK) -l | grep '^\* ' | cut -d' ' -f2 | tr -d ':' | tr '\n' ' '" ) $(shell bash -c "test -f $(TASK) && NO_COLOR=1 $(TASK) -l | grep 'aliases:' | cut -d ':' -f 3 | tr '\n' ' ' | tr -d ','")
-
-.PHONY: $(TASKS)
-$(TASKS): $(TASK)
-	@$(TASK) $@
-
-help: $(TASK)
-	@$(TASK) -l
+	@go run -C .make . $@

Taskfile.yaml

@@ -1,6 +1,11 @@
-
 version: "3"
 
+# NOTE: most generic tasks (static-analysis, format, lint, unit, snapshot, release,
+# changelog, ci-release, etc.) are now provided natively by anchore/go-make and
+# defined in .make/main.go. This file holds the syft-specific tasks that go-make
+# wraps via `wrap("<name>")` calls — keep descriptions (`desc:`) populated so they
+# show up in `make help`.
+
 includes:
   generate:cpe-index: ./task.d/generate/cpe-index.yaml
 
@@ -25,11 +30,7 @@ vars:
   YQ: "{{ .TOOL_DIR }}/yq"
   TASK: "{{ .TOOL_DIR }}/task"
 
-  # used for changelog generation
-  CHANGELOG: CHANGELOG.md
-  NEXT_VERSION: VERSION
-
-  # used for snapshot builds
+  # used for snapshot bin discovery in compare/install tasks
   OS:
     sh: uname -s | tr '[:upper:]' '[:lower:]'
   ARCH:
@@ -42,11 +43,6 @@ vars:
   # e.g. when installing snapshot debs from a local path, ./ forces the deb to be installed in the current working directory instead of referencing a package name
   SNAPSHOT_DIR: ./snapshot
   SNAPSHOT_BIN: "{{ .PROJECT_ROOT }}/{{ .SNAPSHOT_DIR }}/{{ .OS }}-build_{{ .OS }}_{{ .ARCH }}/{{ .PROJECT }}"
-  SNAPSHOT_CMD: "{{ .TOOL_DIR }}/goreleaser release --config {{ .TMP_DIR }}/goreleaser.yaml --clean --snapshot --skip=publish --skip=sign"
-  BUILD_CMD:    "{{ .TOOL_DIR }}/goreleaser build   --config {{ .TMP_DIR }}/goreleaser.yaml --clean --snapshot --single-target"
-  RELEASE_CMD:  "{{ .TOOL_DIR }}/goreleaser release --clean --release-notes {{ .CHANGELOG }}"
-  VERSION:
-    sh: git describe --dirty --always --tags
 
   # used for install and acceptance testing
   COMPARE_DIR: ./test/compare
@@ -57,43 +53,10 @@ env:
 
 tasks:
 
-  ## High-level tasks #################################
-
-  default:
-    desc: Run all validation tasks
-    aliases:
-      - pr-validations
-      - validations
-    cmds:
-      - task: static-analysis
-      - task: test
-      - task: install-test
-
-  static-analysis:
-    desc: Run all static analysis tasks
-    cmds:
-      - task: check-go-mod-tidy
-      - task: check-licenses
-      - task: lint
-      - task: check-json-schema-drift
-      - task: check-binary-fixture-size
-
-  test:
-    desc: Run all levels of test
-    cmds:
-      - task: unit
-      - task: integration
-      - task: validate-cyclonedx-schema
-      - task: test-utils
-      - task: snapshot
-      - task: cli
-      - task: check-docker-cache
-
-  ## Bootstrap tasks #################################
+  ## Bootstrap (internal helpers used by other Taskfile tasks) ###############
 
   binny:
     internal: true
-    # desc: Get the binny tool
     generates:
       - "{{ .TOOL_DIR }}/binny"
     status:
@@ -102,10 +65,8 @@ tasks:
     silent: true
 
   tools:
-    desc: Install all tools needed for CI and local development
+    internal: true
     deps: [binny]
-    aliases:
-      - bootstrap
     generates:
       - ".binny.yaml"
       - "{{ .TOOL_DIR }}/*"
@@ -114,79 +75,14 @@ tasks:
     cmd: "{{ .TOOL_DIR }}/binny install -v"
     silent: true
 
-  update-tools:
-    desc: Update pinned versions of all tools to their latest available versions
-    deps: [binny]
-    generates:
-      - ".binny.yaml"
-      - "{{ .TOOL_DIR }}/*"
-    cmd: "{{ .TOOL_DIR }}/binny update -v"
-    silent: true
-
-  list-tools:
-    desc: List all tools needed for CI and local development
-    deps: [binny]
-    cmd: "{{ .TOOL_DIR }}/binny list"
-    silent: true
-
-  list-tool-updates:
-    desc: List all tools that are not up to date relative to the binny config
-    deps: [binny]
-    cmd: "{{ .TOOL_DIR }}/binny list --updates"
-    silent: true
-
   tmpdir:
+    internal: true
     silent: true
     generates:
       - "{{ .TMP_DIR }}"
     cmd: "mkdir -p {{ .TMP_DIR }}"
 
-  ## Static analysis tasks #################################
-
-  format:
-    desc: Auto-format all source code
-    deps: [tools]
-    cmds:
-      - gofmt -w -s .
-      - "{{ .TOOL_DIR }}/gosimports -local github.com/anchore -w ."
-      - go mod tidy
-
-  lint-fix:
-    desc: Auto-format all source code + run golangci lint fixers
-    deps: [tools]
-    cmds:
-      - task: format
-      - "{{ .TOOL_DIR }}/golangci-lint run --tests=false --fix"
-
-  lint:
-    desc: Run gofmt + golangci lint checks
-    vars:
-      BAD_FMT_FILES:
-        sh: gofmt -l -s .
-      BAD_FILE_NAMES:
-        sh: "find . | grep -e ':' || true"
-    deps: [tools]
-    cmds:
-      # ensure there are no go fmt differences
-      - cmd: 'test -z "{{ .BAD_FMT_FILES }}" || (echo "files with gofmt issues: [{{ .BAD_FMT_FILES }}]"; exit 1)'
-        silent: true
-      # ensure there are no files with ":" in it (a known back case in the go ecosystem)
-      - cmd: 'test -z "{{ .BAD_FILE_NAMES }}" || (echo "files with bad names: [{{ .BAD_FILE_NAMES }}]"; exit 1)'
-        silent: true
-      # run linting
-      - "{{ .TOOL_DIR }}/golangci-lint run --tests=false"
-
-
-  check-licenses:
-    # desc: Ensure transitive dependencies are compliant with the current license policy
-    deps: [tools]
-    cmd: "{{ .TOOL_DIR }}/bouncer check ./..."
-
-  check-go-mod-tidy:
-    # desc: Ensure go.mod and go.sum are up to date
-    cmds:
-      - cmd: .github/scripts/go-mod-tidy-check.sh && echo "go.mod and go.sum are tidy!"
-        silent: true
+  ## Static analysis extras #################################################
 
   check-json-schema-drift:
     desc: Ensure there is no drift between the JSON schema and the code
@@ -203,8 +99,8 @@ tasks:
     cmds:
       - .github/scripts/check_binary_fixture_size.sh syft/pkg/cataloger/binary/testdata/classifiers/snippets
 
+  ## Test extras ############################################################
 
-  ## Testing tasks #################################
   update-format-golden-files:
     desc: "Update golden (i.e. snapshot) files used by unit tests"
     cmds:
@@ -214,59 +110,32 @@ tasks:
       - go test ./syft/format/cyclonedxjson -update-cyclonedx-json
       - go test ./syft/format/syftjson -update-json
 
-  unit:
-    desc: Run unit tests
-    deps:
-      - tmpdir
-      - fixtures
-    vars:
-      TEST_PKGS:
-        sh: "go list ./... | grep -v {{ .OWNER }}/{{ .PROJECT }}/test | grep -v {{ .OWNER }}/{{ .PROJECT }}/cmd/syft/internal/test | tr '\n' ' '"
-
-      # unit test coverage threshold (in % coverage)
-      COVERAGE_THRESHOLD: 62
-    cmds:
-      - task: clean-test-observations
-      - "go test -coverprofile {{ .TMP_DIR }}/unit-coverage-details.txt {{ .TEST_PKGS }}"
-      - cmd: ".github/scripts/coverage.py {{ .COVERAGE_THRESHOLD }} {{ .TMP_DIR }}/unit-coverage-details.txt"
-        silent: true
-
-  integration:
-    desc: Run integration tests
-    cmds:
-      - "go test -v ./cmd/syft/internal/test/integration"
-      # exercise most of the CLI with the data race detector
-      # we use a larger image to ensure we're using multiple catalogers at a time
-      - "go run -race cmd/syft/main.go anchore/test_images:grype-quality-dotnet-69f15d2"
-
   validate-cyclonedx-schema:
     desc: Validate that Syft produces valid CycloneDX documents
     cmds:
       - "cd schema/cyclonedx && make"
 
-  cli:
-    desc: Run CLI tests
-    deps: [tools]
-    cmds:
-      - cmd: "echo 'testing binary: {{ .SNAPSHOT_BIN }}'"
-        silent: true
-      - cmd: "test -f {{ .SNAPSHOT_BIN }} || (find {{ .SNAPSHOT_DIR }} && echo '\nno snapshot found for {{ .SNAPSHOT_BIN }}' && false)"
-        silent: true
-
-      - "go test -count=1 -timeout=15m -v ./test/cli"
-    env:
-      SYFT_BINARY_LOCATION: "{{ .SNAPSHOT_BIN }}"
-
   test-utils:
     desc: Run tests for pipeline utils
     cmds:
       - cmd: .github/scripts/labeler_test.py
 
+  snapshot-smoke-test:
+    desc: Run a smoke test on the snapshot builds + docker images
+    cmds:
+      - cmd: "echo 'testing snapshot binary: {{ .SNAPSHOT_BIN }}'"
+        silent: true
+      - cmd: "test -f {{ .SNAPSHOT_BIN }} || (find {{ .SNAPSHOT_DIR }} && echo '\nno snapshot found for {{ .SNAPSHOT_BIN }}' && false)"
+        silent: true
+      - "{{ .SNAPSHOT_BIN }} version"
+      - "{{ .SNAPSHOT_BIN }} scan alpine:latest"
+      - docker run --rm anchore/syft:latest version
+      - docker run --rm anchore/syft:latest scan alpine:latest
 
-  ## Test-fixture-related targets #################################
+  ## Test-fixture-related targets ###########################################
 
   fingerprints:
-    desc: Generate fingerprints for all non-docker test fixture
+    desc: Generate fingerprints for all non-docker test fixtures
     silent: true
     # this will look for `testdata/Makefile` and invoke the `fingerprint` target to calculate all cache input fingerprint files
     generates:
@@ -281,16 +150,10 @@ tasks:
         echo -e "${YELLOW}creating fingerprint files for non-docker fixtures...${RESET}"
         for dir in $(find . -type d -name 'testdata'); do
           if [ -f "$dir/Makefile" ]; then
-            # for debugging...
-            #echo -e "${YELLOW}• calculating fingerprints in $dir... ${RESET}"
-
             (make -C "$dir" fingerprint)
           fi
         done
 
-        # for debugging...
-        # echo -e "generated all fixture fingerprints"
-
       - .github/scripts/fingerprint_docker_fixtures.py
       - |
         # if DOWNLOAD_TEST_FIXTURE_CACHE is set to 'false', then we don't need to calculate the fingerprint for the cache
@@ -432,6 +295,7 @@ tasks:
       eval $oras_command
 
   show-test-image-cache:
+    desc: Print the on-disk + docker daemon state of the stereoscope fixture image cache
     silent: true
     cmds:
       - "echo 'Docker daemon cache:'"
@@ -452,28 +316,36 @@ tasks:
         exit 1
       fi
 
-  ## install.sh testing targets #################################
+  ## install.sh testing targets #############################################
 
   install-test:
+    desc: Run install.sh test suite (delegates to test/install/Makefile)
     cmds:
       - "cd test/install && make"
 
   install-test-cache-save:
+    desc: Save the install.sh test image cache (delegates to test/install/Makefile)
     cmds:
       - "cd test/install && make save"
 
   install-test-cache-load:
+    desc: Load the install.sh test image cache (delegates to test/install/Makefile)
     cmds:
       - "cd test/install && make load"
 
   install-test-ci-mac:
+    desc: Run install.sh CI test suite on macOS (delegates to test/install/Makefile)
     cmds:
       - "cd test/install && make ci-test-mac"
 
+  ## Compare-test targets ###################################################
+
   generate-compare-file:
+    desc: Generate the acceptance comparison reference JSON for the current compare image
     cmd: "go run ./cmd/syft {{ .COMPARE_TEST_IMAGE }} -o json > {{ .COMPARE_DIR }}/testdata/acceptance-{{ .COMPARE_TEST_IMAGE }}.json"
 
   compare-mac:
+    desc: Run macOS install + acceptance comparison against the snapshot build
     deps: [tmpdir]
     cmd: |
       {{ .COMPARE_DIR }}/mac.sh \
@@ -483,11 +355,13 @@ tasks:
         {{ .TMP_DIR }}
 
   compare-linux:
+    desc: Run Linux install + acceptance comparison (deb + rpm) against the snapshot build
     cmds:
       - task: compare-test-deb-package-install
       - task: compare-test-rpm-package-install
 
   compare-test-deb-package-install:
+    desc: Run Linux .deb install + acceptance comparison against the snapshot build
     deps: [tmpdir]
     cmd: |
       {{ .COMPARE_DIR }}/deb.sh \
@@ -497,6 +371,7 @@ tasks:
         {{ .TMP_DIR }}
 
   compare-test-rpm-package-install:
+    desc: Run Linux .rpm install + acceptance comparison against the snapshot build
     deps: [tmpdir]
     cmd: |
       {{ .COMPARE_DIR }}/rpm.sh \
@@ -506,7 +381,7 @@ tasks:
         {{ .TMP_DIR }}
 
 
-  ## Code and data generation targets #################################
+  ## Code and data generation targets ######################################
 
   generate:
     desc: Add data generation tasks
@@ -556,104 +431,7 @@ tasks:
       - "SYFT_ENABLE_COMPLETENESS_TESTS=true go test -p 1 ./internal/capabilities/... -count=1"
 
 
-  ## Build-related targets #################################
-
-  build:
-    desc: Build the project
-    deps: [tools, tmpdir]
-    generates:
-      - "{{ .PROJECT }}"
-    cmds:
-      - silent: true
-        cmd: |
-          echo "dist: {{ .SNAPSHOT_DIR }}" > {{ .TMP_DIR }}/goreleaser.yaml
-          cat .goreleaser.yaml >> {{ .TMP_DIR }}/goreleaser.yaml
-
-      - "{{ .BUILD_CMD }}"
-
-  snapshot:
-    desc: Create a snapshot release
-    aliases:
-      - build
-    deps: [tools, tmpdir]
-    sources:
-      - cmd/**/*.go
-      - syft/**/*.go
-      - internal/**/*.go
-    method: checksum
-    generates:
-      - "{{ .SNAPSHOT_BIN }}"
-    cmds:
-      - silent: true
-        cmd: |
-          echo "dist: {{ .SNAPSHOT_DIR }}" > {{ .TMP_DIR }}/goreleaser.yaml
-          cat .goreleaser.yaml >> {{ .TMP_DIR }}/goreleaser.yaml
-
-      - "{{ .SNAPSHOT_CMD }}"
-
-  snapshot-smoke-test:
-    desc: Run a smoke test on the snapshot builds + docker images
-    cmds:
-      - cmd: "echo 'testing snapshot binary: {{ .SNAPSHOT_BIN }}'"
-        silent: true
-      - cmd: "test -f {{ .SNAPSHOT_BIN }} || (find {{ .SNAPSHOT_DIR }} && echo '\nno snapshot found for {{ .SNAPSHOT_BIN }}' && false)"
-        silent: true
-      - "{{ .SNAPSHOT_BIN }} version"
-      - "{{ .SNAPSHOT_BIN }} scan alpine:latest"
-      - docker run --rm anchore/syft:latest version
-      - docker run --rm anchore/syft:latest scan alpine:latest
-
-  changelog:
-    desc: Generate a changelog
-    deps: [tools]
-    generates:
-      - "{{ .CHANGELOG }}"
-      - "{{ .NEXT_VERSION }}"
-    cmds:
-      - "{{ .TOOL_DIR }}/chronicle -vv -n --version-file {{ .NEXT_VERSION }} > {{ .CHANGELOG }}"
-      - "{{ .TOOL_DIR }}/glow -w 0 {{ .CHANGELOG }}"
-
-
-  ## Release targets #################################
-
-  release:
-    desc: Create a release
-    interactive: true
-    deps: [tools]
-    cmds:
-      - cmd: .github/scripts/trigger-release.sh
-        silent: true
-
-
-  ## CI-only targets #################################
-
-  ci-check:
-    # desc: "[CI only] Are you in CI?"
-    cmds:
-      - cmd: .github/scripts/ci-check.sh
-        silent: true
-
-  ci-release:
-    # desc: "[CI only] Create a release"
-    deps: [tools]
-    cmds:
-      - task: ci-check
-      - "{{ .TOOL_DIR }}/chronicle -vvv > CHANGELOG.md"
-      - cmd: "cat CHANGELOG.md"
-        silent: true
-      - "{{ .RELEASE_CMD }}"
-
-
-  ## Cleanup targets #################################
-
-  clean:
-    desc: Remove all cache files and old builds
-    cmds:
-      - task: clean-snapshot
-      - task: clean-cache
-      - task: clean-test-observations
-      - task: clean-docker-cache
-      - task: clean-oras-cache
+  ## Cleanup targets ########################################################
 
   clean-snapshot:
     desc: Remove any snapshot builds
@@ -675,6 +453,7 @@ tasks:
     desc: Remove all image docker tar cache, images from the docker daemon, and ephemeral test fixtures
     cmds:
       - task: clean-docker-cache
+      - task: prune-orphan-fingerprints
       - |
         BOLD='\033[1m'
         YELLOW='\033[0;33m'
@@ -690,6 +469,12 @@ tasks:
         echo -e "${BOLD}Deleted all ephemeral test fixtures${RESET}"
       - rm -f {{ .LAST_CACHE_PULL_FILE }} {{ .CACHE_PATHS_FILE }}
 
+  prune-orphan-fingerprints:
+    desc: Remove *.fingerprint files left behind by moved/deleted catalogers
+    silent: true
+    cmds:
+      - .github/scripts/prune_orphan_fingerprints.py
+
   clean-test-observations:
     desc: Remove all test observations (i.e. testdata/test-observations.json)
     cmds:

go.mod

@@ -1,14 +1,15 @@
 module github.com/anchore/syft
 
-go 1.25.8
+go 1.26.3
 
 require (
 	github.com/BurntSushi/toml v1.6.0
-	github.com/CycloneDX/cyclonedx-go v0.10.0
-	github.com/Masterminds/semver/v3 v3.4.0
+	github.com/CycloneDX/cyclonedx-go v0.11.0
+	github.com/Masterminds/semver/v3 v3.5.0
 	github.com/Masterminds/sprig/v3 v3.3.0
 	github.com/OneOfOne/xxhash v1.2.8
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
+	github.com/acobaugh/osrelease v0.1.0
 	github.com/adrg/xdg v0.5.3
 	github.com/anchore/bubbly v0.2.0
 	github.com/anchore/clio v0.1.0
@@ -21,42 +22,47 @@ require (
 	github.com/anchore/go-sync v0.1.0
 	github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
 	github.com/anchore/packageurl-go v0.2.0
-	github.com/anchore/stereoscope v0.1.23
+	github.com/anchore/stereoscope v0.2.1
+	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
 	github.com/aquasecurity/go-pep440-version v0.0.1
 	github.com/bitnami/go-version v0.0.0-20250131085805-b1f57a8634ef
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb
 	github.com/bmatcuk/doublestar/v4 v4.10.0
+	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/charmbracelet/bubbles v1.0.0
 	github.com/charmbracelet/bubbletea v1.3.10
 	github.com/charmbracelet/lipgloss v1.1.0
 	github.com/dave/jennifer v1.7.1
 	github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da
-	github.com/diskfs/go-diskfs v1.7.0
+	github.com/diskfs/go-diskfs v1.9.3
 	github.com/distribution/reference v0.6.0
 	github.com/dustin/go-humanize v1.0.1
 	github.com/elliotchance/phpserialize v1.4.0
 	github.com/facebookincubator/nvdtools v0.1.5
-	github.com/github/go-spdx/v2 v2.4.0
-	github.com/gkampitakis/go-snaps v0.5.21
-	github.com/go-git/go-billy/v5 v5.8.0
-	github.com/go-git/go-git/v5 v5.18.0
+	github.com/github/go-spdx/v2 v2.7.0
+	github.com/gkampitakis/go-snaps v0.5.22
+	github.com/go-git/go-billy/v5 v5.9.0
+	github.com/go-git/go-git/v5 v5.19.1
 	github.com/go-test/deep v1.1.1
 	github.com/go-viper/mapstructure/v2 v2.5.0
+	github.com/goccy/go-yaml v1.19.2
 	github.com/gohugoio/hashstructure v0.6.0
 	github.com/google/go-cmp v0.7.0
-	github.com/google/go-containerregistry v0.21.5
+	github.com/google/go-containerregistry v0.21.6
 	github.com/google/licensecheck v0.3.1
 	github.com/google/uuid v1.6.0
-	github.com/gookit/color v1.6.0
+	github.com/gookit/color v1.6.1
+	github.com/gpustack/gguf-parser-go v0.24.1
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-getter v1.8.6
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/hcl/v2 v2.24.0
 	github.com/iancoleman/strcase v0.3.0
-	github.com/invopop/jsonschema v0.13.0
-	github.com/jedib0t/go-pretty/v6 v6.7.8
+	github.com/invopop/jsonschema v0.14.0
+	github.com/jedib0t/go-pretty/v6 v6.7.10
 	github.com/jinzhu/copier v0.4.0
 	github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953
+	github.com/klauspost/compress v1.18.6
 	github.com/magiconair/properties v1.8.10
 	github.com/mholt/archives v0.1.5
 	github.com/moby/sys/mountinfo v0.7.2
@@ -77,6 +83,7 @@ require (
 	github.com/spf13/afero v1.15.0
 	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
+	github.com/ulikunitz/xz v0.5.15
 	github.com/vbatts/go-mtree v0.7.0
 	github.com/vifraa/gopom v1.0.0
 	github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651
@@ -85,201 +92,46 @@ require (
 	github.com/zyedidia/generic v1.2.2-0.20230320175451-4410d2372cb1
 	go.uber.org/goleak v1.3.0
 	go.yaml.in/yaml/v3 v3.0.4
-	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
-	golang.org/x/mod v0.35.0
-	golang.org/x/net v0.53.0
-	modernc.org/sqlite v1.46.2
+	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
+	golang.org/x/mod v0.36.0
+	golang.org/x/net v0.55.0
+	golang.org/x/time v0.15.0
+	golang.org/x/tools v0.45.0
+	gopkg.in/yaml.v3 v3.0.1
+	modernc.org/sqlite v1.51.0
 )
 
 require (
+	github.com/pb33f/ordered-map/v2 v2.3.1
+	github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd
+)
+
+require (
+	cel.dev/expr v0.25.1 // indirect
 	cloud.google.com/go v0.123.0 // indirect
 	cloud.google.com/go/auth v0.18.2 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	cloud.google.com/go/iam v1.5.3 // indirect
+	cloud.google.com/go/monitoring v1.24.3 // indirect
 	cloud.google.com/go/storage v1.61.3 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	github.com/DataDog/zstd v1.5.5 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/Microsoft/hcsshim v0.14.0-rc.1 // indirect
+	github.com/Microsoft/go-winio v0.6.3-0.20251027160822-ad3df93bed29 // indirect
+	github.com/Microsoft/hcsshim v0.15.0-rc.1 // indirect
 	github.com/ProtonMail/go-crypto v1.4.0 // indirect
 	github.com/STARRY-S/zip v0.2.3 // indirect
-	github.com/agext/levenshtein v1.2.1 // indirect; indirectt
+	github.com/agext/levenshtein v1.2.1 // indirect
 	github.com/anchore/go-lzo v0.1.0 // indirect
 	github.com/anchore/go-struct-converter v0.1.0 // indirect
 	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/aquasecurity/go-version v0.0.1 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
-	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
-	github.com/becheran/wildmatch-go v1.0.0 // indirect
-	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
-	github.com/bodgit/plumbing v1.3.0 // indirect
-	github.com/bodgit/sevenzip v1.6.1 // indirect
-	github.com/bodgit/windows v1.0.1 // indirect
-	github.com/charmbracelet/colorprofile v0.4.1 // indirect
-	github.com/charmbracelet/harmonica v0.2.0 // indirect
-	github.com/charmbracelet/x/ansi v0.11.6 // indirect
-	github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
-	github.com/charmbracelet/x/term v0.2.2 // indirect
-	github.com/cloudflare/circl v1.6.3 // indirect
-	github.com/containerd/containerd/api v1.10.0 // indirect
-	github.com/containerd/continuity v0.4.5 // indirect
-	github.com/containerd/errdefs v1.0.0 // indirect
-	github.com/containerd/errdefs/pkg v0.3.0 // indirect
-	github.com/containerd/fifo v1.1.0 // indirect
-	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/platforms v1.0.0-rc.4 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.18.2 // indirect
-	github.com/containerd/ttrpc v1.2.7 // indirect
-	github.com/containerd/typeurl/v2 v2.2.3 // indirect
-	github.com/cyphar/filepath-securejoin v0.6.0 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/docker/cli v29.4.0+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.9.5 // indirect
-	github.com/docker/go-connections v0.6.0 // indirect
-	github.com/docker/go-units v0.5.0 // indirect
-	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
-	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
-	github.com/fatih/color v1.18.0 // indirect
-	github.com/felixge/fgprof v0.9.5 // indirect
-	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.9.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
-	github.com/gkampitakis/ciinfo v0.3.2 // indirect
-	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
-	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-restruct/restruct v1.2.0-alpha // indirect
-	github.com/goccy/go-yaml v1.19.2
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
-	github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e // indirect
-	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
-	github.com/googleapis/gax-go/v2 v2.17.0 // indirect
-	github.com/hashicorp/errwrap v1.1.0 // indirect
-	github.com/hashicorp/go-version v1.8.0 // indirect
-	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
-	github.com/huandu/xstrings v1.5.0 // indirect
-	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.18.5 // indirect
-	github.com/klauspost/pgzip v1.2.6 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
-	github.com/kr/text v0.2.0 // indirect
-	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
-	github.com/maruel/natural v1.1.1 // indirect
-	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-localereader v0.0.2-0.20220822084749-2491eb6c1c75 // indirect
-	github.com/mattn/go-runewidth v0.0.19 // indirect
-	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
-	github.com/mikelolasagasti/xz v1.0.1 // indirect
-	github.com/minio/minlz v1.0.1 // indirect
-	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
-	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/locker v1.0.1 // indirect
-	github.com/moby/sys/sequential v0.6.0 // indirect
-	github.com/moby/sys/signal v0.7.1 // indirect
-	github.com/moby/sys/user v0.4.0 // indirect
-	github.com/moby/sys/userns v0.1.0 // indirect
-	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
-	github.com/muesli/cancelreader v0.2.2 // indirect
-	github.com/muesli/termenv v0.16.0 // indirect
-	github.com/ncruces/go-strftime v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/opencontainers/runtime-spec v1.3.0 // indirect
-	github.com/opencontainers/selinux v1.13.1 // indirect
-	github.com/pborman/indent v1.2.1 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
-	github.com/pierrec/lz4/v4 v4.1.22 // indirect
-	github.com/pjbgf/sha1cd v0.3.2 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pkg/profile v1.7.0 // indirect
-	github.com/pkg/xattr v0.4.9 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	github.com/sagikazarmark/locafero v0.11.0 // indirect
-	github.com/sahilm/fuzzy v0.1.1 // indirect
-	github.com/shopspring/decimal v1.4.0 // indirect
-	github.com/sirupsen/logrus v1.9.4 // indirect
-	github.com/skeema/knownhosts v1.3.1 // indirect
-	github.com/sorairolake/lzip-go v0.3.8 // indirect
-	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
-	github.com/spf13/cast v1.10.0 // indirect
-	github.com/spf13/pflag v1.0.10 // indirect
-	github.com/spf13/viper v1.21.0 // indirect
-	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/sylabs/sif/v2 v2.24.0 // indirect
-	github.com/sylabs/squashfs v1.0.6 // indirect
-	github.com/therootcompany/xz v1.0.1 // indirect
-	github.com/tidwall/gjson v1.18.0 // indirect
-	github.com/tidwall/match v1.1.1 // indirect
-	github.com/tidwall/pretty v1.2.1 // indirect
-	github.com/tidwall/sjson v1.2.5 // indirect
-	github.com/ulikunitz/xz v0.5.15
-	github.com/vbatts/tar-split v0.12.2 // indirect
-	github.com/xanzy/ssh-agent v0.3.3 // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
-	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
-	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
-	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	github.com/zclconf/go-cty v1.16.3 // indirect
-	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
-	go.opentelemetry.io/otel v1.43.0 // indirect
-	go.opentelemetry.io/otel/metric v1.43.0 // indirect
-	go.opentelemetry.io/otel/trace v1.43.0 // indirect
-	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
-	golang.org/x/crypto v0.50.0 // indirect
-	golang.org/x/oauth2 v0.36.0 // indirect
-	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
-	golang.org/x/term v0.42.0 // indirect
-	golang.org/x/text v0.36.0 // indirect
-	golang.org/x/time v0.15.0
-	golang.org/x/tools v0.44.0
-	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
-	google.golang.org/api v0.271.0 // indirect
-	google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
-	google.golang.org/grpc v1.79.3 // indirect
-	google.golang.org/protobuf v1.36.11 // indirect
-	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v3 v3.0.1
-	modernc.org/libc v1.70.0 // indirect
-	modernc.org/mathutil v1.7.1 // indirect
-	modernc.org/memory v1.11.0 // indirect
-)
-
-require (
-	github.com/acobaugh/osrelease v0.1.0
-	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
-	github.com/cespare/xxhash/v2 v2.3.0
-	github.com/gpustack/gguf-parser-go v0.24.0
-	github.com/wk8/go-ordered-map/v2 v2.1.8
-)
-
-require (
-	cel.dev/expr v0.25.1 // indirect
-	cloud.google.com/go/monitoring v1.24.3 // indirect
-	cyphar.com/go-pathrs v0.2.1 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.41.5 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.32.12 // indirect
@@ -299,36 +151,179 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 // indirect
 	github.com/aws/smithy-go v1.24.2 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
+	github.com/becheran/wildmatch-go v1.0.0 // indirect
+	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+	github.com/bodgit/plumbing v1.3.0 // indirect
+	github.com/bodgit/sevenzip v1.6.1 // indirect
+	github.com/bodgit/windows v1.0.1 // indirect
 	github.com/buger/jsonparser v1.1.2 // indirect
+	github.com/charmbracelet/colorprofile v0.4.1 // indirect
+	github.com/charmbracelet/harmonica v0.2.0 // indirect
+	github.com/charmbracelet/x/ansi v0.11.6 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
+	github.com/charmbracelet/x/term v0.2.2 // indirect
 	github.com/clipperhouse/displaywidth v0.10.0 // indirect
 	github.com/clipperhouse/uax29/v2 v2.6.0 // indirect
+	github.com/cloudflare/circl v1.6.3 // indirect
 	github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
-	github.com/containerd/cgroups/v3 v3.1.2 // indirect
-	github.com/containerd/containerd/v2 v2.2.2 // indirect
-	github.com/containerd/plugin v1.0.0 // indirect
+	github.com/containerd/cgroups/v3 v3.1.3 // indirect
+	github.com/containerd/containerd/api v1.11.1 // indirect
+	github.com/containerd/containerd/v2 v2.3.1 // indirect
+	github.com/containerd/continuity v0.5.0 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/containerd/fifo v1.1.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v1.0.0-rc.4 // indirect
+	github.com/containerd/plugin v1.1.0 // indirect
+	github.com/containerd/ttrpc v1.2.8 // indirect
+	github.com/containerd/typeurl/v2 v2.2.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/docker/cli v29.4.3+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.9.5 // indirect
+	github.com/docker/go-connections v0.7.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
+	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/felixge/fgprof v0.9.5 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
+	github.com/gkampitakis/ciinfo v0.3.4 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-restruct/restruct v1.2.0-alpha // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
+	github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
+	github.com/googleapis/gax-go/v2 v2.17.0 // indirect
 	github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.72 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-version v1.8.0 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/henvic/httpretty v0.1.4 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/moby/moby/api v1.54.1 // indirect
-	github.com/moby/moby/client v0.4.0 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/klauspost/pgzip v1.2.6 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
+	github.com/maruel/natural v1.3.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-localereader v0.0.2-0.20220822084749-2491eb6c1c75 // indirect
+	github.com/mattn/go-runewidth v0.0.19 // indirect
+	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
+	github.com/mikelolasagasti/xz v1.0.1 // indirect
+	github.com/minio/minlz v1.0.1 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/locker v1.0.1 // indirect
+	github.com/moby/moby/api v1.54.2 // indirect
+	github.com/moby/moby/client v0.4.1 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
+	github.com/moby/sys/signal v0.7.1 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
+	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
+	github.com/muesli/cancelreader v0.2.2 // indirect
+	github.com/muesli/termenv v0.16.0 // indirect
+	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/nwaples/rardecode/v2 v2.2.0 // indirect
 	github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
 	github.com/olekukonko/errors v1.2.0 // indirect
 	github.com/olekukonko/ll v0.1.6 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/opencontainers/runtime-spec v1.3.0 // indirect
+	github.com/pborman/indent v1.2.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.3.1 // indirect
+	github.com/pierrec/lz4/v4 v4.1.26 // indirect
+	github.com/pjbgf/sha1cd v0.6.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pkg/profile v1.7.0 // indirect
+	github.com/pkg/xattr v0.4.12 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/sagikazarmark/locafero v0.11.0 // indirect
+	github.com/sahilm/fuzzy v0.1.1 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sirupsen/logrus v1.9.4 // indirect
+	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/smallnest/ringbuffer v0.0.0-20241116012123-461381446e3d // indirect
+	github.com/sorairolake/lzip-go v0.3.8 // indirect
+	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
+	github.com/spf13/cast v1.10.0 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/spf13/viper v1.21.0 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/sylabs/sif/v2 v2.24.0 // indirect
+	github.com/sylabs/squashfs v1.0.6 // indirect
+	github.com/therootcompany/xz v1.0.1 // indirect
+	github.com/tidwall/gjson v1.19.0 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.1 // indirect
+	github.com/tidwall/sjson v1.2.5 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	github.com/zclconf/go-cty v1.16.3 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.68.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
-	gonum.org/v1/gonum v0.16.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
+	go.yaml.in/yaml/v4 v4.0.0-rc.2 // indirect
+	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
+	golang.org/x/crypto v0.52.0 // indirect
+	golang.org/x/oauth2 v0.36.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
+	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
+	gonum.org/v1/gonum v0.17.0 // indirect
+	google.golang.org/api v0.271.0 // indirect
+	google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d // indirect
+	google.golang.org/grpc v1.80.0 // indirect
+	google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	modernc.org/libc v1.72.3 // indirect
+	modernc.org/mathutil v1.7.1 // indirect
+	modernc.org/memory v1.11.0 // indirect
 )
 
 retract (

go.sum

@@ -67,8 +67,6 @@ cloud.google.com/go/storage v1.61.3 h1:VS//ZfBuPGDvakfD9xyPW1RGF1Vy3BWUoVZXgW1KM
 cloud.google.com/go/storage v1.61.3/go.mod h1:JtqK8BBB7TWv0HVGHubtUdzYYrakOQIsMLffZ2Z/HWk=
 cloud.google.com/go/trace v1.11.7 h1:kDNDX8JkaAG3R2nq1lIdkb7FCSi1rCmsEtKVsty7p+U=
 cloud.google.com/go/trace v1.11.7/go.mod h1:TNn9d5V3fQVf6s4SCveVMIBS2LJUqo73GACmq/Tky0s=
-cyphar.com/go-pathrs v0.2.1 h1:9nx1vOgwVvX1mNBWDu93+vaceedpbsDqo+XuBGL40b8=
-cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
@@ -79,13 +77,13 @@ github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbi
 github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
 github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.10.0 h1:7xyklU7YD+CUyGzSFIARG18NYLsKVn4QFg04qSsu+7Y=
-github.com/CycloneDX/cyclonedx-go v0.10.0/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8=
+github.com/CycloneDX/cyclonedx-go v0.11.0 h1:GokP8FiRC+foiuwWhSSLpSD5H4hSWtGnR3wo7apkBFI=
+github.com/CycloneDX/cyclonedx-go v0.11.0/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/DataDog/zstd v1.5.5 h1:oWf5W7GtOLgp6bciQYDmhHHjdhYkALu6S/5Ni9ZgSvQ=
 github.com/DataDog/zstd v1.5.5/go.mod h1:g4AWEaM3yOg3HYfnJ3YIawPnVdXJh9QME85blwSAmyw=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 h1:sBEjpZlNHzK1voKq9695PJSX2o5NEXl7/OL3coiIY0c=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 h1:DHa2U07rk8syqvCge0QIGMCE1WxGj9njT44GH7zNJLQ=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0 h1:UnDZ/zFfG1JhH/DqxIZYU/1CUAlTUScoXD/LcM2Ykk8=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0/go.mod h1:IA1C1U7jO/ENqm/vhi7V9YYpBsp+IMyqNrEN94N7tVc=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.55.0 h1:7t/qx5Ost0s0wbA/VDrByOooURhp+ikYwv20i9Y07TQ=
@@ -94,15 +92,15 @@ github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapp
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0/go.mod h1:Mf6O40IAyB9zR/1J8nGDDPirZQQPbYJni8Yisy7NTMc=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
-github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Masterminds/semver/v3 v3.5.0 h1:kQceYJfbupGfZOKZQg0kou0DgAKhzDg2NZPAwZ/2OOE=
+github.com/Masterminds/semver/v3 v3.5.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
 github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
-github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/Microsoft/hcsshim v0.14.0-rc.1 h1:qAPXKwGOkVn8LlqgBN8GS0bxZ83hOJpcjxzmlQKxKsQ=
-github.com/Microsoft/hcsshim v0.14.0-rc.1/go.mod h1:hTKFGbnDtQb1wHiOWv4v0eN+7boSWAHyK/tNAaYZL0c=
+github.com/Microsoft/go-winio v0.6.3-0.20251027160822-ad3df93bed29 h1:0kQAzHq8vLs7Pptv+7TxjdETLf/nIqJpIB4oC6Ba4vY=
+github.com/Microsoft/go-winio v0.6.3-0.20251027160822-ad3df93bed29/go.mod h1:ZWa7ssZJT30CCDGJ7fk/2SBTq9BIQrrVjrcss0UW2s0=
+github.com/Microsoft/hcsshim v0.15.0-rc.1 h1:FbbwtQmiD+BVHynGkx5S65JkLyhkEiiTP8nrpmg2SZw=
+github.com/Microsoft/hcsshim v0.15.0-rc.1/go.mod h1:HWvvUPIy9HF6LotILj1G4VyS065rcLQ6tqj6tMUdOfI=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
 github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
@@ -148,8 +146,8 @@ github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZV
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
 github.com/anchore/packageurl-go v0.2.0 h1:CkrM4RMUwrEGAiE1OVlxaZNzWj0TuHRey7o4T/EAErk=
 github.com/anchore/packageurl-go v0.2.0/go.mod h1:2JCgOQMIsqZ7TmliXG4PnUthPJAKE3mWQbsW2XHjAOE=
-github.com/anchore/stereoscope v0.1.23 h1:q9i3CtbicTuSlcCnA+5pfoT9WDCEoSqvXDfHMH1hyWo=
-github.com/anchore/stereoscope v0.1.23/go.mod h1:JLnun49fkLkuv3ebU0ROvFl/0JiRmNmUtCzc6y4ollo=
+github.com/anchore/stereoscope v0.2.1 h1:x9c4LCPGh53tKDAQ22RqEUftEnL7tphJavSRke/aICE=
+github.com/anchore/stereoscope v0.2.1/go.mod h1:PYx3fD4lvBVsYoQ/fBdauhZ5hmkRrJgw1B73svKx7/U=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
 github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
@@ -294,14 +292,14 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w=
 github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
-github.com/containerd/cgroups/v3 v3.1.2 h1:OSosXMtkhI6Qove637tg1XgK4q+DhR0mX8Wi8EhrHa4=
-github.com/containerd/cgroups/v3 v3.1.2/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw=
-github.com/containerd/containerd/api v1.10.0 h1:5n0oHYVBwN4VhoX9fFykCV9dF1/BvAXeg2F8W6UYq1o=
-github.com/containerd/containerd/api v1.10.0/go.mod h1:NBm1OAk8ZL+LG8R0ceObGxT5hbUYj7CzTmR3xh0DlMM=
-github.com/containerd/containerd/v2 v2.2.2 h1:mjVQdtfryzT7lOqs5EYUFZm8ioPVjOpkSoG1GJPxEMY=
-github.com/containerd/containerd/v2 v2.2.2/go.mod h1:5Jhevmv6/2J+Iu/A2xXAdUIdI5Ah/hfyO7okJ4AFIdY=
-github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
-github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
+github.com/containerd/cgroups/v3 v3.1.3 h1:eUNflyMddm18+yrDmZPn3jI7C5hJ9ahABE5q6dyLYXQ=
+github.com/containerd/cgroups/v3 v3.1.3/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw=
+github.com/containerd/containerd/api v1.11.1 h1:h8nfoDW9+fNsC/9TwiAHj8B1GzXKtR4eFtkhi/X5RLU=
+github.com/containerd/containerd/api v1.11.1/go.mod h1:CaQFRu+N1MtbgL6JDOJLUB1hCKESU1lD6MuTJhgtdlw=
+github.com/containerd/containerd/v2 v2.3.1 h1:4dVXBdlvotRBlaP2TmNbY/EGc06KJrMDDUqQdxX/HOk=
+github.com/containerd/containerd/v2 v2.3.1/go.mod h1:xVoxGPWZBwwph8DF2IbDhriLKdHfjdpO0b3wFP9wQ1I=
+github.com/containerd/continuity v0.5.0 h1:7a85HZpCSs+1Zps0Ee3DPSuAWY+0SJM1JNM51nlEVDg=
+github.com/containerd/continuity v0.5.0/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
 github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
@@ -312,12 +310,10 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/platforms v1.0.0-rc.4 h1:M42JrUT4zfZTqtkUwkr0GzmUWbfyO5VO0Q5b3op97T4=
 github.com/containerd/platforms v1.0.0-rc.4/go.mod h1:lKlMXyLybmBedS/JJm11uDofzI8L2v0J2ZbYvNsbq1A=
-github.com/containerd/plugin v1.0.0 h1:c8Kf1TNl6+e2TtMHZt+39yAPDbouRH9WAToRjex483Y=
-github.com/containerd/plugin v1.0.0/go.mod h1:hQfJe5nmWfImiqT1q8Si3jLv3ynMUIBB47bQ+KexvO8=
-github.com/containerd/stargz-snapshotter/estargz v0.18.2 h1:yXkZFYIzz3eoLwlTUZKz2iQ4MrckBxJjkmD16ynUTrw=
-github.com/containerd/stargz-snapshotter/estargz v0.18.2/go.mod h1:XyVU5tcJ3PRpkA9XS2T5us6Eg35yM0214Y+wvrZTBrY=
-github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ=
-github.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
+github.com/containerd/plugin v1.1.0 h1:O+7lczNJVMy8rz0YNx3xGB8tTf5qY4i5abF041Ew19U=
+github.com/containerd/plugin v1.1.0/go.mod h1:qBTum+A8lJ6lO44A19Eo7y1OlcLj4OWFH1DA/vnHmcc=
+github.com/containerd/ttrpc v1.2.8 h1:xbVu6D4qF2jihdh9rDVOKqUMiFBQk6YctTdo1zk087Y=
+github.com/containerd/ttrpc v1.2.8/go.mod h1:wyZW2K79t4Hfcxl+GUvkZqRBzJlqFFvgEeeWXa42tyE=
 github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
 github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@@ -325,8 +321,8 @@ github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV
 github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cyphar/filepath-securejoin v0.6.0 h1:BtGB77njd6SVO6VztOHfPxKitJvd/VPT+OFBFMOi1Is=
-github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
+github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
+github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/dave/jennifer v1.7.1 h1:B4jJJDHelWcDhlRQxWeo0Npa/pYKBLrirAQoTN45txo=
 github.com/dave/jennifer v1.7.1/go.mod h1:nXbxhEmQfOZhWml3D1cDK5M1FLnMSozpbFN/m3RmGZc=
 github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -337,18 +333,18 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8Yc
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da h1:ZOjWpVsFZ06eIhnh4mkaceTiVoktdU67+M7KDHJ268M=
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da/go.mod h1:B3tI9iGHi4imdLi4Asdha1Sc6feLMTfPLXh9IUYmysk=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
-github.com/diskfs/go-diskfs v1.7.0 h1:vonWmt5CMowXwUc79jWyGrf2DIMeoOjkLlMnQYGVOs8=
-github.com/diskfs/go-diskfs v1.7.0/go.mod h1:LhQyXqOugWFRahYUSw47NyZJPezFzB9UELwhpszLP/k=
+github.com/diskfs/go-diskfs v1.9.3 h1:cLciNCeZ4QAXVxyPJDr1ZJ9N9CCG3rQlQ/z/Cs/cNDM=
+github.com/diskfs/go-diskfs v1.9.3/go.mod h1:TePJORO83Adh5pb2SqsxAwaP0fofFxKLkxctiS/9OQc=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v29.4.0+incompatible h1:+IjXULMetlvWJiuSI0Nbor36lcJ5BTcVpUmB21KBoVM=
-github.com/docker/cli v29.4.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.4.3+incompatible h1:u+UliYm2J/rYrIh2FqHQg32neRG8GjbvNuwQRTzGspU=
+github.com/docker/cli v29.4.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/docker-credential-helpers v0.9.5 h1:EFNN8DHvaiK8zVqFA2DT6BjXE0GzfLOZ38ggPTKePkY=
 github.com/docker/docker-credential-helpers v0.9.5/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c=
-github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
-github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
+github.com/docker/go-connections v0.7.0 h1:6SsRfJddP22WMrCkj19x9WKjEDTB+ahsdiGYf0mN39c=
+github.com/docker/go-connections v0.7.0/go.mod h1:no1qkHdjq7kLMGUXYAduOhYPSJxxvgWBh7ogVvptn3Q=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 h1:2tV76y6Q9BB+NEBasnqvs7e49aEBFI8ejC89PSnWH+4=
@@ -360,8 +356,8 @@ github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o
 github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/elliotchance/phpserialize v1.4.0 h1:cAp/9+KSnEbUC8oYCE32n2n84BeW8HOY3HMDI8hG2OY=
 github.com/elliotchance/phpserialize v1.4.0/go.mod h1:gt7XX9+ETUcLXbtTKEuyrqW3lcLUAeS/AnGZ2e49TZs=
-github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab h1:h1UgjJdAAhj+uPL68n7XASS6bU+07ZX1WJvVS2eyoeY=
-github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=
+github.com/elliotwutingfeng/asciiset v0.0.0-20260129054604-cfde2086bc57 h1:x5yxNrq8XffV/OoNUeFPM6hxHVi5OTspSTBxr/9pemg=
+github.com/elliotwutingfeng/asciiset v0.0.0-20260129054604-cfde2086bc57/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -385,6 +381,8 @@ github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg
 github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
+github.com/erofs/go-erofs v0.3.0 h1:o/W5ABAA3sHYl97WL93dacKEfeDpJhdFf3c2snAti7I=
+github.com/erofs/go-erofs v0.3.0/go.mod h1:XkSeN9MHszGd4+3gcEjadJLYHCQpWzJ7/8yznzMuzJs=
 github.com/facebookincubator/flog v0.0.0-20190930132826-d2511d0ce33c/go.mod h1:QGzNH9ujQ2ZUr/CjDGZGWeDAVStrWNjHeEcjJL96Nuk=
 github.com/facebookincubator/nvdtools v0.1.5 h1:jbmDT1nd6+k+rlvKhnkgMokrCAzHoASWE5LtHbX2qFQ=
 github.com/facebookincubator/nvdtools v0.1.5/go.mod h1:Kh55SAWnjckS96TBSrXI99KrEKH4iB0OJby3N8GRJO4=
@@ -408,24 +406,24 @@ github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8
 github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
 github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/github/go-spdx/v2 v2.4.0 h1:+4IwVwJJbm3rzvrQ6P1nI9BDMcy3la4RchRy5uehV/M=
-github.com/github/go-spdx/v2 v2.4.0/go.mod h1:/5rwgS0txhGtRdUZwc02bTglzg6HK3FfuEbECKlK2Sg=
-github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs=
-github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
-github.com/gkampitakis/go-snaps v0.5.21 h1:SvhSFeZviQXwlT+dnGyAIATVehkhqRVW6qfQZhCZH+Y=
-github.com/gkampitakis/go-snaps v0.5.21/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs=
+github.com/github/go-spdx/v2 v2.7.0 h1:GzfXx4wFdlilARxmFRXW/mgUy3A4vSqZocCMFV6XFdQ=
+github.com/github/go-spdx/v2 v2.7.0/go.mod h1:Ftc45YYG1WzpzwEPKRVm9Jv8vDqOrN4gWoCkK+bHer0=
+github.com/gkampitakis/ciinfo v0.3.4 h1:5eBSibVuSMbb/H6Elc0IIEFbkzCJi3lm94n0+U7Z0KY=
+github.com/gkampitakis/ciinfo v0.3.4/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
+github.com/gkampitakis/go-snaps v0.5.22 h1:xg9omphRnbDnimMCl1KqznC4krlxOGpkB0vDSfX2P7M=
+github.com/gkampitakis/go-snaps v0.5.22/go.mod h1:uy3lVzCCRRsAwYqSocyw5fY8xRLCYEfqoOJNxr8HonM=
 github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4=
 github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDzZG0=
-github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=
+github.com/go-git/go-billy/v5 v5.9.0 h1:jItGXszUDRtR/AlferWPTMN4j38BQ88XnXKbilmmBPA=
+github.com/go-git/go-billy/v5 v5.9.0/go.mod h1:jCnQMLj9eUgGU7+ludSTYoZL/GGmii14RxKFj7ROgHw=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.18.0 h1:O831KI+0PR51hM2kep6T8k+w0/LIAD490gvqMCvL5hM=
-github.com/go-git/go-git/v5 v5.18.0/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo=
+github.com/go-git/go-git/v5 v5.19.1 h1:nX27AnaU43/K5bKktKwgBmR9lawoYVe1Ckg0rgzzN00=
+github.com/go-git/go-git/v5 v5.19.1/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -511,8 +509,8 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-containerregistry v0.21.5 h1:KTJG9Pn/jC0VdZR6ctV3/jcN+q6/Iqlx0sTVz3ywZlM=
-github.com/google/go-containerregistry v0.21.5/go.mod h1:ySvMuiWg+dOsRW0Hw8GYwfMwBlNRTmpYBFJPlkco5zU=
+github.com/google/go-containerregistry v0.21.6 h1:T+yqQIlJXKrM98Om4DlW3GoWQAmhZuLMwoDOvVrtiUM=
+github.com/google/go-containerregistry v0.21.6/go.mod h1:U7MMSBIJynke2MVQrQk19NP9k/uQsGz/h0amIFSHMbo=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/licensecheck v0.3.1 h1:QoxgoDkaeC4nFrtGN1jV7IPmDCHFNIVh54e5hSt6sPs=
 github.com/google/licensecheck v0.3.1/go.mod h1:ORkR35t/JjW+emNKtfJDII0zlciG9JgbT7SmsohlHmY=
@@ -558,10 +556,10 @@ github.com/googleapis/gax-go/v2 v2.17.0/go.mod h1:mzaqghpQp4JDh3HvADwrat+6M3MOID
 github.com/gookit/assert v0.1.1 h1:lh3GcawXe/p+cU7ESTZ5Ui3Sm/x8JWpIis4/1aF0mY0=
 github.com/gookit/assert v0.1.1/go.mod h1:jS5bmIVQZTIwk42uXl4lyj4iaaxx32tqH16CFj0VX2E=
 github.com/gookit/color v1.2.5/go.mod h1:AhIE+pS6D4Ql0SQWbBeXPHw7gY0/sjHoA4s/n1KB7xg=
-github.com/gookit/color v1.6.0 h1:JjJXBTk1ETNyqyilJhkTXJYYigHG24TM9Xa2M1xAhRA=
-github.com/gookit/color v1.6.0/go.mod h1:9ACFc7/1IpHGBW8RwuDm/0YEnhg3dwwXpoMsmtyHfjs=
-github.com/gpustack/gguf-parser-go v0.24.0 h1:tdJceXYp9e5RhE9RwVYIuUpir72Jz2D68NEtDXkKCKc=
-github.com/gpustack/gguf-parser-go v0.24.0/go.mod h1:y4TwTtDqFWTK+xvprOjRUh+dowgU2TKCX37vRKvGiZ0=
+github.com/gookit/color v1.6.1 h1:KoTnDxJPRgrL0SoX0f8rCFg2zI0t4E3GZZBMo2nN8LU=
+github.com/gookit/color v1.6.1/go.mod h1:9ACFc7/1IpHGBW8RwuDm/0YEnhg3dwwXpoMsmtyHfjs=
+github.com/gpustack/gguf-parser-go v0.24.1 h1:nTYtL8HFK6ZhB90RKBu4oX2b3ZHpJLrMmKRfL9w9Cyc=
+github.com/gpustack/gguf-parser-go v0.24.1/go.mod h1:y4TwTtDqFWTK+xvprOjRUh+dowgU2TKCX37vRKvGiZ0=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.72 h1:vTCWu1wbdYo7PEZFem/rlr01+Un+wwVmI7wiegFdRLk=
 github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.72/go.mod h1:Vn+BBgKQHVQYdVQ4NZDICE1Brb+JfaONyDHr3q07oQc=
@@ -622,12 +620,12 @@ github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/invopop/jsonschema v0.13.0 h1:KvpoAJWEjR3uD9Kbm2HWJmqsEaHt8lBUpd0qHcIi21E=
-github.com/invopop/jsonschema v0.13.0/go.mod h1:ffZ5Km5SWWRAIN6wbDXItl95euhFz2uON45H2qjYt+0=
+github.com/invopop/jsonschema v0.14.0 h1:MHQqLhvpNUZfw+hM3AZDYK7jxO8FZoQeQM77g8iyZjg=
+github.com/invopop/jsonschema v0.14.0/go.mod h1:ygm6C2EaVNMBDPpaPlnOA2pFAxBnxGjFlMZABxm9n2I=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
-github.com/jedib0t/go-pretty/v6 v6.7.8 h1:BVYrDy5DPBA3Qn9ICT+PokP9cvCv1KaHv2i+Hc8sr5o=
-github.com/jedib0t/go-pretty/v6 v6.7.8/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU=
+github.com/jedib0t/go-pretty/v6 v6.7.10 h1:B/2qW2Bkv2L6n14PP8o1kx75kWzHOQ3YTluWzg9icac=
+github.com/jedib0t/go-pretty/v6 v6.7.10/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU=
 github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
 github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
@@ -646,9 +644,11 @@ github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
-github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
+github.com/klauspost/compress v1.18.6 h1:2jupLlAwFm95+YDR+NwD2MEfFO9d4z4Prjl1XXDjuao=
+github.com/klauspost/compress v1.18.6/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -671,10 +671,9 @@ github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc8
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
 github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
-github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo=
-github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg=
+github.com/maruel/natural v1.3.0 h1:VsmCsBmEyrR46RomtgHs5hbKADGRVtliHTyCOLFBpsg=
+github.com/maruel/natural v1.3.0/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
@@ -723,10 +722,10 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
-github.com/moby/moby/api v1.54.1 h1:TqVzuJkOLsgLDDwNLmYqACUuTehOHRGKiPhvH8V3Nn4=
-github.com/moby/moby/api v1.54.1/go.mod h1:+RQ6wluLwtYaTd1WnPLykIDPekkuyD/ROWQClE83pzs=
-github.com/moby/moby/client v0.4.0 h1:S+2XegzHQrrvTCvF6s5HFzcrywWQmuVnhOXe2kiWjIw=
-github.com/moby/moby/client v0.4.0/go.mod h1:QWPbvWchQbxBNdaLSpoKpCdf5E+WxFAgNHogCWDoa7g=
+github.com/moby/moby/api v1.54.2 h1:wiat9QAhnDQjA7wk1kh/TqHz2I1uUA7M7t9SAl/JNXg=
+github.com/moby/moby/api v1.54.2/go.mod h1:+RQ6wluLwtYaTd1WnPLykIDPekkuyD/ROWQClE83pzs=
+github.com/moby/moby/client v0.4.1 h1:DMQgisVoMkmMs7fp3ROSdiBnoAu8+vo3GggFl06M/wY=
+github.com/moby/moby/client v0.4.1/go.mod h1:z52C9O2POPOsnxZAy//WtKcQ32P+jT/NGeXu/7nfjGQ=
 github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
 github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
 github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
@@ -776,22 +775,22 @@ github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJw
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg=
 github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE=
-github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/pb33f/ordered-map/v2 v2.3.1 h1:5319HDO0aw4DA4gzi+zv4FXU9UlSs3xGZ40wcP1nBjY=
+github.com/pb33f/ordered-map/v2 v2.3.1/go.mod h1:qxFQgd0PkVUtOMCkTapqotNgzRhMPL7VvaHKbd1HnmQ=
 github.com/pborman/indent v1.2.1 h1:lFiviAbISHv3Rf0jcuh489bi06hj98JsVMtIDZQb9yM=
 github.com/pborman/indent v1.2.1/go.mod h1:FitS+t35kIYtB5xWTZAPhnmrxcciEEOdbyrrpz5K6Vw=
 github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
-github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
-github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
-github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
-github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
+github.com/pelletier/go-toml/v2 v2.3.1 h1:MYEvvGnQjeNkRF1qUuGolNtNExTDwct51yp7olPtrEc=
+github.com/pelletier/go-toml/v2 v2.3.1/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pierrec/lz4/v4 v4.1.26 h1:GrpZw1gZttORinvzBdXPUXATeqlJjqUG/D87TKMnhjY=
+github.com/pierrec/lz4/v4 v4.1.26/go.mod h1:EoQMVJgeeEOMsCqCzqFm2O0cJvljX2nGZjcRIPL34O4=
+github.com/pjbgf/sha1cd v0.6.0 h1:3WJ8Wz8gvDz29quX1OcEmkAlUg9diU4GxJHqs0/XiwU=
+github.com/pjbgf/sha1cd v0.6.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -800,8 +799,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
 github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
-github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=
-github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
+github.com/pkg/xattr v0.4.12 h1:rRTkSyFNTRElv6pkA3zpjHpQ90p/OdHQC1GmGh1aTjM=
+github.com/pkg/xattr v0.4.12/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -822,8 +821,8 @@ github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8b
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
-github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
-github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
+github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
 github.com/quasilyte/go-ruleguard/dsl v0.3.23 h1:lxjt5B6ZCiBeeNO8/oQsegE6fLeCzuMRoVWSkXC4uvY=
 github.com/quasilyte/go-ruleguard/dsl v0.3.23/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
@@ -925,13 +924,15 @@ github.com/sylabs/sif/v2 v2.24.0 h1:1wB5uMDUQYjk8AckTySaDcP9YnpMb1LyDRr1Jt9A10w=
 github.com/sylabs/sif/v2 v2.24.0/go.mod h1:DbXWqWZ1hdLSU+K9ipdds5AmZeHWsyxCOj/oQakBa88=
 github.com/sylabs/squashfs v1.0.6 h1:PvJcDzxr+vIm2kH56mEMbaOzvGu79gK7P7IX+R7BDZI=
 github.com/sylabs/squashfs v1.0.6/go.mod h1:DlDeUawVXLWAsSRa085Eo0ZenGzAB32JdAUFaB0LZfE=
+github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd h1:Rf9uhF1+VJ7ZHqxrG8pJ6YacmHvVCmByDmGbAWCc/gA=
+github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd/go.mod h1:EbW0wDK/qEUYI0A5bqq0C2kF8JTQwWONmGDBbzsxxHo=
 github.com/terminalstatic/go-xsd-validate v0.1.6 h1:TenYeQ3eY631qNi1/cTmLH/s2slHPRKTTHT+XSHkepo=
 github.com/terminalstatic/go-xsd-validate v0.1.6/go.mod h1:18lsvYFofBflqCrvo1umpABZ99+GneNTw2kEEc8UPJw=
 github.com/therootcompany/xz v1.0.1 h1:CmOtsn1CbtmyYiusbfmhmkpAAETj0wBIH6kCYaX+xzw=
 github.com/therootcompany/xz v1.0.1/go.mod h1:3K3UH1yCKgBneZYhuQUvJ9HPD19UEXEI0BWbMn8qNMY=
 github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
-github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
-github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.19.0 h1:xwxm7n691Uf3u5OFjzngavjGTh55KX5q/9w9xHW88JU=
+github.com/tidwall/gjson v1.19.0/go.mod h1:V37/opeE/JbLUOfH0QTXiNez2l0RUjYUhpT4szFQAfc=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
@@ -945,16 +946,12 @@ github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
 github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/vbatts/go-mtree v0.7.0 h1:ytmOc3MTRidZiBi9VBCyZ2BHe4fZS47L5v7BVXDWW4E=
 github.com/vbatts/go-mtree v0.7.0/go.mod h1:EjdpFC+LZy1TXbRGNa1MKKgjQ+7ew3foMFJK8o4/TdY=
-github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4=
-github.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
 github.com/vifraa/gopom v1.0.0 h1:L9XlKbyvid8PAIK8nr0lihMApJQg/12OBvMA28BcWh0=
 github.com/vifraa/gopom v1.0.0/go.mod h1:oPa1dcrGrtlO37WPDBm5SqHAT+wTgF8An1Q71Z6Vv4o=
 github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 h1:jIVmlAFIqV3d+DOxazTR9v+zgj8+VYuQBzPgBZvWBHA=
 github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651/go.mod h1:b26F2tHLqaoRQf8DywqzVaV1MQ9yvjb0OMcNl7Nxu20=
 github.com/wagoodman/go-progress v0.0.0-20260303201901-10176f79b2c0 h1:EHsPe0Q0ANoLOZff1dBLAyeWLTA4sbPTpGI+2zb0FnM=
 github.com/wagoodman/go-progress v0.0.0-20260303201901-10176f79b2c0/go.mod h1:g/D9uEUFp5YLyciwCpVsSOZOm56hfv4rzGJod6MlqIM=
-github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
-github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@@ -998,10 +995,10 @@ go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/detectors/gcp v1.39.0 h1:kWRNZMsfBHZ+uHjiH4y7Etn2FK26LAGkNFw7RHv1DhE=
 go.opentelemetry.io/contrib/detectors/gcp v1.39.0/go.mod h1:t/OGqzHBa5v6RHZwrDBJ2OirWc+4q/w2fTbLZwAKjTk=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 h1:YH4g8lQroajqUwWbq/tr2QX1JFmEXaDLgG+ew9bLMWo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.68.0 h1:0Qx7VGBacMm9ZENQ7TnNObTYI4ShC+lHI16seduaxZo=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.68.0/go.mod h1:Sje3i3MjSPKTSPvVWCaL8ugBzJwik3u4smCjUeuupqg=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 h1:CqXxU8VOmDefoh0+ztfGaymYbhdB/tT3zs79QaZTNGY=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0/go.mod h1:BuhAPThV8PBHBvg8ZzZ/Ok3idOdhWIodywz2xEcRbJo=
 go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
 go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.40.0 h1:ZrPRak/kS4xI3AVXy8F7pipuDXmDsrO8Lg+yQjBLjw0=
@@ -1022,6 +1019,8 @@ go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9i
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+go.yaml.in/yaml/v4 v4.0.0-rc.2 h1:/FrI8D64VSr4HtGIlUtlFMGsm7H7pWTbj6vOLVZcA6s=
+go.yaml.in/yaml/v4 v4.0.0-rc.2/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
 go4.org v0.0.0-20230225012048-214862532bf5 h1:nifaUDeh+rPaBCMPMQHZmvJf+QdpLFnuQPwx+LxVmtc=
 go4.org v0.0.0-20230225012048-214862532bf5/go.mod h1:F57wTi5Lrj6WLyswp5EYV1ncrEbFGHD4hhz6S1ZYeaU=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -1036,8 +1035,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
+golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1048,8 +1047,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
-golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1077,8 +1076,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
+golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1123,8 +1122,8 @@ golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1232,13 +1231,13 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1249,8 +1248,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1311,16 +1310,16 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
-golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
+golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
+golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
-gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
-gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -1427,10 +1426,10 @@ google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ6
 google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 h1:VQZ/yAbAtjkHgH80teYd2em3xtIkkHd7ZhqfH2N9CsM=
 google.golang.org/genproto v0.0.0-20260128011058-8636f8732409/go.mod h1:rxKD3IEILWEu3P44seeNOAwZN4SaoKaQ/2eTg4mM6EM=
-google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 h1:7ei4lp52gK1uSejlA8AZl5AJjeLUOHBQscRQZUgAcu0=
-google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA=
+google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d h1:wT2n40TBqFY6wiwazVK9/iTWbsQrgk5ZfCSVFLO9LQA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -1458,8 +1457,8 @@ google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
-google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
+google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@@ -1474,8 +1473,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
-google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af h1:+5/Sw3GsDNlEmu7TfklWKPdQ0Ykja5VEmq2i817+jbI=
+google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1506,10 +1505,10 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
-modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
-modernc.org/ccgo/v4 v4.32.0 h1:hjG66bI/kqIPX1b2yT6fr/jt+QedtP2fqojG2VrFuVw=
-modernc.org/ccgo/v4 v4.32.0/go.mod h1:6F08EBCx5uQc38kMGl+0Nm0oWczoo1c7cgpzEry7Uc0=
+modernc.org/cc/v4 v4.28.2 h1:3tQ0lf2ADtoby2EtSP+J7IE2SHwEJdP8ioR59wx7XpY=
+modernc.org/cc/v4 v4.28.2/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
+modernc.org/ccgo/v4 v4.34.0 h1:yRLPFZieg532OT4rp4JFNIVcquwalMX26G95WQDqwCQ=
+modernc.org/ccgo/v4 v4.34.0/go.mod h1:AS5WYMyBakQ+fhsHhtP8mWB82KTGPkNNJDGfGQCe0/A=
 modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
 modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
@@ -1518,18 +1517,18 @@ modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
 modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.70.0 h1:U58NawXqXbgpZ/dcdS9kMshu08aiA6b7gusEusqzNkw=
-modernc.org/libc v1.70.0/go.mod h1:OVmxFGP1CI/Z4L3E0Q3Mf1PDE0BucwMkcXjjLntvHJo=
+modernc.org/libc v1.72.3 h1:ZnDF4tXn4NBXFutMMQC4vtbTFSXhhKzR73fv0beZEAU=
+modernc.org/libc v1.72.3/go.mod h1:dn0dZNnnn1clLyvRxLxYExxiKRZIRENOfqQ8XEeg4Qs=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
 modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
-modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
-modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
+modernc.org/opt v0.2.0 h1:tGyef5ApycA7FSEOMraay9SaTk5zmbx7Tu+cJs4QKZg=
+modernc.org/opt v0.2.0/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.46.2 h1:gkXQ6R0+AjxFC/fTDaeIVLbNLNrRoOK7YYVz5BKhTcE=
-modernc.org/sqlite v1.46.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig=
+modernc.org/sqlite v1.51.0 h1:aH/MMSoayAIhozZ7uJbVTT9QO/VhzBf0J9tymmmuC/U=
+modernc.org/sqlite v1.51.0/go.mod h1:tcNzv5p84E0skkmJn038y+hWJbLQXQqEnQfeh5r2JLM=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=

install.sh

@@ -154,6 +154,7 @@ uname_arch_check() (
     mipsle) return 0 ;;
     mips64) return 0 ;;
     mips64le) return 0 ;;
+    riscv64) return 0 ;;
     s390x) return 0 ;;
     amd64p32) return 0 ;;
   esac

internal/capabilities/generate/merge.go

@@ -490,11 +490,15 @@ func (e *EnrichmentData) EnrichWithBinaryClassifier(catalogerName string, entry
 			}
 
 			for _, o := range binaryClassifierOverrides[classifier.Class] {
+				cpeStrings := make([]string, len(o.CPEs))
+				for i, c := range o.CPEs {
+					cpeStrings[i] = c.Attributes.BindToFmtString()
+				}
 				packages = append(packages, capabilities.DetectorPackageInfo{
 					Class: o.Class,
 					Name:  o.Package,
 					PURL:  stripPURLVersion(o.PURL),
-					CPEs:  o.CPEs,
+					CPEs:  cpeStrings,
 					Type:  "BinaryPkg",
 				})
 			}

internal/capabilities/generate/overrides.go

@@ -10,7 +10,7 @@ type binaryClassifierOverride struct {
 	Class   string
 	Package string
 	PURL    string
-	CPEs    []string
+	CPEs    []cpe.CPE
 }
 
 var binaryClassifierOverrides = map[string][]binaryClassifierOverride{
@@ -96,12 +96,61 @@ var binaryClassifierOverrides = map[string][]binaryClassifierOverride{
 			CPEs:    singleCPE("cpe:2.3:a:oracle:jdk:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 		},
 	},
+	"openssl-binary": {
+		{
+			Class:   "openssl-binary-aws-lc",
+			Package: "aws-lc",
+			PURL:    mustPURL("pkg:generic/aws-lc@version"),
+			CPEs:    singleCPE("cpe:2.3:a:amazon:aws_libcrypto:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+		},
+		{
+			Class:   "openssl-binary",
+			Package: "openssl",
+			PURL:    mustPURL("pkg:generic/openssl@version"),
+			CPEs:    singleCPE("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+		},
+	},
+	"mysqld-binary": {
+		{
+			Class:   "mysqld-mysql-cluster-legacy-binary",
+			Package: "mysql-cluster",
+			PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
+			CPEs: []cpe.CPE{
+				cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+			},
+		},
+		{
+			Class:   "mysqld-mysql-cluster-binary",
+			Package: "mysql-cluster",
+			PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
+			CPEs: []cpe.CPE{
+				cpe.Must("cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+				cpe.Must("cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+				cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+			},
+		},
+		{
+			Class:   "mysqld-mysql-server-binary",
+			Package: "mysql-server",
+			PURL:    mustPURL("pkg:generic/mysql-server@version"),
+			CPEs: []cpe.CPE{
+				cpe.Must("cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+				cpe.Must("cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+			},
+		},
+	},
 }
 
 func mustPURL(purl string) string {
 	return purl
 }
 
-func singleCPE(cpeString string, _ ...any) []string {
-	return []string{cpeString}
+func singleCPE(cpeString string, source ...cpe.Source) []cpe.CPE {
+	src := cpe.GeneratedSource
+	if len(source) > 0 {
+		src = source[0]
+	}
+	return []cpe.CPE{
+		cpe.Must(cpeString, src),
+	}
 }

internal/constants.go

@@ -3,12 +3,13 @@ package internal
 const (
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "16.1.3"
+	JSONSchemaVersion = "16.1.4"
 
 	// Changelog
 	// 16.1.0 - reformulated the python pdm fields (added "URL" and removed the unused "path" field).
 	// 16.1.1 - correct elf package osCpe field according to the document of systemd (also add appCpe field)
 	// 16.1.2 - placeholder for 16.1.2 changelog
 	// 16.1.3 - add GGUFFileParts to GGUFFileHeader metadata
+	// 16.1.4 - add BunLockEntry metadata type for bun.lock support
 
 )

internal/file/copy.go

@@ -12,8 +12,20 @@ const perFileReadLimit = 2 * GB
 // protect against decompression bomb attacks.
 func safeCopy(writer io.Writer, reader io.Reader) error {
 	numBytes, err := io.Copy(writer, io.LimitReader(reader, perFileReadLimit))
-	if numBytes >= perFileReadLimit || errors.Is(err, io.EOF) {
+	if numBytes >= perFileReadLimit {
 		return fmt.Errorf("zip read limit hit (potential decompression bomb attack)")
 	}
+	// Propagate decompression / read errors up to the caller. io.Copy
+	// on the happy path returns (n, nil); the only way err is non-nil
+	// here is that the underlying reader surfaced a real failure
+	// ("flate: corrupt input before offset X" on a mangled ZIP entry,
+	// a network-backed reader erroring mid-stream, etc.). The previous
+	// implementation dropped that error and the caller stored a
+	// partial / empty buffer as a "successful" extract, which silently
+	// downgraded Java cataloger output and caused SBOM scanners to
+	// miss known CVEs (#4806).
+	if err != nil && !errors.Is(err, io.EOF) {
+		return fmt.Errorf("failed to read archive entry: %w", err)
+	}
 	return nil
 }

internal/file/copy_test.go

@@ -0,0 +1,64 @@
+package file
+
+import (
+	"bytes"
+	"errors"
+	"io"
+	"strings"
+	"testing"
+)
+
+// errReader returns a deterministic non-EOF error after emitting some
+// bytes, mimicking what compress/flate does when it hits a corrupt
+// stream mid-entry.
+type errReader struct {
+	data []byte
+	err  error
+	off  int
+}
+
+func (r *errReader) Read(p []byte) (int, error) {
+	if r.off >= len(r.data) {
+		return 0, r.err
+	}
+	n := copy(p, r.data[r.off:])
+	r.off += n
+	return n, nil
+}
+
+func TestSafeCopy(t *testing.T) {
+	t.Run("clean copy returns nil", func(t *testing.T) {
+		var buf bytes.Buffer
+		if err := safeCopy(&buf, strings.NewReader("hello")); err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if got := buf.String(); got != "hello" {
+			t.Fatalf("unexpected buffer contents: %q", got)
+		}
+	})
+
+	t.Run("propagates decompression error", func(t *testing.T) {
+		// #4806: safeCopy used to drop non-EOF errors, so the caller
+		// would persist a partial buffer as a successful extract and
+		// downstream catalogers silently read empty manifests.
+		sentinel := errors.New("flate: corrupt input before offset 42")
+		var buf bytes.Buffer
+		err := safeCopy(&buf, &errReader{data: []byte("partial"), err: sentinel})
+		if err == nil {
+			t.Fatalf("expected error to be returned, got nil")
+		}
+		if !errors.Is(err, sentinel) {
+			t.Fatalf("error does not wrap sentinel: %v", err)
+		}
+	})
+
+	t.Run("EOF is not treated as an error", func(t *testing.T) {
+		// The old code had a dead io.EOF branch that labelled clean
+		// reads as decompression bombs; keep the happy path clean.
+		var buf bytes.Buffer
+		err := safeCopy(&buf, io.LimitReader(strings.NewReader("abc"), 3))
+		if err != nil {
+			t.Fatalf("unexpected error on clean copy: %v", err)
+		}
+	})
+}

internal/file/squashfs.go

@@ -5,6 +5,7 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/diskfs/go-diskfs/filesystem"
 )
@@ -14,8 +15,7 @@ type WalkDiskDirFunc func(fsys filesystem.FileSystem, path string, d os.FileInfo
 // WalkDiskDir walks the file tree within the go-diskfs filesystem at root, calling fn for each file or directory in the tree, including root.
 // This is meant to mimic the behavior of fs.WalkDir in the standard library.
 func WalkDiskDir(fsys filesystem.FileSystem, root string, fn WalkDiskDirFunc) error {
-	infos, err := fsys.ReadDir(root)
-
+	infos, err := readDiskDir(fsys, root)
 	if err != nil {
 		return err
 	}
@@ -51,7 +51,7 @@ func walkDiskDir(fsys filesystem.FileSystem, name string, d os.FileInfo, walkDir
 
 	isDir := d != nil && d.IsDir()
 	if d == nil {
-		_, err := fsys.ReadDir(name)
+		_, err := readDiskDir(fsys, name)
 		if err != nil {
 			return nil
 		}
@@ -62,7 +62,7 @@ func walkDiskDir(fsys filesystem.FileSystem, name string, d os.FileInfo, walkDir
 		return nil
 	}
 
-	dirs, err := fsys.ReadDir(name)
+	dirs, err := readDiskDir(fsys, name)
 	if err != nil {
 		err = walkDirFn(fsys, name, d, err)
 		if err != nil {
@@ -87,3 +87,33 @@ func walkDiskDir(fsys filesystem.FileSystem, name string, d os.FileInfo, walkDir
 	}
 	return nil
 }
+
+// readDiskDir reads the directory entries at the given path from a go-diskfs filesystem.
+// go-diskfs returns fs.DirEntry values; these are resolved to os.FileInfo so callers have
+// access to the full file metadata (mode, size, modification time).
+func readDiskDir(fsys filesystem.FileSystem, p string) ([]os.FileInfo, error) {
+	entries, err := fsys.ReadDir(ToFSPath(p))
+	if err != nil {
+		return nil, err
+	}
+
+	infos := make([]os.FileInfo, 0, len(entries))
+	for _, entry := range entries {
+		info, err := entry.Info()
+		if err != nil {
+			return nil, err
+		}
+		infos = append(infos, info)
+	}
+	return infos, nil
+}
+
+// ToFSPath converts an absolute ("/"-rooted) path into an io/fs-valid path as required by
+// go-diskfs, where the root is "." and other paths carry no leading slash (see io/fs.ValidPath).
+func ToFSPath(p string) string {
+	p = strings.TrimPrefix(p, "/")
+	if p == "" {
+		return "."
+	}
+	return p
+}

internal/file/squashfs_test.go

@@ -43,10 +43,10 @@ func createTestFS(t *testing.T) filesystem.FileSystem {
 
 	for _, tf := range testFiles {
 		if tf.isDir {
-			err := fsys.Mkdir(tf.path)
+			err := fsys.Mkdir(ToFSPath(tf.path))
 			require.NoError(t, err)
 		} else {
-			f, err := fsys.OpenFile(tf.path, os.O_CREATE|os.O_RDWR)
+			f, err := fsys.OpenFile(ToFSPath(tf.path), os.O_CREATE|os.O_RDWR)
 			require.NoError(t, err)
 			_, err = f.Write([]byte(tf.content))
 			require.NoError(t, err)

internal/jsonschema/comments_test.go

@@ -6,9 +6,9 @@ import (
 	"testing"
 
 	"github.com/invopop/jsonschema"
+	orderedmap "github.com/pb33f/ordered-map/v2"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	orderedmap "github.com/wk8/go-ordered-map/v2"
 )
 
 // TestCopyAliasFieldComments verifies that field comments from source types are correctly copied to alias types.

internal/packagemetadata/generated.go

@@ -11,6 +11,7 @@ func AllTypes() []any {
 		pkg.ApkDBEntry{},
 		pkg.BinarySignature{},
 		pkg.BitnamiSBOMEntry{},
+		pkg.BunLockEntry{},
 		pkg.CocoaPodfileLockEntry{},
 		pkg.ConanV1LockEntry{},
 		pkg.ConanV2LockEntry{},

internal/packagemetadata/names.go

@@ -96,6 +96,7 @@ var jsonTypes = makeJSONTypes(
 	jsonNames(pkg.NpmPackageLockEntry{}, "javascript-npm-package-lock-entry", "NpmPackageLockJsonMetadata"),
 	jsonNames(pkg.YarnLockEntry{}, "javascript-yarn-lock-entry", "YarnLockJsonMetadata"),
 	jsonNames(pkg.PnpmLockEntry{}, "javascript-pnpm-lock-entry"),
+	jsonNames(pkg.BunLockEntry{}, "javascript-bun-lock-entry"),
 	jsonNames(pkg.PEBinary{}, "pe-binary"),
 	jsonNames(pkg.PhpComposerLockEntry{}, "php-composer-lock-entry", "PhpComposerJsonMetadata"),
 	jsonNamesWithoutLookup(pkg.PhpComposerInstalledEntry{}, "php-composer-installed-entry", "PhpComposerJsonMetadata"), // the legacy value is split into two types, where the other is preferred

internal/task/package_tasks.go

@@ -161,7 +161,7 @@ func DefaultPackageTaskFactories() Factories {
 			pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "binary",
 		),
 		newSimplePackageTaskFactory(binary.NewELFPackageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "binary", "elf-package", "elf"),
-		newSimplePackageTaskFactory(binary.NewPEPackageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "binary", "pe-package", "pe", "dll", "exe"),
+		newSimplePackageTaskFactory(binary.NewPEPackageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "binary", "pe-package", "pe", "dll", "exe", "bpl"),
 		newSimplePackageTaskFactory(githubactions.NewActionUsageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, "github", "github-actions"),
 		newSimplePackageTaskFactory(githubactions.NewWorkflowUsageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, "github", "github-actions"),
 		newSimplePackageTaskFactory(java.NewJvmDistributionCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "java", "jvm", "jdk", "jre"),

schema/cyclonedx/cyclonedx.json

@@ -5132,6 +5132,7 @@
                 "armv9-a",
                 "armv9-m",
                 "s390x",
+                "riscv64",
                 "ppc64",
                 "ppc64le",
                 "other",

schema/cyclonedx/cyclonedx.xsd

@@ -6471,6 +6471,7 @@ limitations under the License.
                                     <xs:enumeration value="armv9-a"/>
                                     <xs:enumeration value="armv9-m"/>
                                     <xs:enumeration value="s390x"/>
+                                    <xs:enumeration value="riscv64"/>
                                     <xs:enumeration value="ppc64"/>
                                     <xs:enumeration value="ppc64le"/>
                                     <xs:enumeration value="other"/>

schema/json/schema-latest.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "anchore.io/schema/syft/json/16.1.3/document",
+  "$id": "anchore.io/schema/syft/json/16.1.4/document",
   "$ref": "#/$defs/Document",
   "$defs": {
     "AlpmDbEntry": {
@@ -1918,6 +1918,61 @@
       "type": "object",
       "description": "JavaVMRelease represents JVM version and build information extracted from the release file in a Java installation."
     },
+    "JavascriptBunLockEntry": {
+      "properties": {
+        "integrity": {
+          "type": "string",
+          "description": "Integrity is Subresource Integrity hash for verification (SRI format)"
+        },
+        "dependencies": {
+          "additionalProperties": {
+            "type": "string"
+          },
+          "type": "object",
+          "description": "Dependencies is a map of runtime dependencies and their version specifiers"
+        },
+        "optionalDependencies": {
+          "additionalProperties": {
+            "type": "string"
+          },
+          "type": "object",
+          "description": "OptionalDependencies is a map of optional dependencies and their version specifiers"
+        },
+        "peerDependencies": {
+          "additionalProperties": {
+            "type": "string"
+          },
+          "type": "object",
+          "description": "PeerDependencies is a map of peer dependencies and their version specifiers"
+        },
+        "bin": {
+          "additionalProperties": {
+            "type": "string"
+          },
+          "type": "object",
+          "description": "Bin is a map of binary names to the paths they are installed to"
+        },
+        "os": {
+          "type": "string",
+          "description": "OS is the operating system constraint for the package (e.g. \"darwin\")"
+        },
+        "cpu": {
+          "type": "string",
+          "description": "CPU is the CPU architecture constraint for the package (e.g. \"arm64\")"
+        }
+      },
+      "type": "object",
+      "required": [
+        "integrity",
+        "dependencies",
+        "optionalDependencies",
+        "peerDependencies",
+        "bin",
+        "os",
+        "cpu"
+      ],
+      "description": "BunLockEntry represents a single entry in the \"packages\" section of a bun.lock file"
+    },
     "JavascriptNpmPackage": {
       "properties": {
         "name": {
@@ -2657,6 +2712,9 @@
             {
               "$ref": "#/$defs/JavaJvmInstallation"
             },
+            {
+              "$ref": "#/$defs/JavascriptBunLockEntry"
+            },
             {
               "$ref": "#/$defs/JavascriptNpmPackage"
             },

syft/file/cataloger/executable/testdata/elf/Makefile

@@ -15,14 +15,18 @@ fixtures: build verify
 # requirement 2: 'fingerprint' goal to determine if the fixture input that indicates any existing cache should be busted
 fingerprint: $(FINGERPRINT_FILE)
 
-tools-check:
-	@sha256sum -c Dockerfile.sha256 || (echo "Tools Dockerfile has changed" && exit 1)
-
 # for selfrando...
 # docker buildx build --platform linux/amd64 -t $(TOOL_IMAGE) .
 
 tools:
-	@(docker image inspect $(TOOL_IMAGE) > /dev/null 2>&1 && make tools-check) || (docker build -t $(TOOL_IMAGE) . && sha256sum Dockerfile > Dockerfile.sha256)
+	@if docker image inspect $(TOOL_IMAGE) > /dev/null 2>&1 \
+	   && test -f Dockerfile.sha256 \
+	   && sha256sum --quiet -c Dockerfile.sha256 2>/dev/null; then \
+	  : ; \
+	else \
+	  docker build -t $(TOOL_IMAGE) . \
+	  && sha256sum Dockerfile > Dockerfile.sha256; \
+	fi
 
 build: tools
 	mkdir -p $(BIN)
@@ -46,4 +50,4 @@ $(FINGERPRINT_FILE):
 clean:
 	rm -rf $(BIN) Dockerfile.sha256 $(VERIFY_FILE) $(FINGERPRINT_FILE)
 
-.PHONY: tools tools-check build verify debug clean
+.PHONY: tools build verify debug clean

syft/file/cataloger/executable/testdata/shared-info/Makefile

@@ -15,11 +15,15 @@ fixtures: build
 # requirement 2: 'fingerprint' goal to determine if the fixture input that indicates any existing cache should be busted
 fingerprint: $(FINGERPRINT_FILE)
 
-tools-check:
-	@sha256sum -c Dockerfile.sha256 || (echo "Tools Dockerfile has changed" && exit 1)
-
 tools:
-	@(docker image inspect $(TOOL_IMAGE) > /dev/null 2>&1 && make tools-check) || (docker build --platform linux/amd64 -t $(TOOL_IMAGE) . && sha256sum Dockerfile > Dockerfile.sha256)
+	@if docker image inspect $(TOOL_IMAGE) > /dev/null 2>&1 \
+	   && test -f Dockerfile.sha256 \
+	   && sha256sum --quiet -c Dockerfile.sha256 2>/dev/null; then \
+	  : ; \
+	else \
+	  docker build --platform linux/amd64 -t $(TOOL_IMAGE) . \
+	  && sha256sum Dockerfile > Dockerfile.sha256; \
+	fi
 
 build: tools
 	@mkdir -p $(BIN)
@@ -38,4 +42,4 @@ $(FINGERPRINT_FILE):
 clean:
 	rm -rf $(BIN) Dockerfile.sha256 $(VERIFY_FILE) $(FINGERPRINT_FILE)
 
-.PHONY: tools tools-check build debug clean
+.PHONY: tools build debug clean

syft/format/internal/spdxutil/helpers/originator_supplier_test.go

@@ -13,6 +13,7 @@ func Test_OriginatorSupplier(t *testing.T) {
 	completionTester := packagemetadata.NewCompletionTester(t,
 		pkg.BinarySignature{},
 		pkg.BitnamiSBOMEntry{},
+		pkg.BunLockEntry{},
 		pkg.CocoaPodfileLockEntry{},
 		pkg.ConanV1LockEntry{},
 		pkg.ConanV2LockEntry{}, // the field Username might be the username of either the package originator or the supplier (unclear currently)

syft/pkg/cataloger/binary/capabilities.yaml

@@ -66,6 +66,16 @@ catalogers:
             cpes:
               - cpe:2.3:a:julialang:julia:*:*:*:*:*:*:*:*
             type: BinaryPkg
+      - method: glob
+        criteria:
+          - '**/julia'
+        packages:
+          - class: julia-binary
+            name: julia
+            purl: pkg:generic/julia
+            cpes:
+              - cpe:2.3:a:julialang:julia:*:*:*:*:*:*:*:*
+            type: BinaryPkg
       - method: glob
         criteria:
           - '**/helm'
@@ -242,6 +252,77 @@ catalogers:
               - cpe:2.3:a:percona:percona_server:*:*:*:*:*:*:*:*
               - cpe:2.3:a:percona:xtradb_cluster:*:*:*:*:*:*:*:*
             type: BinaryPkg
+      - method: glob
+        criteria:
+          - '**/mysqld'
+        packages:
+          - class: mysqld-mysql-cluster-legacy-binary
+            name: mysql-server
+            purl: pkg:generic/mysql-server
+            cpes:
+              - cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
+              - cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
+            type: BinaryPkg
+      - method: glob
+        criteria:
+          - '**/mysqld'
+        packages:
+          - class: mysqld-binary
+            name: ""
+            purl: pkg:/
+            cpes: []
+            type: BinaryPkg
+          - class: mysqld-mysql-cluster-legacy-binary
+            name: mysql-cluster
+            purl: pkg:generic/mysql-cluster
+            cpes:
+              - cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
+            type: BinaryPkg
+          - class: mysqld-mysql-cluster-binary
+            name: mysql-cluster
+            purl: pkg:generic/mysql-cluster
+            cpes:
+              - cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
+              - cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
+              - cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
+            type: BinaryPkg
+          - class: mysqld-mysql-server-binary
+            name: mysql-server
+            purl: pkg:generic/mysql-server
+            cpes:
+              - cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
+              - cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
+            type: BinaryPkg
+      - method: glob
+        criteria:
+          - '**/ndbd'
+        packages:
+          - class: ndbd-binary
+            name: mysql-cluster
+            purl: pkg:generic/mysql-cluster
+            cpes:
+              - cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
+            type: BinaryPkg
+      - method: glob
+        criteria:
+          - '**/ndbmtd'
+        packages:
+          - class: ndbmtd-binary
+            name: mysql-cluster
+            purl: pkg:generic/mysql-cluster
+            cpes:
+              - cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
+            type: BinaryPkg
+      - method: glob
+        criteria:
+          - '**/ndb_mgmd'
+        packages:
+          - class: ndb_mgmd-binary
+            name: mysql-cluster
+            purl: pkg:generic/mysql-cluster
+            cpes:
+              - cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
+            type: BinaryPkg
       - method: glob
         criteria:
           - '**/xtrabackup'
@@ -427,6 +508,17 @@ catalogers:
         criteria:
           - '**/openssl'
         packages:
+          - class: openssl-binary
+            name: ""
+            purl: pkg:/
+            cpes: []
+            type: BinaryPkg
+          - class: openssl-binary-aws-lc
+            name: aws-lc
+            purl: pkg:generic/aws-lc
+            cpes:
+              - cpe:2.3:a:amazon:aws_libcrypto:*:*:*:*:*:*:*:*
+            type: BinaryPkg
           - class: openssl-binary
             name: openssl
             purl: pkg:generic/openssl
@@ -684,6 +776,16 @@ catalogers:
             cpes:
               - cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*
             type: BinaryPkg
+      - method: glob
+        criteria:
+          - '**/nginx-ingress-controller'
+        packages:
+          - class: ingress-nginx-binary
+            name: nginx-ingress-controller
+            purl: pkg:generic/nginx-ingress-controller
+            cpes:
+              - cpe:2.3:a:kubernetes:ingress-nginx:*:*:*:*:*:*:*:*
+            type: BinaryPkg
       - method: glob
         criteria:
           - '**/java'
@@ -855,6 +957,7 @@ catalogers:
       function: NewPEPackageCataloger
     selectors: # AUTO-GENERATED
       - binary
+      - bpl
       - declared
       - directory
       - dll
@@ -871,6 +974,7 @@ catalogers:
           criteria: # AUTO-GENERATED
             - '**/*.dll'
             - '**/*.exe'
+            - '**/*.bpl'
         metadata_types: # AUTO-GENERATED
           - pkg.PEBinary
         package_types: # AUTO-GENERATED

syft/pkg/cataloger/binary/classifier_cataloger_test.go

@@ -36,8 +36,9 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 		// or testdata/classifiers/bin directory . Snippets are searched for first, and if not found, then existing binaries are
 		// used. If no binary or snippet is found the test will fail. If '-must-use-original-binaries' is used the only
 		// full binaries are tested (no snippets), and if no binary is found the test will be skipped.
-		logicalFixture string
-		expected       pkg.Package
+		logicalFixture   string
+		expected         pkg.Package
+		expectedPackages []pkg.Package
 	}{
 		{
 			logicalFixture: "arangodb/3.11.8/linux-amd64",
@@ -206,6 +207,96 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				Metadata:  metadata("mariadb-binary"),
 			},
 		},
+		{
+			// RHEL / MariaDB.org tarball builds do not embed the "-MariaDB" marker; the version is only
+			// present in the build path (e.g. mariadb-11.8.5-2-redhat-x86_64). The release suffix ("-2")
+			// must not leak into the version. Regression for anchore/grype#3452.
+			logicalFixture: "mariadb/11.8.5/linux-amd64",
+			expected: pkg.Package{
+				Name:      "mariadb",
+				Version:   "11.8.5",
+				Type:      "binary",
+				PURL:      "pkg:generic/mariadb@11.8.5",
+				Locations: locations("mariadb"),
+				Metadata:  metadata("mariadb-binary"),
+			},
+		},
+		{
+			logicalFixture: "mysqld/9.7.0/linux-amd64",
+			expected: pkg.Package{
+				Name:      "mysql-server",
+				Version:   "9.7.0",
+				Type:      "binary",
+				PURL:      "pkg:generic/mysql-server@9.7.0",
+				Locations: locations("mysqld"),
+				Metadata:  metadata("mysqld-mysql-server-binary"),
+			},
+		},
+		{
+			logicalFixture: "mysql-cluster/9.7.0/linux-amd64",
+			expected: pkg.Package{
+				Name:      "mysql-cluster",
+				Version:   "9.7.0",
+				Type:      "binary",
+				PURL:      "pkg:generic/mysql-cluster@9.7.0",
+				Locations: locations("mysqld"),
+				Metadata:  metadata("mysqld-mysql-cluster-binary"),
+			},
+		},
+		{
+			logicalFixture: "mysql-cluster/7.6.17/linux-amd64",
+			expectedPackages: []pkg.Package{
+				{
+					Name:      "mysql-server",
+					Version:   "5.7.33",
+					Type:      "binary",
+					PURL:      "pkg:generic/mysql-server@5.7.33",
+					Locations: locations("mysqld"),
+					Metadata:  metadata("mysqld-mysql-cluster-legacy-binary"),
+				},
+				{
+					Name:      "mysql-cluster",
+					Version:   "7.6.17",
+					Type:      "binary",
+					PURL:      "pkg:generic/mysql-cluster@7.6.17",
+					Locations: locations("mysqld"),
+					Metadata:  metadata("mysqld-mysql-cluster-legacy-binary"),
+				},
+			},
+		},
+		{
+			logicalFixture: "ndbd/9.7.0/linux-amd64",
+			expected: pkg.Package{
+				Name:      "mysql-cluster",
+				Version:   "9.7.0",
+				Type:      "binary",
+				PURL:      "pkg:generic/mysql-cluster@9.7.0",
+				Locations: locations("ndbd"),
+				Metadata:  metadata("ndbd-binary"),
+			},
+		},
+		{
+			logicalFixture: "ndbmtd/9.7.0/linux-amd64",
+			expected: pkg.Package{
+				Name:      "mysql-cluster",
+				Version:   "9.7.0",
+				Type:      "binary",
+				PURL:      "pkg:generic/mysql-cluster@9.7.0",
+				Locations: locations("ndbmtd"),
+				Metadata:  metadata("ndbmtd-binary"),
+			},
+		},
+		{
+			logicalFixture: "ndb_mgmd/9.7.0/linux-amd64",
+			expected: pkg.Package{
+				Name:      "mysql-cluster",
+				Version:   "9.7.0",
+				Type:      "binary",
+				PURL:      "pkg:generic/mysql-cluster@9.7.0",
+				Locations: locations("ndb_mgmd"),
+				Metadata:  metadata("ndb_mgmd-binary"),
+			},
+		},
 		{
 			logicalFixture: "mongodb/8.0.17/linux-amd64",
 			expected: pkg.Package{
@@ -432,6 +523,39 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				Metadata:  metadata("haproxy-binary"),
 			},
 		},
+		{
+			logicalFixture: "helm/4.1.4/linux-s390x",
+			expected: pkg.Package{
+				Name:      "helm",
+				Version:   "4.1.4",
+				Type:      "binary",
+				PURL:      "pkg:golang/helm.sh/helm@4.1.4",
+				Locations: locations("helm"),
+				Metadata:  metadata("helm"),
+			},
+		},
+		{
+			logicalFixture: "helm/3.15.2/linux-amd64",
+			expected: pkg.Package{
+				Name:      "helm",
+				Version:   "3.15.2",
+				Type:      "binary",
+				PURL:      "pkg:golang/helm.sh/helm@3.15.2",
+				Locations: locations("helm"),
+				Metadata:  metadata("helm"),
+			},
+		},
+		{
+			logicalFixture: "helm/3.12.0/linux-s390x",
+			expected: pkg.Package{
+				Name:      "helm",
+				Version:   "3.12.0",
+				Type:      "binary",
+				PURL:      "pkg:golang/helm.sh/helm@3.12.0",
+				Locations: locations("helm"),
+				Metadata:  metadata("helm"),
+			},
+		},
 		{
 			logicalFixture: "helm/3.11.1/linux-amd64",
 			expected: pkg.Package{
@@ -443,6 +567,39 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				Metadata:  metadata("helm"),
 			},
 		},
+		{
+			logicalFixture: "helm/3.0.0-alpha.1/linux-amd64",
+			expected: pkg.Package{
+				Name:      "helm",
+				Version:   "3.0.0-alpha.1",
+				Type:      "binary",
+				PURL:      "pkg:golang/helm.sh/helm@3.0.0-alpha.1",
+				Locations: locations("helm"),
+				Metadata:  metadata("helm"),
+			},
+		},
+		{
+			logicalFixture: "helm/2.17.0-rc.1/linux-amd64",
+			expected: pkg.Package{
+				Name:      "helm",
+				Version:   "2.17.0-rc.1",
+				Type:      "binary",
+				PURL:      "pkg:golang/helm.sh/helm@2.17.0-rc.1",
+				Locations: locations("helm"),
+				Metadata:  metadata("helm"),
+			},
+		},
+		{
+			logicalFixture: "helm/2.0.0-beta.2/linux-amd64",
+			expected: pkg.Package{
+				Name:      "helm",
+				Version:   "2.0.0-beta.2",
+				Type:      "binary",
+				PURL:      "pkg:golang/helm.sh/helm@2.0.0-beta.2",
+				Locations: locations("helm"),
+				Metadata:  metadata("helm"),
+			},
+		},
 		{
 			logicalFixture: "helm/3.10.3/linux-amd64",
 			expected: pkg.Package{
@@ -1331,6 +1488,50 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				Metadata:  metadata("dart-binary"),
 			},
 		},
+		{
+			logicalFixture: "deno/1.10.3/linux-amd64",
+			expected: pkg.Package{
+				Name:      "deno",
+				Version:   "1.10.3",
+				Type:      "binary",
+				PURL:      "pkg:generic/deno@1.10.3",
+				Locations: locations("deno"),
+				Metadata:  metadata("deno-binary"),
+			},
+		},
+		{
+			logicalFixture: "deno/1.16.4/linux-amd64",
+			expected: pkg.Package{
+				Name:      "deno",
+				Version:   "1.16.4",
+				Type:      "binary",
+				PURL:      "pkg:generic/deno@1.16.4",
+				Locations: locations("deno"),
+				Metadata:  metadata("deno-binary"),
+			},
+		},
+		{
+			logicalFixture: "deno/1.28.3/linux-amd64",
+			expected: pkg.Package{
+				Name:      "deno",
+				Version:   "1.28.3",
+				Type:      "binary",
+				PURL:      "pkg:generic/deno@1.28.3",
+				Locations: locations("deno"),
+				Metadata:  metadata("deno-binary"),
+			},
+		},
+		{
+			logicalFixture: "deno/1.29.4/linux-amd64",
+			expected: pkg.Package{
+				Name:      "deno",
+				Version:   "1.29.4",
+				Type:      "binary",
+				PURL:      "pkg:generic/deno@1.29.4",
+				Locations: locations("deno"),
+				Metadata:  metadata("deno-binary"),
+			},
+		},
 		{
 			logicalFixture: "deno/1.41.0/linux-amd64",
 			expected: pkg.Package{
@@ -1485,6 +1686,17 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				Metadata:  metadata("openssl-binary"),
 			},
 		},
+		{
+			logicalFixture: "aws-lc/1.69.0/linux-amd64",
+			expected: pkg.Package{
+				Name:      "aws-lc",
+				Version:   "1.69.0",
+				Type:      "binary",
+				PURL:      "pkg:generic/aws-lc@1.69.0",
+				Locations: locations("openssl"),
+				Metadata:  metadata("openssl-binary-aws-lc"),
+			},
+		},
 		{
 			logicalFixture: "openldap/2.6.10/linux-amd64",
 			expected: pkg.Package{
@@ -1754,6 +1966,25 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				},
 			},
 		},
+		{
+			// release-candidate elixir image — pre-fix the matchers stripped the
+			// "-rc.1" suffix from the elixir-library result and missed the
+			// elixir-binary entirely (#4819).
+			logicalFixture: "elixir/1.12.0-rc.1/linux-amd64",
+			expected: pkg.Package{
+				Name:      "elixir",
+				Version:   "1.12.0-rc.1",
+				Type:      "binary",
+				PURL:      "pkg:generic/elixir@1.12.0-rc.1",
+				Locations: locations("elixir", "lib/elixir/ebin/elixir.app"),
+				Metadata: pkg.BinarySignature{
+					Matches: []pkg.ClassifierMatch{
+						match("elixir-binary", "elixir"),
+						match("elixir-library", "lib/elixir/ebin/elixir.app"),
+					},
+				},
+			},
+		},
 		{
 			logicalFixture: "istio_pilot-discovery/1.29.0-alpha.0/linux-amd64",
 			expected: pkg.Package{
@@ -2227,6 +2458,205 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				Metadata:  metadata("envoy-binary"),
 			},
 		},
+		{
+			logicalFixture: "nginx-ingress-controller/1.15.1/linux-amd64",
+			expected: pkg.Package{
+				Name:      "nginx-ingress-controller",
+				Version:   "1.15.1",
+				Type:      "binary",
+				PURL:      "pkg:generic/nginx-ingress-controller@1.15.1",
+				Locations: locations("nginx-ingress-controller"),
+				Metadata:  metadata("ingress-nginx-binary"),
+			},
+		},
+		{
+			logicalFixture: "nginx-ingress-controller/1.11.8/linux-amd64",
+			expected: pkg.Package{
+				Name:      "nginx-ingress-controller",
+				Version:   "1.11.8",
+				Type:      "binary",
+				PURL:      "pkg:generic/nginx-ingress-controller@1.11.8",
+				Locations: locations("nginx-ingress-controller"),
+				Metadata:  metadata("ingress-nginx-binary"),
+			},
+		},
+		{
+			logicalFixture: "nginx-ingress-controller/1.9.6/linux-amd64",
+			expected: pkg.Package{
+				Name:      "nginx-ingress-controller",
+				Version:   "1.9.6",
+				Type:      "binary",
+				PURL:      "pkg:generic/nginx-ingress-controller@1.9.6",
+				Locations: locations("nginx-ingress-controller"),
+				Metadata:  metadata("ingress-nginx-binary"),
+			},
+		},
+		{
+			logicalFixture: "nginx-ingress-controller/1.7.1/linux-amd64",
+			expected: pkg.Package{
+				Name:      "nginx-ingress-controller",
+				Version:   "1.7.1",
+				Type:      "binary",
+				PURL:      "pkg:generic/nginx-ingress-controller@1.7.1",
+				Locations: locations("nginx-ingress-controller"),
+				Metadata:  metadata("ingress-nginx-binary"),
+			},
+		},
+		{
+			logicalFixture: "nginx-ingress-controller/1.12.0-beta.0/linux-amd64",
+			expected: pkg.Package{
+				Name:      "nginx-ingress-controller",
+				Version:   "1.12.0-beta.0",
+				Type:      "binary",
+				PURL:      "pkg:generic/nginx-ingress-controller@1.12.0-beta.0",
+				Locations: locations("nginx-ingress-controller"),
+				Metadata:  metadata("ingress-nginx-binary"),
+			},
+		},
+		{
+			logicalFixture: "nginx-ingress-controller/1.2.0-beta.1/linux-amd64",
+			expected: pkg.Package{
+				Name:      "nginx-ingress-controller",
+				Version:   "1.2.0-beta.1",
+				Type:      "binary",
+				PURL:      "pkg:generic/nginx-ingress-controller@1.2.0-beta.1",
+				Locations: locations("nginx-ingress-controller"),
+				Metadata:  metadata("ingress-nginx-binary"),
+			},
+		},
+		{
+			logicalFixture: "nginx-ingress-controller/1.0.0-alpha.2/linux-amd64",
+			expected: pkg.Package{
+				Name:      "nginx-ingress-controller",
+				Version:   "1.0.0-alpha.2",
+				Type:      "binary",
+				PURL:      "pkg:generic/nginx-ingress-controller@1.0.0-alpha.2",
+				Locations: locations("nginx-ingress-controller"),
+				Metadata:  metadata("ingress-nginx-binary"),
+			},
+		},
+		{
+			logicalFixture: "nginx-ingress-controller/0.34.0/linux-amd64",
+			expected: pkg.Package{
+				Name:      "nginx-ingress-controller",
+				Version:   "0.34.0",
+				Type:      "binary",
+				PURL:      "pkg:generic/nginx-ingress-controller@0.34.0",
+				Locations: locations("nginx-ingress-controller"),
+				Metadata:  metadata("ingress-nginx-binary"),
+			},
+		},
+		{
+			logicalFixture: "nginx-ingress-controller/0.33.0/linux-amd64",
+			expected: pkg.Package{
+				Name:      "nginx-ingress-controller",
+				Version:   "0.33.0",
+				Type:      "binary",
+				PURL:      "pkg:generic/nginx-ingress-controller@0.33.0",
+				Locations: locations("nginx-ingress-controller"),
+				Metadata:  metadata("ingress-nginx-binary"),
+			},
+		},
+		{
+			logicalFixture: "julia/1.13.0-alpha2/linux-amd64",
+			expected: pkg.Package{
+				Name:      "julia",
+				Version:   "1.13.0-alpha2",
+				Type:      "binary",
+				PURL:      "pkg:generic/julia@1.13.0-alpha2",
+				Locations: locations("libjulia-internal.so.1.13.0"),
+				Metadata:  metadata("julia-binary"),
+			},
+		},
+		{
+			logicalFixture: "julia/1.12.6/linux-amd64",
+			expected: pkg.Package{
+				Name:      "julia",
+				Version:   "1.12.6",
+				Type:      "binary",
+				PURL:      "pkg:generic/julia@1.12.6",
+				Locations: locations("libjulia-internal.so.1.12.6"),
+				Metadata:  metadata("julia-binary"),
+			},
+		},
+		{
+			logicalFixture: "julia/1.11.9/linux-amd64",
+			expected: pkg.Package{
+				Name:      "julia",
+				Version:   "1.11.9",
+				Type:      "binary",
+				PURL:      "pkg:generic/julia@1.11.9",
+				Locations: locations("libjulia-internal.so.1.11.9"),
+				Metadata:  metadata("julia-binary"),
+			},
+		},
+		{
+			logicalFixture: "julia/1.10.11/linux-amd64",
+			expected: pkg.Package{
+				Name:      "julia",
+				Version:   "1.10.11",
+				Type:      "binary",
+				PURL:      "pkg:generic/julia@1.10.11",
+				Locations: locations("libjulia-internal.so.1.10.11"),
+				Metadata:  metadata("julia-binary"),
+			},
+		},
+		{
+			logicalFixture: "julia/1.9.0-alpha1/linux-amd64",
+			expected: pkg.Package{
+				Name:      "julia",
+				Version:   "1.9.0-alpha1",
+				Type:      "binary",
+				PURL:      "pkg:generic/julia@1.9.0-alpha1",
+				Locations: locations("libjulia-internal.so.1.9"),
+				Metadata:  metadata("julia-binary"),
+			},
+		},
+		{
+			logicalFixture: "julia/1.8.5/linux-amd64",
+			expected: pkg.Package{
+				Name:      "julia",
+				Version:   "1.8.5",
+				Type:      "binary",
+				PURL:      "pkg:generic/julia@1.8.5",
+				Locations: locations("libjulia-internal.so.1.8"),
+				Metadata:  metadata("julia-binary"),
+			},
+		},
+		{
+			// note: dynamic (non-snippet) test case
+			logicalFixture: "julia/1.5.4/linux-amd64",
+			expected: pkg.Package{
+				Name:      "julia",
+				Version:   "1.5.4",
+				Type:      "binary",
+				PURL:      "pkg:generic/julia@1.5.4",
+				Locations: locations("julia", "libjulia.so.1.5"),
+				Metadata: pkg.BinarySignature{
+					Matches: []pkg.ClassifierMatch{
+						match("julia-binary", "julia"),
+						match("julia-binary", "libjulia.so.1.5"),
+					},
+				},
+			},
+		},
+		{
+			// note: dynamic (non-snippet) test case
+			logicalFixture: "julia/1.3.1/linux-amd64",
+			expected: pkg.Package{
+				Name:      "julia",
+				Version:   "1.3.1",
+				Type:      "binary",
+				PURL:      "pkg:generic/julia@1.3.1",
+				Locations: locations("julia", "libjulia.so.1.3"),
+				Metadata: pkg.BinarySignature{
+					Matches: []pkg.ClassifierMatch{
+						match("julia-binary", "julia"),
+						match("julia-binary", "libjulia.so.1.3"),
+					},
+				},
+			},
+		},
 	}
 
 	for _, test := range tests {
@@ -2248,9 +2678,16 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 			packages, _, err := c.Catalog(context.Background(), resolver)
 			require.NoError(t, err)
 
-			require.Len(t, packages, 1, "mismatched package count")
+			expected := test.expectedPackages
+			if len(expected) == 0 {
+				expected = []pkg.Package{test.expected}
+			}
 
-			assertPackagesAreEqual(t, test.expected, packages[0])
+			require.Len(t, packages, len(expected), "mismatched package count")
+
+			for i := range expected {
+				assertPackagesAreEqual(t, expected[i], packages[i])
+			}
 		})
 	}
 }

syft/pkg/cataloger/binary/classifiers.go

@@ -88,8 +88,43 @@ func DefaultClassifiers() []binutils.Classifier {
 		{
 			Class:    "julia-binary",
 			FileGlob: "**/libjulia-internal.so",
-			EvidenceMatcher: m.FileContentsVersionMatcher(
-				`(?m)__init__\x00(?P<version>[0-9]+\.[0-9]+\.[0-9]+)\x00verify`),
+			EvidenceMatcher: binutils.MatchAny(
+				// <20>1.13.0-beta3[NUL]branch
+				// [NUL]GIT_VERSION_INFO[NUL]jl_image_unpack[NUL]1.13.0-alpha2[NUL]branch
+				// [NUL]GIT_VERSION_INFO[NUL]__init__[NUL]1.12.6[NUL]branch[NUL]commit
+				// [NUL]GIT_VERSION_INFO[NUL]__init__[NUL]verify_methods[NUL]1.11.9[NUL]branch[NUL]commit
+				// [NUL][NUL]__init__[NUL]1.10.11[NUL]verify_methods[NUL]
+				m.FileContentsVersionMatcher(`\x00__init__\x00(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00(branch|verify_methods)`),
+				m.FileContentsVersionMatcher(`(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00branch\x00`),
+				// [NUL]verify_methods[NUL]Task cannot be serialized[NUL]1.9.0-alpha1[NUL]BigInt[NUL]
+				m.FileContentsVersionMatcher(`\x00verify_methods\x00.{0,30}(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00BigInt`),
+				// unknown option `%s`[NUL]1.8.5[NUL]julia version %s
+				m.FileContentsVersionMatcher(`\x00(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00julia version`),
+			),
+			Package: "julia",
+			PURL:    mustPURL("pkg:generic/julia@version"),
+			CPEs:    singleCPE("cpe:2.3:a:julialang:julia:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+		},
+		{
+			Class:    "julia-binary",
+			FileGlob: "**/julia",
+			EvidenceMatcher: binutils.SharedLibraryLookup(
+				// libjulia.so.1
+				// libjulia.so.0.6
+				// libjulia.so
+				`^libjulia\.so(\.[0-9])?(\.[0-9])?$`,
+				binutils.MatchAny(
+					// unknown option `%s`[NUL]1.5.4[NUL]julia version %s
+					m.FileContentsVersionMatcher(`\x00(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00julia version`),
+					// [NUL]#kw#[NUL]1.3.1[NUL]BigInt
+					// [NUL]#kw#[NUL]0.7.0-beta2[NUL]_require_dependencies
+					m.FileContentsVersionMatcher(`\x00#kw#\x00(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00(BigInt|_require_dependencies)`),
+					// [NUL]ObjectIdDict[NUL]0.6.4[NUL]jl_sysimg_cpu_target
+					m.FileContentsVersionMatcher(`\x00ObjectIdDict\x00(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00jl_sysimg_cpu_target`),
+					// [NUL]require[NUL]0.4.6[NUL]core2
+					m.FileContentsVersionMatcher(`\x00require\x00(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00core2`),
+				),
+			),
 			Package: "julia",
 			PURL:    mustPURL("pkg:generic/julia@version"),
 			CPEs:    singleCPE("cpe:2.3:a:julialang:julia:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
@@ -97,8 +132,17 @@ func DefaultClassifiers() []binutils.Classifier {
 		{
 			Class:    "helm",
 			FileGlob: "**/helm",
-			EvidenceMatcher: m.FileContentsVersionMatcher(
-				`(?m)\x00v(?P<version>[0-9]+\.[0-9]+\.[0-9]+)\x00`),
+			EvidenceMatcher: binutils.MatchAny(
+				// [NUL]v1.21.2[NUL].......[NUL][NUL]v4.1.4[NUL][NUL][NUL]
+				// [NUL]v2.0.0-beta.2[NUL][NUL][NUL]
+				m.FileContentsVersionMatcher(`\x00v(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha\.[0-9]|-beta\.[0-9]|-rc\.[0-9])?)\x00{2,}`),
+				// [NUK]'[DLE]v3.12.0[NUL][NUL]...go1.20.3[NUL][NUL]
+				m.FileContentsVersionMatcher(`v(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha\.[0-9]|-beta\.[0-9]|-rc\.[0-9])?)\x00+.{1,500}go[0-9]+\.[0-9]+\.[0-9]+\x00+`),
+				// [NUL]v3.11.1[NUL]<5D>[NUL]
+				m.FileContentsVersionMatcher(`\x00v(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha\.[0-9]|-beta\.[0-9]|-rc\.[0-9])?)\x00`),
+				// [NUL]@<40>@v3.15.2[NUL][NUL]
+				m.FileContentsVersionMatcher(`@v(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha\.[0-9]|-beta\.[0-9]|-rc\.[0-9])?)\x00`),
+			),
 			Package: "helm",
 			PURL:    mustPURL("pkg:golang/helm.sh/helm@version"),
 			CPEs:    singleCPE("cpe:2.3:a:helm:helm:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
@@ -106,13 +150,19 @@ func DefaultClassifiers() []binutils.Classifier {
 		{
 			Class:    "redis-binary",
 			FileGlob: "**/redis-server",
-			EvidenceMatcher: binutils.MatchAny(
-				// matches most recent versions of redis (~v7), e.g. "7.0.14buildkitsandbox-1702957741000000000"
-				m.FileContentsVersionMatcher(`[^\d](?P<version>\d+.\d+\.\d+)buildkitsandbox-\d+`),
-				// matches against older versions of redis (~v3 - v6), e.g. "4.0.11841ce7054bd9-1542359302000000000"
-				m.FileContentsVersionMatcher(`[^\d](?P<version>[0-9]+\.[0-9]+\.[0-9]+)\w{12}-\d+`),
-				// matches against older versions of redis (~v2), e.g. "Server started, Redis version 2.8.23"
-				m.FileContentsVersionMatcher(`Redis version (?P<version>[0-9]+\.[0-9]+\.[0-9]+)`),
+			EvidenceMatcher: binutils.MatchAll(
+				// Negative Matchers to exclude valkey-server
+				binutils.MatchNone(
+					binutils.MatchPath("**/valkey-server"),
+				),
+				binutils.MatchAny(
+					// matches most recent versions of redis (~v7), e.g. "7.0.14buildkitsandbox-1702957741000000000"
+					m.FileContentsVersionMatcher(`[^\d](?P<version>\d+.\d+\.\d+)buildkitsandbox-\d+`),
+					// matches against older versions of redis (~v3 - v6), e.g. "4.0.11841ce7054bd9-1542359302000000000"
+					m.FileContentsVersionMatcher(`[^\d](?P<version>[0-9]+\.[0-9]+\.[0-9]+)\w{12}-\d+`),
+					// matches against older versions of redis (~v2), e.g. "Server started, Redis version 2.8.23"
+					m.FileContentsVersionMatcher(`Redis version (?P<version>[0-9]+\.[0-9]+\.[0-9]+)`),
+				),
 			),
 			Package: "redis",
 			PURL:    mustPURL("pkg:generic/redis@version"),
@@ -288,6 +338,96 @@ func DefaultClassifiers() []binutils.Classifier {
 				cpe.Must("cpe:2.3:a:percona:xtradb_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 			},
 		},
+		{
+			// Legacy MySQL Cluster contains both MySQL Server and MySQL Cluster versions (Example: 5.7.33-ndb-7.5.21)
+			// This classifier identifies the MySQL Server version of the mysqld binary (5.7.33 in the example above).
+			Class:    "mysqld-mysql-cluster-legacy-binary",
+			FileGlob: "**/mysqld",
+			EvidenceMatcher: m.FileContentsVersionMatcher(
+				`cluster-gpl\x00(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?)\-ndb\-[0-9]+(\.[0-9]+)?(\.[0-9]+)?`),
+			Package: "mysql-server",
+			PURL:    mustPURL("pkg:generic/mysql-server@version"),
+			CPEs: []cpe.CPE{
+				cpe.Must("cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+				cpe.Must("cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+			},
+		},
+		{
+			Class:    "mysqld-binary",
+			FileGlob: "**/mysqld",
+			EvidenceMatcher: binutils.BranchingEvidenceMatcher([]binutils.Classifier{
+				{
+					// Legacy MySQL Cluster contains both MySQL Server and MySQL Cluster versions (Example: 5.7.33-ndb-7.5.21)
+					// This classifier identifies the MySQL Cluster version of the mysqld binary (7.5.21 in the example above).
+					Class: "mysqld-mysql-cluster-legacy-binary",
+					EvidenceMatcher: m.FileContentsVersionMatcher(
+						`cluster-gpl\x00[0-9]+(\.[0-9]+)?(\.[0-9]+)?\-ndb\-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?)`),
+					Package: "mysql-cluster",
+					PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
+					CPEs: []cpe.CPE{
+						cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+					},
+				},
+				{
+					// mysqld from MySQL Cluster after versioning was aligned with MySQL Server
+					Class: "mysqld-mysql-cluster-binary",
+					EvidenceMatcher: m.FileContentsVersionMatcher(
+						`/mysql-cluster-gpl-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)/`),
+					Package: "mysql-cluster",
+					PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
+					CPEs: []cpe.CPE{
+						cpe.Must("cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+						cpe.Must("cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+						cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+					},
+				},
+				{
+					// mysqld from MySQL Server
+					Class: "mysqld-mysql-server-binary",
+					EvidenceMatcher: m.FileContentsVersionMatcher(
+						`/mysql-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)/`),
+					Package: "mysql-server",
+					PURL:    mustPURL("pkg:generic/mysql-server@version"),
+					CPEs: []cpe.CPE{
+						cpe.Must("cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+						cpe.Must("cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+					},
+				},
+			}...),
+		},
+		{
+			Class:    "ndbd-binary",
+			FileGlob: "**/ndbd",
+			EvidenceMatcher: m.FileContentsVersionMatcher(
+				`/mysql-cluster-gpl-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)/`),
+			Package: "mysql-cluster",
+			PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
+			CPEs: []cpe.CPE{
+				cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+			},
+		},
+		{
+			Class:    "ndbmtd-binary",
+			FileGlob: "**/ndbmtd",
+			EvidenceMatcher: m.FileContentsVersionMatcher(
+				`/mysql-cluster-gpl-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)/`),
+			Package: "mysql-cluster",
+			PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
+			CPEs: []cpe.CPE{
+				cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+			},
+		},
+		{
+			Class:    "ndb_mgmd-binary",
+			FileGlob: "**/ndb_mgmd",
+			EvidenceMatcher: m.FileContentsVersionMatcher(
+				`/mysql-cluster-gpl-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)/`),
+			Package: "mysql-cluster",
+			PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
+			CPEs: []cpe.CPE{
+				cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+			},
+		},
 		{
 			Class:    "xtrabackup-binary",
 			FileGlob: "**/xtrabackup",
@@ -300,9 +440,17 @@ func DefaultClassifiers() []binutils.Classifier {
 		{
 			Class:    "mariadb-binary",
 			FileGlob: "**/{mariadb,mysql}",
-			EvidenceMatcher: m.FileContentsVersionMatcher(
+			EvidenceMatcher: binutils.MatchAny(
 				// 10.6.15-MariaDB
-				`(?m)(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-MariaDB`),
+				m.FileContentsVersionMatcher(`(?m)(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-MariaDB`),
+				// MariaDB.org / RHEL tarball builds embed the release directory name, which does not contain the
+				// "-MariaDB" marker. The version is in the build path instead, e.g.:
+				//   mariadb-11.8.5-2-redhat-x86_64/rhel-8/bin/mariadb
+				//   mariadb-11.8.5-linux-systemd-x86_64
+				// Without this the older matcher misses the version and a later release suffix (e.g. "2") can be
+				// picked up instead, producing false-positive matches against ancient CVEs (see anchore/grype#3452).
+				m.FileContentsVersionMatcher(`(?m)(?:^|/)mariadb-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-`),
+			),
 			Package: "mariadb",
 			PURL:    mustPURL("pkg:generic/mariadb@version"),
 			CPEs:    singleCPE("cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
@@ -427,10 +575,26 @@ func DefaultClassifiers() []binutils.Classifier {
 		{
 			Class:    "deno-binary",
 			FileGlob: "**/deno",
-			EvidenceMatcher: m.FileContentsVersionMatcher(
-				// Deno/2.6.3
-				// Deno/1.41.0
-				`Deno/(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`),
+			EvidenceMatcher: binutils.MatchAny(
+				m.FileContentsVersionMatcher(
+					// Deno/2.6.3
+					// Deno/1.41.0
+					`Deno/(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`,
+				),
+				m.FileContentsVersionMatcher(
+					// deno::tools::standalonedeno-65db94feba9d4d51a09b74629f566dbc90484fbarelease/v1.29.4windows
+					// cli/tools/standalone.rsdeno-74064c9d8c222b33b2a552ea0af1054f57002a96release/v1.28.3windows
+					`deno-[0-9a-z]{40}release/v(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`,
+				),
+				m.FileContentsVersionMatcher(
+					// cli/tools/standalone.rsdeno-ab286750a8c87215a9651efb11fcc620f29140051.16.4release/vdlwindows
+					`deno-[0-9a-z]{40}(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`,
+				),
+				m.FileContentsVersionMatcher(
+					// 1.10.31567c1013cc8ff12cf039137792da66a1d0015b5DENO_UNSTABLE_COVERAGE_DIRNo current directorycli/main
+					`(?P<version>[0-9]+\.[0-9]+\.[0-9]+)[0-9a-z]{40}DENO`,
+				),
+			),
 			Package: "deno",
 			PURL:    mustPURL("pkg:generic/deno@version"),
 			CPEs:    singleCPE("cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
@@ -558,14 +722,29 @@ func DefaultClassifiers() []binutils.Classifier {
 		{
 			Class:    "openssl-binary",
 			FileGlob: "**/openssl",
-			EvidenceMatcher: m.FileContentsVersionMatcher(
-				// [NUL]OpenSSL 3.1.4'
-				// [NUL]OpenSSL 1.1.1w'
-				`\x00OpenSSL (?P<version>[0-9]+\.[0-9]+\.[0-9]+([a-z]+|-alpha[0-9]|-beta[0-9]|-rc[0-9])?)`,
-			),
-			Package: "openssl",
-			PURL:    mustPURL("pkg:generic/openssl@version"),
-			CPEs:    singleCPE("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+			EvidenceMatcher: binutils.BranchingEvidenceMatcher([]binutils.Classifier{
+				{
+					Class: "openssl-binary-aws-lc",
+					EvidenceMatcher: m.FileContentsVersionMatcher(
+						// [NUL]OpenSSL 1.1.1 (compatible; AWS-LC 1.69.0)[NUL]
+						`AWS-LC (?P<version>[0-9]+\.[0-9]+\.[0-9]+)\)\x00`,
+					),
+					Package: "aws-lc",
+					PURL:    mustPURL("pkg:generic/aws-lc@version"),
+					CPEs:    singleCPE("cpe:2.3:a:amazon:aws_libcrypto:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+				},
+				{
+					Class: "openssl-binary",
+					EvidenceMatcher: m.FileContentsVersionMatcher(
+						// [NUL]OpenSSL 3.1.4'
+						// [NUL]OpenSSL 1.1.1w'
+						`\x00OpenSSL (?P<version>[0-9]+\.[0-9]+\.[0-9]+([a-z]+|-alpha[0-9]|-beta[0-9]|-rc[0-9])?)`,
+					),
+					Package: "openssl",
+					PURL:    mustPURL("pkg:generic/openssl@version"),
+					CPEs:    singleCPE("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+				},
+			}...),
 		},
 		{
 			Class:    "openldap-search-binary",
@@ -762,7 +941,9 @@ func DefaultClassifiers() []binutils.Classifier {
 			Class:    "elixir-binary",
 			FileGlob: "**/elixir",
 			EvidenceMatcher: m.FileContentsVersionMatcher(
-				`(?m)ELIXIR_VERSION=(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`),
+				// Capture optional pre-release suffix (-rc.1, -alpha.0, -beta.2,
+				// etc.) so release-candidate elixir images (#4819) match.
+				`(?m)ELIXIR_VERSION=(?P<version>[0-9]+\.[0-9]+\.[0-9]+(?:-[a-z0-9]+(?:\.[0-9]+)?)?)`),
 			Package: "elixir",
 			PURL:    mustPURL("pkg:generic/elixir@version"),
 			CPEs: []cpe.CPE{
@@ -773,7 +954,8 @@ func DefaultClassifiers() []binutils.Classifier {
 			Class:    "elixir-library",
 			FileGlob: "**/elixir/ebin/elixir.app",
 			EvidenceMatcher: m.FileContentsVersionMatcher(
-				`(?m)\{vsn,"(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-[a-z0-9]+)?)"\}`),
+				// Same pre-release extension as elixir-binary above.
+				`(?m)\{vsn,"(?P<version>[0-9]+\.[0-9]+\.[0-9]+(?:-[a-z0-9]+(?:\.[0-9]+)?)?)"\}`),
 			Package: "elixir",
 			PURL:    mustPURL("pkg:generic/elixir@version"),
 			CPEs:    singleCPE("cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
@@ -905,6 +1087,29 @@ func DefaultClassifiers() []binutils.Classifier {
 			PURL:    mustPURL("pkg:generic/mongodb@version"),
 			CPEs:    singleCPE("cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 		},
+		{
+			Class:    "ingress-nginx-binary",
+			FileGlob: "**/nginx-ingress-controller",
+			EvidenceMatcher: binutils.MatchAny(
+				// [NUL][NUL]v1.15.1[NUL][NUL]@e[ETX][NUL][NUL][NUL][NUL]go1.26.1[NUL][NUL][NUL]
+				// <20>v1.15.1[NUL][NUL]<5D>z[ETX][NUL][NUL][NUL][NUL]go1.24.4[NUL][NUL][NUL]
+				m.FileContentsVersionMatcher(`v(?P<version>[0-9]+\.[0-9]+\.[0-9]+)\x00+.{0,50}go[0-9]+\.[0-9]+(\-(alpha|beta)\.[0-9])?\.[0-9]+\x00+`),
+				// <20>Lv1.9.6[NUL][NUL]$a<>c[SOH][NUL][NUL][NUL]
+				// [NUL][NUL]v0.34.0[NUL]......<2E>$a<>...[NUL]
+				m.FileContentsVersionMatcher(`v(?P<version>[0-9]+\.[0-9]+\.[0-9]+(\-(alpha|beta)\.[0-9])?)\x00+.{0,800}\$a.{0,10}\x00+`),
+				// [NUL][NUL]v1.7.1[NUL][NUL][NUL]...S=v<y5...
+				// [NUL]0.33.0[NUL][NUL]...[NUL][NUL]...S=v<y5
+				m.FileContentsVersionMatcher(`\x00+v?(?P<version>[0-9]+\.[0-9]+\.[0-9]+(\-(alpha|beta)\.[0-9])?)\x00+.{0,100}S=v<y5`),
+				// [NUL][NUL]go1.22.8[NUL][NUL][NUL][NUL][NUL][NUL][NUL][NUL][NUL]v1.12.0-beta.0[NUL][NUL]
+				m.FileContentsVersionMatcher(`\x00+go[0-9]+\.[0-9]+\.[0-9]+\x00+v(?P<version>[0-9]+\.[0-9]+\.[0-9]+(\-(alpha|beta)\.[0-9])?)\x00+`),
+				// [NUL][NUL]v1.2.0-beta.1[NUL][NUL]
+				// [NUL][NUL]v1.0.0-alpha.2[NUL][NUL]
+				m.FileContentsVersionMatcher(`\x00+v(?P<version>[0-9]+\.[0-9]+\.[0-9]+\-(alpha|beta)\.[0-9])\x00+`),
+			),
+			Package: "nginx-ingress-controller",
+			PURL:    mustPURL("pkg:generic/nginx-ingress-controller@version"),
+			CPEs:    singleCPE("cpe:2.3:a:kubernetes:ingress-nginx:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
+		},
 	}
 
 	return append(classifiers, defaultJavaClassifiers()...)

syft/pkg/cataloger/binary/internal/manager/internal/download_from_image.go

@@ -275,9 +275,15 @@ func copyBinaryFromContainer(containerName, containerPath, destinationPath, dige
 		return err
 	}
 
-	// ensure permissions are 600 for destination
-	if err := os.Chmod(destinationPath, 0600); err != nil {
-		return fmt.Errorf("unable to set permissions on file %q: %w", destinationPath, err)
+	// ensure permissions are 600 for destination (if it is not a symlink)
+	info, err := os.Lstat(destinationPath)
+	if err != nil {
+		return fmt.Errorf("unable to stat file %q: %w", destinationPath, err)
+	}
+	if info.Mode()&os.ModeSymlink == 0 {
+		if err := os.Chmod(destinationPath, 0600); err != nil {
+			return fmt.Errorf("unable to set permissions on file %q: %w", destinationPath, err)
+		}
 	}
 
 	// capture digest file

syft/pkg/cataloger/binary/pe_package_cataloger.go

@@ -12,10 +12,11 @@ import (
 	"github.com/anchore/syft/syft/pkg/cataloger/internal/pe"
 )
 
-// NewPEPackageCataloger returns a cataloger that interprets packages from DLL and EXE files.
+// NewPEPackageCataloger returns a cataloger that interprets packages from DLL, EXE, and BPL files.
+// BPL (Borland Package Library) files are PE-format binaries used by Delphi and C++Builder.
 func NewPEPackageCataloger() pkg.Cataloger {
 	return generic.NewCataloger("pe-binary-package-cataloger").
-		WithParserByGlobs(parsePE, "**/*.dll", "**/*.exe")
+		WithParserByGlobs(parsePE, "**/*.dll", "**/*.exe", "**/*.bpl")
 }
 
 func parsePE(_ context.Context, _ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {

syft/pkg/cataloger/binary/pe_package_cataloger_test.go

@@ -62,3 +62,30 @@ func Test_PEPackageCataloger(t *testing.T) {
 	}
 
 }
+
+func Test_PEPackageCataloger_Globs(t *testing.T) {
+	tests := []struct {
+		name     string
+		fixture  string
+		expected []string
+	}{
+		{
+			name:    "obtain PE binary files (dll, exe, bpl)",
+			fixture: "testdata/glob-paths",
+			expected: []string{
+				"src/library.dll",
+				"src/program.exe",
+				"src/archive.bpl",
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			pkgtest.NewCatalogTester().
+				FromDirectory(t, test.fixture).
+				ExpectsResolverContentQueries(test.expected).
+				TestCataloger(t, NewPEPackageCataloger())
+		})
+	}
+}

syft/pkg/cataloger/binary/testdata/.gitignore

@@ -9,3 +9,4 @@ classifiers/bin
 !VERSION*
 !classifiers/snippets/**/bin/
 !*.exe
+!*.dll

syft/pkg/cataloger/binary/testdata/classifiers/snippets/deno/1.10.3/linux-amd64/deno

@@ -0,0 +1,9 @@
+name: deno
+offset: 31454975
+length: 120
+snippetSha256: 30ab01cb89ba17c770cca7d60e12f2c2119fd8db2b389636053bad1146ac83df
+fileSha256: 68ec2c702e9c21e47d5557c603080932ffa24627b463b4a5a4e2ed4ff00f7d5d
+
+### byte snippet to follow ###
+s already installed
+1.10.31567c1013cc8ff12cf039137792da66a1d0015b5DENO_UNSTABLE_COVERAGE_DIRNo current directorycli/main

syft/pkg/cataloger/binary/testdata/classifiers/snippets/deno/1.16.4/linux-amd64/deno

@@ -0,0 +1,9 @@
+name: deno
+offset: 4219127
+length: 120
+snippetSha256: 97e369d4eed74c5b1ff7d578c9de100c71136dfcc54f19455b2938671d1a9640
+fileSha256: f3af5cf3838c0cd01de1acaaa716de804ad08c716927af1848aa9664b96a737c
+
+### byte snippet to follow ###
+g ctrl+d or close()
+Error: cli/tools/standalone.rsdeno-ab286750a8c87215a9651efb11fcc620f29140051.16.4release/vdlwindowsh

syft/pkg/cataloger/binary/testdata/classifiers/snippets/deno/1.28.3/linux-amd64/deno

@@ -0,0 +1,9 @@
+name: deno
+offset: 5079501
+length: 110
+snippetSha256: aa6181b1204d821493756007090ad81677a26f20de0efe9c53bdf401b54849fd
+fileSha256: 3373cbed016860095b01f693a58181c4cf1ac9d6ab7bd5dbca5f684788402919
+
+### byte snippet to follow ###
+n to exit
+cli/tools/standalone.rsdeno-74064c9d8c222b33b2a552ea0af1054f57002a96release/v1.28.3windowshttps://dl

syft/pkg/cataloger/binary/testdata/classifiers/snippets/deno/1.29.4/linux-amd64/deno

@@ -0,0 +1,9 @@
+name: deno
+offset: 5116362
+length: 220
+snippetSha256: 786a6c5d8be76e3c6e628cd2400c6ed5a7a7cfc75b135e8e7f1375f55dc28787
+fileSha256: d9c8a385c3704e220b1722c642f22e32f8f267013742f9b44d68c67bb5f9232d
+
+### byte snippet to follow ###
+ument. For example:
+    deno run --allow-read=. main.js./$deno$eval.console.log(cli/tools/standalone.rsCompiledeno::tools::standalonedeno-65db94feba9d4d51a09b74629f566dbc90484fbarelease/v1.29.4windowshttps://dl.deno.land

syft/pkg/cataloger/binary/testdata/classifiers/snippets/elixir/1.12.0-rc.1/linux-amd64/elixir

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2021 The Elixir Team
+# SPDX-FileCopyrightText: 2012 Plataformatec
+
+set -e
+
+ELIXIR_VERSION=1.12.0-rc.1
+
+if [ $# -eq 0 ] || { [ $# -eq 1 ] && { [ "$1" = "--help" ] || [ "$1" = "-h" ]; }; }; then
+  cat <<USAGE >&2
+Usage: $(basename "$0") [options] [.exs file] [data]
+
+## General options
+
+  -e "COMMAND"                 Evaluates the given command (*)
+  -h, --help                   Prints this message (standalone)
+  -r "FILE"                    Requires the given files/patterns (*)
+  -S SCRIPT                    Finds and executes the given script in \$PATH

syft/pkg/cataloger/binary/testdata/classifiers/snippets/elixir/1.12.0-rc.1/linux-amd64/lib/elixir/ebin/elixir.app

@@ -0,0 +1,19 @@
+{application,elixir,
+    [{description,"elixir"},
+     {vsn,"1.12.0-rc.1"},
+     {modules,
+         ['Elixir.Access','Elixir.Agent.Server','Elixir.Agent',
+          'Elixir.Application','Elixir.ArgumentError',
+          elixir_overridable,elixir_parser,elixir_quote,elixir_rewrite,
+          elixir_sup,elixir_tokenizer,elixir_utils,iex]},
+     {registered,[elixir_sup,elixir_config,elixir_code_server]},
+     {applications,[kernel,stdlib,compiler]},
+     {mod,{elixir,[]}},
+     {env,
+         [{ansi_syntax_colors,
+              [{atom,cyan},
+               {binary,default_color},
+               {operator,default_color}]},
+          {check_endianness,true},
+          {dbg_callback,{'Elixir.Macro',dbg,[]}},
+          {time_zone_database,'Elixir.Calendar.UTCOnlyTimeZoneDatabase'}]}]}.

syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.10.11/linux-amd64/libjulia-internal.so

@@ -0,0 +1 @@
+libjulia-internal.so.1.10.11

syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.11.9/linux-amd64/libjulia-internal.so

@@ -0,0 +1 @@
+libjulia-internal.so.1.11.9

syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.12.6/linux-amd64/libjulia-internal.so

@@ -0,0 +1 @@
+libjulia-internal.so.1.12.6

syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.13.0-alpha2/linux-amd64/libjulia-internal.so

@@ -0,0 +1 @@
+libjulia-internal.so.1.13.0

syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.13.0-beta3/linux-amd64/libjulia-internal.so

@@ -0,0 +1 @@
+libjulia-internal.so.1.13.0

syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.8.5/linux-amd64/libjulia-internal.so

@@ -0,0 +1 @@
+libjulia-internal.so.1.8

syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.9.0-alpha1/linux-amd64/libjulia-internal.so

@@ -0,0 +1 @@
+libjulia-internal.so.1.9