chore(deps): bump the actions-minor-patch group across 2 directories with 6 updates (#4975 )

Bumps the actions-minor-patch group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `6.0.3` | | [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [anchore/go-make](https://github.com/anchore/go-make). Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](b3e328b5ae...b0c30a8040) Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](b3e328b5ae...b0c30a8040) Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](b3e328b5ae...b0c30a8040) Updates `actions/checkout` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](de0fac2e45...df4cb1c069) Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](b3e328b5ae...b0c30a8040) Updates `anchore/go-make` from 0.5.0 to 0.6.0 - [Release notes](https://github.com/anchore/go-make/releases) - [Commits](9de27be11e...39fe5f7111) --- updated-dependencies: - dependency-name: anchore/workflows/.github/workflows/codeql.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/check-gate.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/go-make dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
fix: support CycloneDX 1.7 (#4967 )
2026-06-15 08:48:24 +02:00 · 2026-06-12 13:29:23 +00:00 · 2026-06-11 09:40:42 -04:00 · 2026-06-09 13:22:43 -04:00 · 2026-06-08 11:12:47 -04:00 · 2026-06-08 10:07:15 -04:00
154 changed files with 13455 additions and 2282 deletions
--- a/.binny.yaml
+++ b/.binny.yaml
@ -1,67 +1,10 @@
 # only pull in version updates that were released more than a week ago (low-pass filter for quickly-retracted releases)
 cooldown: 7d
-
+# Most tools (binny, chronicle, cosign, golangci-lint, goreleaser, gosimports,
 # bouncer, quill, syft, task, gh) are inherited from anchore/go-make's embedded
 # .binny.yaml — see https://github.com/anchore/go-make. Only syft-specific tools
 # or version overrides should live here.
 tools:
  ## internal tools ############################################################################
  # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
  - name: binny
    version:
      want: v0.13.0
    method: github-release
    with:
      repo: anchore/binny
  # used to produce SBOMs during release
  - name: syft
    version:
      want: v1.42.3
    method: github-release
    with:
      repo: anchore/syft
  # used to sign mac binaries at release
  - name: quill
    version:
      want: v0.7.1
    method: github-release
    with:
      repo: anchore/quill
  # used at release to generate the changelog
  - name: chronicle
    version:
      want: v0.8.0
    method: github-release
    with:
      repo: anchore/chronicle
  ## external tools ############################################################################
  # used for linting
  - name: golangci-lint
    version:
      want: v2.11.4
    method: github-release
    with:
      repo: golangci/golangci-lint
  # used for showing the changelog at release
  - name: glow
    version:
      want: v2.1.1
    method: github-release
    with:
      repo: charmbracelet/glow
  # used for signing the checksums file at release
  - name: cosign
    version:
      want: v3.0.5
    method: github-release
    with:
      repo: sigstore/cosign
  # used in integration tests to verify JSON schemas
  - name: yajsv
    version:
@ -70,58 +13,18 @@ tools:
    with:
      repo: neilpa/yajsv
  # used to release all artifacts
  - name: goreleaser
    version:
      want: v2.15.2
    method: github-release
    with:
      repo: goreleaser/goreleaser
  # used for organizing imports during static analysis
  - name: gosimports
    version:
      want: v0.3.8
    method: github-release
    with:
      repo: rinchsan/gosimports
  # used during static analysis for license compliance
  - name: bouncer
    version:
      want: v0.4.0
    method: github-release
    with:
      repo: wagoodman/go-bouncer
  # used for running all local and CI tasks
  - name: task
    version:
      want: v3.49.1
    method: github-release
    with:
      repo: go-task/task
  # used for triggering a release
  - name: gh
    version:
      want: v2.89.0
    method: github-release
    with:
      repo: cli/cli
  # used to upload test fixture cache
  - name: oras
    version:
-      want: v1.3.1
+      want: v1.3.2
    method: github-release
    with:
      repo: oras-project/oras
-  # used to upload test fixture cache
+  # used to parse JSON/YAML annotations on the fixture cache image
  - name: yq
    version:
-      want: v4.52.5
+      want: v4.53.2
    method: github-release
    with:
      repo: mikefarah/yq
--- a/.github/actions/bootstrap/action.yaml
+++ b/.github/actions/bootstrap/action.yaml
@ -1,55 +1,45 @@
 name: "Bootstrap"
-description: "Bootstrap all tools and dependencies"
+description: "Bootstrap all syft tools and dependencies on top of go-make's setup action"
 # This action is a thin wrapper around anchore/go-make/.github/actions/setup which
 # already handles checkout, setup-go, restore-only build/mod cache, and tool cache.
 # We add the syft-specific extras here: apt packages and the test fixture cache.
 inputs:
  go-version:
-    description: "Go version to install"
+    description: "Go version to install (passed to go-make/setup)"
    required: true
    default: "1.26.2"
-  go-dependencies:
+  cache-key-prefix:
-    description: "Download go dependencies"
+    description: "Prefix all cache keys with this value (passed to go-make/setup)"
    required: true
    default: "v1"
  cache-enabled:
    description: "Enable build/mod and tool caching (passed to go-make/setup)"
    required: true
    default: "true"
  cache-key-prefix:
    description: "Prefix all cache keys with this value"
    required: true
    default: "53ac821810"
  download-test-fixture-cache:
    description: "Download test fixture cache from OCI and github actions"
    required: true
    default: "false"
  tools:
    description: "whether to install tools"
    default: "true"
  bootstrap-apt-packages:
    description: "Space delimited list of tools to install via apt"
    default: "libxml2-utils"
 runs:
  using: "composite"
  steps:
-    # note: go mod and build is automatically cached on default with v4+
+    - name: Setup go + go-make tooling
-    - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      uses: anchore/go-make/.github/actions/setup@39fe5f71112d4dceb3ff0a92a40f272f067fc457 # v0.6.0
      if: inputs.go-version != ''
      with:
        go-version: ${{ inputs.go-version }}
-        check-latest: true
+        cache-key-prefix: ${{ inputs.cache-key-prefix }}
-    - name: Restore tool cache
+        cache-enabled: ${{ inputs.cache-enabled }}
-      if: inputs.tools == 'true'
+
-      id: tool-cache
+    - name: Install binny-managed tools
      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
      with:
        path: ${{ github.workspace }}/.tool
        key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('.binny.yaml') }}
    - name: Install project tools
      shell: bash
-      if: inputs.tools == 'true'
+      run: make binny:install
-      run: |
+
        make tools
        .tool/binny list
        .tool/binny check
    - name: Install go dependencies
      if: inputs.go-dependencies == 'true'
      shell: bash
      run: make ci-bootstrap-go
    - name: Install apt packages
      if: inputs.bootstrap-apt-packages != ''
      shell: bash
@ -58,12 +48,23 @@ runs:
      run: |
        IFS=' ' read -ra packages <<< "$APT_PACKAGES"
        DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y "${packages[@]}"
    # ORAS cache: restore-only on non-default branches / forks
    - name: Restore ORAS cache from github actions
-      if: inputs.download-test-fixture-cache == 'true'
+      if: ${{ inputs.download-test-fixture-cache == 'true' && (github.ref != format('refs/heads/{0}', github.event.repository.default_branch) || github.event.repository.fork == true) }}
-      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
      with:
        path: ${{ github.workspace }}/.tmp/oras-cache
        key: ${{ inputs.cache-key-prefix }}-oras-cache
    # ORAS cache: restore + save on the default branch of the canonical repo only.
    - name: Restore and save ORAS cache from github actions
      if: ${{ inputs.download-test-fixture-cache == 'true' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && github.event.repository.fork == false }}
      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
      with:
        path: ${{ github.workspace }}/.tmp/oras-cache
        key: ${{ inputs.cache-key-prefix }}-oras-cache
    - name: Download test fixture cache
      if: inputs.download-test-fixture-cache == 'true'
      shell: bash
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -14,7 +14,9 @@ version: 2
 updates:
  - package-ecosystem: gomod
-    directory: "/"
+    directories:
      - "/"
      - "/.make"
    cooldown:
      default-days: 7
    schedule:
--- a/.github/scripts/ci-check.sh
+++ b/.github/scripts/ci-check.sh
@ -1,11 +0,0 @@
 #!/usr/bin/env bash
 red=$(tput setaf 1)
 bold=$(tput bold)
 normal=$(tput sgr0)
 # assert we are running in CI (or die!)
 if [[ -z "$CI" ]]; then
    echo "${bold}${red}This step should ONLY be run in CI. Exiting...${normal}"
    exit 1
 fi
--- a/.github/scripts/coverage.py
+++ b/.github/scripts/coverage.py
@ -1,36 +0,0 @@
 #!/usr/bin/env python3
 import subprocess
 import sys
 import shlex
 class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKCYAN = '\033[96m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
 if len(sys.argv) < 3:
    print("Usage: coverage.py [threshold] [go-coverage-report]")
    sys.exit(1)
 threshold = float(sys.argv[1])
 report = sys.argv[2]
 args = shlex.split(f"go tool cover -func {report}")
 p = subprocess.run(args, capture_output=True, text=True)
 percent_coverage = float(p.stdout.splitlines()[-1].split()[-1].replace("%", ""))
 print(f"{bcolors.BOLD}Coverage: {percent_coverage}%{bcolors.ENDC}")
 if percent_coverage < threshold:
    print(f"{bcolors.BOLD}{bcolors.FAIL}Coverage below threshold of {threshold}%{bcolors.ENDC}")
    sys.exit(1)
--- a/.github/scripts/find_cache_paths.py
+++ b/.github/scripts/find_cache_paths.py
@ -1,35 +1,45 @@
 #!/usr/bin/env python3
 from __future__ import annotations
 import os
 import glob
 import sys
 import json
 import hashlib
-
+import json
 import os
 import sys
 IGNORED_PREFIXES = []
 def find_fingerprints_and_check_dirs(base_dir):
-    all_fingerprints = set(glob.glob(os.path.join(base_dir, '**', 'test*', '**', '*.fingerprint'), recursive=True))
+    all_fingerprints = set(
        glob.glob(
            os.path.join(base_dir, "**", "test*", "**", "*.fingerprint"), recursive=True
        )
    )
-    all_fingerprints = {os.path.relpath(fp) for fp in all_fingerprints
+    all_fingerprints = {
-                        if not any(fp.startswith(prefix) for prefix in IGNORED_PREFIXES)}
+        os.path.relpath(fp)
        for fp in all_fingerprints
        if not any(fp.startswith(prefix) for prefix in IGNORED_PREFIXES)
    }
    if not all_fingerprints:
        show("No .fingerprint files or cache directories found.")
        exit(1)
-    missing_content = []
+    orphan_fingerprints = []
    empty_content = []
    valid_paths = set()
    fingerprint_contents = []
    for fingerprint in all_fingerprints:
-        path = fingerprint.replace('.fingerprint', '')
+        path = fingerprint.replace(".fingerprint", "")
        if not os.path.exists(path):
-            missing_content.append(path)
+            # paired content path is entirely missing — the .fingerprint is likely
            # leftover from a moved/deleted source (testdata trees are git-ignored,
            # so they persist locally across rename refactors)
            orphan_fingerprints.append(fingerprint)
            continue
        if not os.path.isdir(path):
@ -39,13 +49,13 @@ def find_fingerprints_and_check_dirs(base_dir):
        if os.listdir(path):
            valid_paths.add(path)
        else:
-            missing_content.append(path)
+            empty_content.append(path)
-        with open(fingerprint, 'r') as f:
+        with open(fingerprint, "r") as f:
            content = f.read().strip()
            fingerprint_contents.append((fingerprint, content))
-    return sorted(valid_paths), missing_content, fingerprint_contents
+    return sorted(valid_paths), empty_content, orphan_fingerprints, fingerprint_contents
 def parse_fingerprint_contents(fingerprint_content):
@ -59,7 +69,9 @@ def parse_fingerprint_contents(fingerprint_content):
 def calculate_sha256(fingerprint_contents):
    sorted_fingerprint_contents = sorted(fingerprint_contents, key=lambda x: x[0])
-    concatenated_contents = ''.join(content for _, content in sorted_fingerprint_contents)
+    concatenated_contents = "".join(
        content for _, content in sorted_fingerprint_contents
    )
    sha256_hash = hashlib.sha256(concatenated_contents.encode()).hexdigest()
@ -68,7 +80,7 @@ def calculate_sha256(fingerprint_contents):
 def calculate_file_sha256(file_path):
    sha256_hash = hashlib.sha256()
-    with open(file_path, 'rb') as f:
+    with open(file_path, "rb") as f:
        for byte_block in iter(lambda: f.read(4096), b""):
            sha256_hash.update(byte_block)
    return sha256_hash.hexdigest()
@ -79,17 +91,28 @@ def show(*s: str):
 def main(file_path: str | None):
-    base_dir = '.'
+    base_dir = "."
-    valid_paths, missing_content, fingerprint_contents = find_fingerprints_and_check_dirs(base_dir)
+    valid_paths, empty_content, orphan_fingerprints, fingerprint_contents = (
        find_fingerprints_and_check_dirs(base_dir)
    )
-    if missing_content:
+    if empty_content:
-        show("The following paths are missing or have no content, but have corresponding .fingerprint files:")
+        show(
-        for path in sorted(missing_content):
+            "The following paths exist but are empty, and have corresponding .fingerprint files:"
        )
        for path in sorted(empty_content):
            show(f"- {path}")
        # when adding new cache directories there is a time where it is not possible to have this directory without
        # running the tests first... but this step is a prerequisite for running the tests. We should not block on this.
-        # show("Please ensure these paths exist and have content if they are directories.")
+
-        # exit(1)
+    if orphan_fingerprints:
        show(
            "The following .fingerprint files reference paths that no longer exist "
            "(likely leftover from a moved/deleted cataloger — safe to delete, "
            "or run `task prune-orphan-fingerprints`):"
        )
        for fp in sorted(orphan_fingerprints):
            show(f"- {fp}")
    sha256_hash = calculate_sha256(fingerprint_contents)
@ -101,30 +124,24 @@ def main(file_path: str | None):
                file_digest = calculate_file_sha256(fingerprint_file)
                # Parse the fingerprint file to get the digest/path tuples
-                with open(fingerprint_file, 'r') as f:
+                with open(fingerprint_file, "r") as f:
                    fingerprint_content = f.read().strip()
                    input_map = parse_fingerprint_contents(fingerprint_content)
-                paths_with_digests.append({
+                paths_with_digests.append(
-                    "path": path,
+                    {"path": path, "digest": file_digest, "input": input_map}
-                    "digest": file_digest,
+                )
                    "input": input_map
                })
        except Exception as e:
            show(f"Error processing {fingerprint_file}: {e}")
            raise e
-
+    output = {"digest": sha256_hash, "paths": paths_with_digests}
    output = {
        "digest": sha256_hash,
        "paths": paths_with_digests
    }
    content = json.dumps(output, indent=2, sort_keys=True)
    if file_path:
-        with open(file_path, 'w') as f:
+        with open(file_path, "w") as f:
            f.write(content)
    print(content)
--- a/.github/scripts/go-mod-tidy-check.sh
+++ b/.github/scripts/go-mod-tidy-check.sh
@ -1,30 +0,0 @@
 #!/usr/bin/env bash
 set -eu
 ORIGINAL_STATE_DIR=$(mktemp -d "TEMP-original-state-XXXXXXXXX")
 TIDY_STATE_DIR=$(mktemp -d "TEMP-tidy-state-XXXXXXXXX")
 trap "cp -p ${ORIGINAL_STATE_DIR}/* ./ && git update-index -q --refresh && rm -fR ${ORIGINAL_STATE_DIR} ${TIDY_STATE_DIR}" EXIT
 # capturing original state of files...
 cp go.mod go.sum "${ORIGINAL_STATE_DIR}"
 # capturing state of go.mod and go.sum after running go mod tidy...
 go mod tidy
 cp go.mod go.sum "${TIDY_STATE_DIR}"
 set +e
 # detect difference between the git HEAD state and the go mod tidy state
 DIFF_MOD=$(diff -u "${ORIGINAL_STATE_DIR}/go.mod" "${TIDY_STATE_DIR}/go.mod")
 DIFF_SUM=$(diff -u "${ORIGINAL_STATE_DIR}/go.sum" "${TIDY_STATE_DIR}/go.sum")
 if [[ -n "${DIFF_MOD}" || -n "${DIFF_SUM}" ]]; then
    echo "go.mod diff:"
    echo "${DIFF_MOD}"
    echo "go.sum diff:"
    echo "${DIFF_SUM}"
    echo ""
    printf "FAILED! go.mod and/or go.sum are NOT tidy; please run 'go mod tidy'.\n\n"
    exit 1
 fi
--- a/.github/scripts/prune_orphan_fingerprints.py
+++ b/.github/scripts/prune_orphan_fingerprints.py
@ -0,0 +1,102 @@
 #!/usr/bin/env python3
 """
 Remove orphan *.fingerprint files left behind by moved/deleted catalogers.
 A fingerprint is considered orphaned when:
  1. its paired content path (the fingerprint path with `.fingerprint` stripped)
     does not exist, AND
  2. the nearest ancestor `testdata/` directory has no `Makefile` claiming
     responsibility for generating that path.
 The second condition is the safety check: if there is a Makefile, the
 fingerprint is "live" and might just be waiting for fixtures to be built —
 leave it alone. Without a Makefile, nothing in-repo will ever regenerate
 the content, so the fingerprint is dead weight that triggers spurious
 "missing path" warnings.
 Empty parent directories are also pruned after removing the fingerprint.
 Use --dry-run to preview without deleting.
 """
 from __future__ import annotations
 import argparse
 import glob
 import os
 import sys
 def find_ancestor_testdata(path: str) -> str | None:
    d = os.path.dirname(path)
    while d and d not in (".", os.sep):
        if os.path.basename(d) == "testdata":
            return d
        d = os.path.dirname(d)
    return None
 def is_orphan(fingerprint: str) -> bool:
    paired = fingerprint[: -len(".fingerprint")]
    if os.path.exists(paired):
        return False
    testdata_dir = find_ancestor_testdata(fingerprint)
    if testdata_dir and os.path.isfile(os.path.join(testdata_dir, "Makefile")):
        # a Makefile exists that may regenerate this — not safe to prune
        return False
    return True
 def prune_empty_parents(start: str, stop_at: str = ".") -> list[str]:
    removed = []
    d = os.path.dirname(start)
    stop_at = os.path.abspath(stop_at)
    while d and os.path.abspath(d) != stop_at:
        try:
            if not os.listdir(d):
                os.rmdir(d)
                removed.append(d)
                d = os.path.dirname(d)
            else:
                break
        except OSError:
            break
    return removed
 def main() -> int:
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument(
        "--dry-run",
        action="store_true",
        help="Show what would be removed without deleting anything",
    )
    args = parser.parse_args()
    all_fingerprints = glob.glob("**/test*/**/*.fingerprint", recursive=True)
    orphans = sorted(fp for fp in all_fingerprints if is_orphan(fp))
    if not orphans:
        print("no orphan fingerprints found")
        return 0
    verb = "would remove" if args.dry_run else "removing"
    print(f"{verb} {len(orphans)} orphan fingerprint(s):")
    for fp in orphans:
        print(f"- {fp}")
        if args.dry_run:
            continue
        try:
            os.remove(fp)
        except OSError as e:
            print(f"  ! failed to remove: {e}", file=sys.stderr)
            continue
        for d in prune_empty_parents(fp):
            print(f"  (also removed empty dir {d})")
    return 0
 if __name__ == "__main__":
    sys.exit(main())
--- a/.github/scripts/trigger-release.sh
+++ b/.github/scripts/trigger-release.sh
@ -1,57 +0,0 @@
 #!/usr/bin/env bash
 set -eu
 bold=$(tput bold)
 normal=$(tput sgr0)
 GH_CLI=.tool/gh
 if ! [ -x "$(command -v $GH_CLI)" ]; then
    echo "The GitHub CLI could not be found. run: make bootstrap"
    exit 1
 fi
 $GH_CLI auth status
 # set the default repo in cases where multiple remotes are defined
 $GH_CLI repo set-default anchore/syft
 export GITHUB_TOKEN="${GITHUB_TOKEN-"$($GH_CLI auth token)"}"
 # we need all of the git state to determine the next version. Since tagging is done by
 # the release pipeline it is possible to not have all of the tags from previous releases.
 git fetch --tags
 # populates the CHANGELOG.md and VERSION files
 echo "${bold}Generating changelog...${normal}"
 make changelog 2> /dev/null
 NEXT_VERSION=$(cat VERSION)
 if [[ "$NEXT_VERSION" == "" ||  "${NEXT_VERSION}" == "(Unreleased)" ]]; then
    echo "Could not determine the next version to release. Exiting..."
    exit 1
 fi
 while true; do
    read -p "${bold}Do you want to trigger a release for version '${NEXT_VERSION}'?${normal} [y/n] " yn
    case $yn in
        [Yy]* ) echo; break;;
        [Nn]* ) echo; echo "Cancelling release..."; exit;;
        * ) echo "Please answer yes or no.";;
    esac
 done
 echo "${bold}Kicking off release for ${NEXT_VERSION}${normal}..."
 echo
 $GH_CLI workflow run release.yaml -f version=${NEXT_VERSION}
 echo
 echo "${bold}Waiting for release to start...${normal}"
 sleep 10
 set +e
 echo "${bold}Head to the release workflow to monitor the release:${normal} $($GH_CLI run list --workflow=release.yaml --limit=1 --json url --jq '.[].url')"
 id=$($GH_CLI run list --workflow=release.yaml --limit=1 --json databaseId --jq '.[].databaseId')
 $GH_CLI run watch $id --exit-status || (echo ; echo "${bold}Logs of failed step:${normal}" && GH_PAGER="" $GH_CLI run view $id --log-failed)
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@ -1,6 +1,3 @@
 # CodeQL scans for security vulnerabilities and coding errors across all
 # languages in this repo. Results appear in the "Security" tab under
 # "Code scanning alerts" and are enforced by branch protection rules.
 name: "CodeQL"
 on:
@ -8,74 +5,17 @@ on:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  # Weekly scheduled scan catches newly disclosed vulnerabilities in
  # existing code, not just changes introduced by PRs.
  schedule:
    - cron: '38 11 * * 3'
 permissions: {}
 jobs:
  analyze:
-    name: Analyze (${{ matrix.language }})
+    name: Analyze
-    runs-on: ubuntu-latest
+    uses: anchore/workflows/.github/workflows/codeql.yaml@b0c30a80409130d329aaa356fd64a34d8c0b3375 # v0.7.2
    permissions:
      # Required to upload SARIF results to the "Security" tab.
      security-events: write
      # Required to fetch internal or private CodeQL packs.
      packages: read
      # Only required for workflows in private repositories.
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        include:
          # GitHub Actions workflow linting — no build needed.
          - language: actions
            build-mode: none
          # Go uses "manual" build mode so we control exactly what gets
          # compiled. The default "autobuild" finds the Makefile and runs
          # the full CI pipeline (lint, test, snapshot release, etc.),
          # which is far more work than CodeQL needs. All it requires is
          # compiled Go source so it can build a type-resolved code graph
          # for analysis.
          - language: go
            build-mode: manual
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # Pin the Go toolchain to whatever go.mod declares so CodeQL
      # analyzes with the same version the project actually uses.
      # Only runs for the Go matrix entry.
      - name: Setup Go
        if: matrix.language == 'go'
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
      - name: Initialize CodeQL
        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
      # Minimal build for Go: compile all packages so CodeQL gets a full
      # type-resolved code graph for analysis.
      - name: Build (Go)
        if: matrix.build-mode == 'manual'
        shell: bash
        run: go build ./...
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          # The category tag lets GitHub associate SARIF results with the
          # correct language when branch protection checks for required
          # code scanning results.
          category: "/language:${{matrix.language}}"
--- a/.github/workflows/dependabot-automation.yaml
+++ b/.github/workflows/dependabot-automation.yaml
@ -1,10 +0,0 @@
 name: Dependabot Automation
 on:
  pull_request:
 permissions:
  pull-requests: write
 jobs:
  run:
    uses: anchore/workflows/.github/workflows/dependabot-automation.yaml@main
--- a/.github/workflows/detect-schema-changes.yaml
+++ b/.github/workflows/detect-schema-changes.yaml
@ -1,64 +0,0 @@
 # Note: this workflow has been disabled manually in the UI and will be replaced in short order
 name: "Detect schema changes"
 on:
  # IMPORTANT! This workflow is triggered by the `pull_request_target` event
  # which means that forked PRs will run with access secrets from the repo
  # it's forked from (the "target" repo).
  #
  # For this reason we only NEVER checkout the code from the pull request
  # (e.g. "ref: ${{ github.event.pull_request.head.sha }}") to prevent
  # accidentally running potentially untrusted code.
  #
  # By default the checkout will be:
  #   - GITHUB_SHA: Last commit on the PR base branch
  #   - GITHUB_REF: PR base branch
  #
  # ...unlike a typical PR where:
  #   - GITHUB_SHA: Last merge commit on the GITHUB_REF branch
  #   - GITHUB_REF: PR merge branch refs/pull/:prNumber/merge
  pull_request_target:
 env:
  # note: this is used within hashFiles() so must be within the GITHUB_WORKSPACE path (or will silently fail)
  CI_COMMENT_FILE: .tmp/labeler-comment.txt
  # needs to be any string to uniquely identify the comment on a PR across multiple runs
  COMMENT_HEADER: "label-commentary"
 jobs:
  label:
    name: "Label changes"
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      pull-requests: write
      issues: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          persist-credentials: false
          repository: anchore/syft # IMPORTANT! An additional protection that this is checking out code from the expected repository 
          ref: main # IMPORTANT!  It is CRITICAL that this only ever considers the code from main and NEVER EVER from a fork.
      - run: python .github/scripts/labeler.py
        env:
          # note: this token has write access to the repo
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_PR_NUMBER: ${{ github.event.number }}
      - name: Delete existing comment
        if: ${{ hashFiles( env.CI_COMMENT_FILE ) == '' }}
        uses: marocchino/sticky-pull-request-comment@d4d6b0936434b21bc8345ad45a440c5f7d2c40ff #v3.0.3
        with:
          header: ${{ env.COMMENT_HEADER }}
          hide: true
          hide_classify: "OUTDATED"
      - name: Add comment
        if: ${{ hashFiles( env.CI_COMMENT_FILE ) != '' }}
        uses: marocchino/sticky-pull-request-comment@d4d6b0936434b21bc8345ad45a440c5f7d2c40ff #v3.0.3
        with:
          header: ${{ env.COMMENT_HEADER }}
          path: ${{ env.CI_COMMENT_FILE }}
--- a/.github/workflows/oss-project-board-add.yaml
+++ b/.github/workflows/oss-project-board-add.yaml
@ -1,18 +0,0 @@
 name: Add to OSS board
 permissions:
  contents: read
 on:
  issues:
    types:
      - opened
      - reopened
      - transferred
      - labeled
 jobs:
  run:
    uses: "anchore/workflows/.github/workflows/oss-project-board-add.yaml@main"
    secrets:
      token: ${{ secrets.OSS_PROJECT_GH_TOKEN }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -1,7 +1,11 @@
 name: "Release"
-permissions:
+permissions: {}
-  contents: read
+
 # there should never be two releases in progress at the same time
 concurrency:
  group: release
  cancel-in-progress: false
 on:
  workflow_dispatch:
@ -19,116 +23,30 @@ on:
          - "install-script-only"
 jobs:
-  quality-gate:
+  version-available:
    environment: release
    if: ${{ github.event.inputs.phase == 'all' }}
-    runs-on: ubuntu-24.04
+    permissions:
-    steps:
+      contents: read # required for fetching tags
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+    uses: anchore/workflows/.github/workflows/check-version-available.yaml@b0c30a80409130d329aaa356fd64a34d8c0b3375 # v0.7.2
    with:
-          persist-credentials: false
+      version: ${{ github.event.inputs.version }}
-      - name: Bootstrap environment
+  check-gate:
-        uses: ./.github/actions/bootstrap
+    if: ${{ github.event.inputs.phase == 'all' }}
-
+    permissions:
-      - name: Validate Apple notarization credentials
+      contents: read
-        run: .tool/quill submission list
+      checks: read # required for getting the status of specific check names
-        env:
+    uses: anchore/workflows/.github/workflows/check-gate.yaml@b0c30a80409130d329aaa356fd64a34d8c0b3375 # v0.7.2
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
      - name: Check if running on main
        if: github.ref != 'refs/heads/main'
        # we are using the following flag when running `cosign blob-verify` for checksum signature verification:
        #   --certificate-identity-regexp "https://github.com/anchore/.github/workflows/release.yaml@refs/heads/main"
        # if we are not on the main branch, the signature will not be verifiable since the suffix requires the main branch
        # at the time of when the OIDC token was issued on the Github Actions runner.
        run: echo "This can only be run on the main branch otherwise releases produced will not be verifiable with cosign" && exit 1
      - name: Check if tag already exists
        # note: this will fail if the tag already exists
        run: |
          [[ "$VERSION" == v* ]] || (echo "version '$VERSION' does not have a 'v' prefix" && exit 1)
          git tag "$VERSION"
        env:
          VERSION: ${{ github.event.inputs.version }}
      - name: Check static analysis results
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: static-analysis
    with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+      # these are checks that should be run on pull-request and merges to main.
-          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
+      # we do NOT want to kick off a release if these have not been verified on main.
-          checkName: "Static analysis"
+      # Please see the validations.yaml workflow for the names that should be used here.
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+      checks: '["Acceptance tests (Linux)", "Acceptance tests (Mac)", "Build snapshot artifacts", "CLI tests (Linux)", "Integration tests", "Static analysis", "Unit tests"]'
      - name: Check unit test results
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: unit
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Unit tests"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
      - name: Check integration test results
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: integration
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Integration tests"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
      - name: Check acceptance test results (linux)
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: acceptance-linux
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Acceptance tests (Linux)"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
      - name: Check acceptance test results (mac)
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: acceptance-mac
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Acceptance tests (Mac)"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
      - name: Check cli test results (linux)
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: cli-linux
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "CLI tests (Linux)"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
      - name: Quality gate
        if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.integration.outputs.conclusion != 'success' || steps.cli-linux.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success'
        env:
          STATIC_ANALYSIS_STATUS: ${{ steps.static-analysis.conclusion }}
          UNIT_TEST_STATUS: ${{ steps.unit.outputs.conclusion }}
          INTEGRATION_TEST_STATUS: ${{ steps.integration.outputs.conclusion }}
          ACCEPTANCE_LINUX_STATUS: ${{ steps.acceptance-linux.outputs.conclusion }}
          ACCEPTANCE_MAC_STATUS: ${{ steps.acceptance-mac.outputs.conclusion }}
          CLI_LINUX_STATUS: ${{ steps.cli-linux.outputs.conclusion }}
        run: |
          echo "Static Analysis Status: $STATIC_ANALYSIS_STATUS"
          echo "Unit Test Status: $UNIT_TEST_STATUS"
          echo "Integration Test Status: $INTEGRATION_TEST_STATUS"
          echo "Acceptance Test (Linux) Status: $ACCEPTANCE_LINUX_STATUS"
          echo "Acceptance Test (Mac) Status: $ACCEPTANCE_MAC_STATUS"
          echo "CLI Test (Linux) Status: $CLI_LINUX_STATUS"
          false
  release:
-    needs: [ quality-gate ]
+    needs: [check-gate, version-available]
    if: ${{ github.event.inputs.phase == 'all' }}
    environment: release
    # runs-on.com: compute instances for parallel builds
    #   spot disabled: reliability for build workflows (used for releases too)
    #   goreleaser uses parallelism of 12, so we need more CPUs
@ -136,12 +54,11 @@ jobs:
    #   tmpfs: faster io-intensive workflows
    runs-on: runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=s3-cache+tmpfs
    permissions:
-      contents: write
+      contents: write # required for creating the GitHub release and pushing the version tag
-      packages: write
+      packages: write # required for publishing release artifacts to GitHub packages
-      # required for goreleaser signs section with cosign
+      id-token: write # required for keyless signing (cosign/sigstore OIDC)
      id-token: write
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #v6.0.3
        with:
          fetch-depth: 0
          persist-credentials: true
@ -150,31 +67,24 @@ jobs:
        uses: ./.github/actions/bootstrap
      - name: Login to Docker Hub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  #v4.1.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee #v4.2.0
        with:
          username: ${{ secrets.ANCHOREOSSWRITE_DH_USERNAME }}
          password: ${{ secrets.ANCHOREOSSWRITE_DH_PAT }}
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  #v4.1.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee #v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Tag release
        run: |
          git config --global user.name "anchoreci"
          git config --global user.email "anchoreci@users.noreply.github.com"
          git tag -a "$VERSION" -m "Release $VERSION"
          git push origin --tags
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ github.event.inputs.version }}
      - name: Build & publish release artifacts
        run: make ci-release
        env:
          # used for pushing tags
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
          RELEASE_VERSION: ${{ github.event.inputs.version }}
          # for mac signing and notarization...
          QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }}
          QUILL_SIGN_PASSWORD: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_PASS }}
@ -192,30 +102,12 @@ jobs:
          file: go.mod
          artifact-name: sbom.spdx.json
      - name: Notify Slack of new release
        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 #v3.0.1
        continue-on-error: true
        with:
          webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
          webhook-type: incoming-webhook
          payload: |
            text: "A new Syft release has been published: https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}"
            blocks:
              - type: section
                text:
                  type: mrkdwn
                  text: |
                    *A new Syft release has been published* :rocket:
                    • Release: <https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}|${{ github.event.inputs.version }}>
                    • Repo: `${{ github.repository }}`
                    • Workflow: `${{ github.workflow }}`
                    • Event: `${{ github.event_name }}`
        if: ${{ success() }}
  release-install-script:
    needs: [release]
    if: ${{ always() && (needs.release.result == 'success' || github.event.inputs.phase == 'install-script-only') }}
-    uses: "anchore/workflows/.github/workflows/release-install-script.yaml@main"
+    permissions:
      contents: read # required for the reusable workflow to check out the repo and publish the install script
    uses: anchore/workflows/.github/workflows/release-install-script.yaml@b0c30a80409130d329aaa356fd64a34d8c0b3375 # v0.7.2
    with:
      tag: ${{ github.event.inputs.version }}
    secrets:
--- a/.github/workflows/remove-awaiting-response-label.yaml
+++ b/.github/workflows/remove-awaiting-response-label.yaml
@ -1,15 +0,0 @@
 name: "Manage Awaiting Response Label"
 on:
  issue_comment:
    types: [created]
 jobs:
  run:
    permissions:
      contents: read
      issues: write
      pull-requests: write
    uses: "anchore/workflows/.github/workflows/remove-awaiting-response-label.yaml@main"
    secrets:
      token: ${{ secrets.OSS_PROJECT_GH_TOKEN }}
--- a/.github/workflows/validate-github-actions.yaml
+++ b/.github/workflows/validate-github-actions.yaml
@ -10,8 +10,7 @@ on:
      - '.github/workflows/**'
      - '.github/actions/**'
-permissions:
+permissions: {}
  contents: read
 jobs:
  zizmor:
@ -21,12 +20,12 @@ jobs:
      contents: read
      security-events: write  # for uploading SARIF results
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: "Run zizmor"
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
        with:
          # there is a pass/fail gate as a repo ruleset (if there is no ruleset configured then the action will pass by default)
          advanced-security: true
--- a/.github/workflows/validations.yaml
+++ b/.github/workflows/validations.yaml
@ -13,8 +13,7 @@ on:
    branches:
      - main
-permissions:
+permissions: {}
  contents: read
 jobs:
  Static-Analysis:
@ -22,11 +21,14 @@ jobs:
    name: "Static analysis"
    # runs-on.com: memory & general purpose instances for testing
    #   spot enabled: ok to interrupt non-production workloads
    #   s3-cache: faster actions cache
    #   tmpfs: faster io-intensive workflows
-    runs-on: &test-runner "runs-on=${{ github.run_id }}/cpu=4+8/ram=32+128/family=r5+r6+r7+r8+m4+m5+m6+m7+m8/spot=price-capacity-optimized/extras=s3-cache+tmpfs"
+    #   note: s3-cache intentionally omitted -- PR runs are untrusted and must not write to the
    #   shared cache backend that the trusted release workflow reads from (cache poisoning).
    runs-on: &test-runner "runs-on=${{ github.run_id }}/cpu=4+8/ram=32+128/family=r5+r6+r7+r8+m4+m5+m6+m7+m8/spot=price-capacity-optimized/extras=tmpfs"
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #v6.0.3
        with:
          persist-credentials: false
@ -45,8 +47,10 @@ jobs:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Unit tests"
    runs-on: *test-runner
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #v6.0.3
        with:
          persist-credentials: false
@ -65,8 +69,10 @@ jobs:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Integration tests"
    runs-on: *test-runner
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #v6.0.3
        with:
          persist-credentials: false
@ -86,14 +92,14 @@ jobs:
    # runs-on.com: compute instances for parallel builds
    #   spot disabled: reliability for build workflows (used for releases too)
    #   goreleaser uses parallelism of 12, so we need more CPUs
    #   s3-cache: faster actions cache
    #   tmpfs: faster io-intensive workflows
-    runs-on: "runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=s3-cache+tmpfs"
+    #   note: s3-cache intentionally omitted -- PR runs are untrusted and must not write to the
    #   shared cache backend that the trusted release workflow reads from (cache poisoning).
    runs-on: "runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=tmpfs"
    permissions:
      contents: read
    steps:
-      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #v6.0.3
      - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0  # v2.1.0
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          persist-credentials: false
@ -120,11 +126,10 @@ jobs:
    name: "Acceptance tests (Linux)"
    needs: [Build-Snapshot-Artifacts]
    runs-on: *test-runner
    permissions:
      contents: read
    steps:
-      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #v6.0.3
      - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0  # v2.1.0
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          persist-credentials: false
@ -162,11 +167,13 @@ jobs:
    needs: [Build-Snapshot-Artifacts]
    # note: macos runners aren't supported yet for runs-on managed runners.
    runs-on: macos-latest
    permissions:
      contents: read
    steps:
      - name: Install Cosign
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #v6.0.3
        with:
          persist-credentials: false
@ -197,11 +204,10 @@ jobs:
    name: "CLI tests (Linux)"
    needs: [Build-Snapshot-Artifacts]
    runs-on: *test-runner
    permissions:
      contents: read
    steps:
-      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #v6.0.3
      - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0  # v2.1.0
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          persist-credentials: false
--- a/.gitignore
+++ b/.gitignore
@ -3,6 +3,8 @@ go.work
 go.work.sum
 .tool-versions
 .python-version
 .mise.toml
 .env
 # app configuration
 /.syft.yaml
@ -20,6 +22,8 @@ bin/
 /generate
 /specs
 mise.toml
 .make/.make
 .conductor
 # changelog generation
 CHANGELOG.md
@ -76,5 +80,3 @@ cosign.pub
 __pycache__/
 *.py[cod]
 *$py.class
--- a/.make/go.mod
+++ b/.make/go.mod
@ -0,0 +1,14 @@
 module github.com/anchore/syft/.make
 go 1.25.8
 require (
 	github.com/anchore/go-make v0.5.0
 	github.com/goccy/go-yaml v1.19.2
 )
 require (
 	github.com/bmatcuk/doublestar/v4 v4.10.0 // indirect
 	golang.org/x/mod v0.36.0 // indirect
 	golang.org/x/sys v0.44.0 // indirect
 )
--- a/.make/go.sum
+++ b/.make/go.sum
@ -0,0 +1,10 @@
 github.com/anchore/go-make v0.5.0 h1:VGlwqVhzowFb+9w/gaWUIid/YXvQZReBWKcj4LaZ3dM=
 github.com/anchore/go-make v0.5.0/go.mod h1:Nc/tkwQHW1d1Vi8+0rtS/vSrH6pxieaUQXLdrctn+8g=
 github.com/bmatcuk/doublestar/v4 v4.10.0 h1:zU9WiOla1YA122oLM6i4EXvGW62DvKZVxIe6TYWexEs=
 github.com/bmatcuk/doublestar/v4 v4.10.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
 golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
 golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
 golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
--- a/.make/main.go
+++ b/.make/main.go
@ -0,0 +1,209 @@
 package main
 import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"runtime"
 	"github.com/goccy/go-yaml"
 	. "github.com/anchore/go-make"
 	"github.com/anchore/go-make/file"
 	"github.com/anchore/go-make/git"
 	"github.com/anchore/go-make/lang"
 	"github.com/anchore/go-make/run"
 	"github.com/anchore/go-make/tasks/golint"
 	"github.com/anchore/go-make/tasks/goreleaser"
 	"github.com/anchore/go-make/tasks/gotest"
 )
 // taskfileDescriptions maps Taskfile.yaml task names to their `desc:` field.
 // Loaded at package init so wrap() can use Taskfile.yaml as the single source
 // of truth for wrapped-task descriptions.
 var taskfileDescriptions = mustReadTaskfileDescriptions()
 func main() {
 	Makefile(
 		// shared anchore tasks
 		golint.Tasks(),
 		goreleaser.Tasks(),
 		// unit tests: exclude packages under any test/ directory (matches the syft
 		// Taskfile's prior `grep -v` against test paths). Coverage threshold of 62%
 		// preserves the prior coverage gate that used to live in scripts/coverage.py.
 		gotest.Tasks(
 			gotest.Name("unit"),
 			gotest.ExcludeGlob("**/test/**"),
 			gotest.CoverageThreshold(62),
 		),
 		// integration tests: native go-make Task. The race-detector smoke against a
 		// real image stays bundled here (RunsOn integration) so `make integration`
 		// behaves like the Taskfile version did.
 		gotest.Tasks(
 			gotest.Name("integration"),
 			gotest.IncludeGlob("./cmd/syft/internal/test/integration/..."),
 			gotest.Verbose(),
 			gotest.NoCoverage(),
 		),
 		Task{
 			Name:        "integration:race-smoke",
 			Description: "exercise the CLI with the race detector",
 			RunsOn:      lang.List("integration"),
 			Run: func() {
 				Run("go run -race cmd/syft/main.go anchore/test_images:grype-quality-dotnet-69f15d2")
 			},
 		},
 		// cli tests: native go-make Task. Requires SYFT_BINARY_LOCATION pointing at
 		// an *absolute* path to the snapshot binary. Intentionally does NOT depend
 		// on snapshot: in CI we download a pre-built snapshot artifact and re-running
 		// goreleaser here would both burn ~10m and clobber the downloaded binary.
 		// Locally, the failure message tells you to run `make snapshot` first.
 		Task{
 			Name:        "cli",
 			Description: "Run CLI tests",
 			RunsOn:      lang.List("test"),
 			Run: func() {
 				bin := snapshotBinPath()
 				if !file.Exists(bin) {
 					panic(fmt.Sprintf("snapshot binary not found at %s; run `make snapshot` first", bin))
 				}
 				Log("testing binary: %s", bin)
 				Run(
 					"go test -count=1 -timeout=15m -v ./test/cli",
 					run.Env("SYFT_BINARY_LOCATION", bin),
 				)
 			},
 		},
 		// default validation pipeline (replaces Taskfile `default`/`pr-validations`/`validations`).
 		Task{
 			Name:         "default",
 			Description:  "Run all validation tasks",
 			Dependencies: Deps("static-analysis", "test", "install-test"),
 		},
 		// --- everything below is implemented in Taskfile.yaml and surfaced here
 		// via wrap(). Descriptions come from Taskfile.yaml (single source of truth).
 		// static analysis extras
 		wrap("check-json-schema-drift").RunOn("static-analysis"),
 		wrap("check-capability-drift"),
 		wrap("check-binary-fixture-size").RunOn("static-analysis"),
 		// test extras
 		wrap("validate-cyclonedx-schema").RunOn("test"),
 		wrap("test-utils").RunOn("test"),
 		wrap("check-docker-cache").RunOn("test"),
 		wrap("snapshot-smoke-test"),
 		// update commands
 		wrap("update-format-golden-files"),
 		// fixture cache plumbing (heavy ORAS logic, lives in Taskfile).
 		// refresh-fixtures hooks into "unit" so `make unit` triggers the
 		// stale-cache detection + download just like `task unit` did on main
 		// (its `deps: [tmpdir, fixtures]` is what kept the fixture cache fresh).
 		wrap("fingerprints"),
 		wrap("refresh-fixtures").RunOn("unit"),
 		wrap("fixtures"),
 		wrap("build-fixtures"),
 		wrap("download-test-fixture-cache"),
 		wrap("upload-test-fixture-cache"),
 		wrap("show-test-image-cache"),
 		// install-script tests (delegates to test/install/Makefile)
 		wrap("install-test"),
 		wrap("install-test-cache-save"),
 		wrap("install-test-cache-load"),
 		wrap("install-test-ci-mac"),
 		// compare tests
 		wrap("generate-compare-file"),
 		wrap("compare-mac"),
 		wrap("compare-linux"),
 		wrap("compare-test-deb-package-install"),
 		wrap("compare-test-rpm-package-install"),
 		// code/data generation (umbrella + per-target; each lives in Taskfile)
 		wrap("generate"),
 		wrap("generate-json-schema"),
 		wrap("generate-license-list"),
 		wrap("generate-cpe-dictionary-index"),
 		wrap("generate-capabilities"),
 		// cleanup (each hooks into go-make's built-in `clean` label)
 		wrap("clean-snapshot").RunOn("clean"),
 		wrap("clean-docker-cache").RunOn("clean"),
 		wrap("clean-oras-cache").RunOn("clean"),
 		wrap("clean-cache").RunOn("clean"),
 		wrap("clean-test-observations").RunOn("clean"),
 	)
 }
 // wrap creates a go-make Task that delegates execution to `task <name>`. The
 // task's description is pulled from Taskfile.yaml's `desc:` field — descriptions
 // for wrapped tasks must always live in Taskfile.yaml, never here.
 func wrap(name string) Task {
 	desc, ok := taskfileDescriptions[name]
 	if !ok || desc == "" {
 		// loud-fail at startup so missing descs can't sneak through review.
 		panic(fmt.Sprintf("Taskfile.yaml task %q is missing a `desc:` field; please add one", name))
 	}
 	return Task{
 		Name:        name,
 		Description: desc,
 		Run:         func() { Run("task " + name) },
 	}
 }
 // mustReadTaskfileDescriptions parses Taskfile.yaml at the repo root and returns
 // a map of task name -> desc. Runs at package init time so wrap() can use it.
 func mustReadTaskfileDescriptions() map[string]string {
 	root := git.Root()
 	if root == "" {
 		return nil
 	}
 	path := filepath.Join(root, "Taskfile.yaml")
 	data, err := os.ReadFile(path) //nolint:gosec // G304: path resolved from git.Root()
 	if err != nil {
 		return nil
 	}
 	var tf struct {
 		Tasks map[string]struct {
 			Desc    string   `yaml:"desc"`
 			Aliases []string `yaml:"aliases"`
 		} `yaml:"tasks"`
 	}
 	lang.Throw(yaml.Unmarshal(data, &tf))
 	out := make(map[string]string, len(tf.Tasks))
 	for name, t := range tf.Tasks {
 		out[name] = t.Desc
 		// aliases inherit the canonical task's description so wrap() can find them.
 		for _, alias := range t.Aliases {
 			out[alias] = t.Desc
 		}
 	}
 	return out
 }
 // snapshotBinPath replicates the SNAPSHOT_BIN computation from the prior Taskfile:
 // <repoRoot>/snapshot/<os>-build_<os>_<arch>/syft, where arch maps amd64->amd64_v1
 // and arm64->arm64_v8.0 to match goreleaser's per-target output directory naming.
 // Returns an absolute path: the cli tests' getSyftBinaryLocation contract requires
 // SYFT_BINARY_LOCATION to be absolute because subtests run with cmd.Dir = t.TempDir().
 func snapshotBinPath() string {
 	osName := runtime.GOOS
 	var arch string
 	switch runtime.GOARCH {
 	case "amd64":
 		arch = "amd64_v1"
 	case "arm64":
 		arch = "arm64_v8.0"
 	default:
 		arch = runtime.GOARCH
 	}
 	return filepath.Join(RootDir(), "snapshot", osName+"-build_"+osName+"_"+arch, "syft")
 }
--- a/54
+++ b/54
@ -1,46 +1,18 @@
-OWNER = anchore
+# `test` and `snapshot` have matching directory names in this repo, so make would
-PROJECT = syft
+# refuse to run them without an explicit .PHONY (Nothing to be done for ...).
 .PHONY: test snapshot
 test:
 	@go run -C .make . test
-TOOL_DIR = .tool
+snapshot:
-BINNY = $(TOOL_DIR)/binny
+	@go run -C .make . snapshot
 TASK = $(TOOL_DIR)/task
-.DEFAULT_GOAL := make-default
+.PHONY: *
 .DEFAULT_GOAL: make-default
-## Bootstrapping targets #################################
+make-default:
 	@go run -C .make .
-# note: we need to assume that binny and task have not already been installed
+.DEFAULT:
 $(BINNY):
 	@mkdir -p $(TOOL_DIR)
 	@curl -sSfL https://get.anchore.io/binny | sh -s -- -b $(TOOL_DIR)
 # note: we need to assume that binny and task have not already been installed
 .PHONY: task
 $(TASK) task: $(BINNY)
 	@$(BINNY) install task -q
 .PHONY: ci-bootstrap-go
 ci-bootstrap-go:
 	go mod download
 # this is a bootstrapping catch-all, where if the target doesn't exist, we'll ensure the tools are installed and then try again
 %:
-	@make --silent $(TASK)
+	@go run -C .make . $@
 	@$(TASK) $@
 ## Shim targets #################################
 .PHONY: make-default
 make-default: $(TASK)
 	@# run the default task in the taskfile
 	@$(TASK)
 # for those of us that can't seem to kick the habit of typing `make ...` lets wrap the superior `task` tool
 TASKS := $(shell bash -c "test -f $(TASK) && NO_COLOR=1 $(TASK) -l | grep '^\* ' | cut -d' ' -f2 | tr -d ':' | tr '\n' ' '" ) $(shell bash -c "test -f $(TASK) && NO_COLOR=1 $(TASK) -l | grep 'aliases:' | cut -d ':' -f 3 | tr '\n' ' ' | tr -d ','")
 .PHONY: $(TASKS)
 $(TASKS): $(TASK)
 	@$(TASK) $@
 help: $(TASK)
 	@$(TASK) -l
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@ -1,6 +1,11 @@
 version: "3"
 # NOTE: most generic tasks (static-analysis, format, lint, unit, snapshot, release,
 # changelog, ci-release, etc.) are now provided natively by anchore/go-make and
 # defined in .make/main.go. This file holds the syft-specific tasks that go-make
 # wraps via `wrap("<name>")` calls — keep descriptions (`desc:`) populated so they
 # show up in `make help`.
 includes:
  generate:cpe-index: ./task.d/generate/cpe-index.yaml
@ -25,11 +30,7 @@ vars:
  YQ: "{{ .TOOL_DIR }}/yq"
  TASK: "{{ .TOOL_DIR }}/task"
-  # used for changelog generation
+  # used for snapshot bin discovery in compare/install tasks
  CHANGELOG: CHANGELOG.md
  NEXT_VERSION: VERSION
  # used for snapshot builds
  OS:
    sh: uname -s | tr '[:upper:]' '[:lower:]'
  ARCH:
@ -42,11 +43,6 @@ vars:
  # e.g. when installing snapshot debs from a local path, ./ forces the deb to be installed in the current working directory instead of referencing a package name
  SNAPSHOT_DIR: ./snapshot
  SNAPSHOT_BIN: "{{ .PROJECT_ROOT }}/{{ .SNAPSHOT_DIR }}/{{ .OS }}-build_{{ .OS }}_{{ .ARCH }}/{{ .PROJECT }}"
  SNAPSHOT_CMD: "{{ .TOOL_DIR }}/goreleaser release --config {{ .TMP_DIR }}/goreleaser.yaml --clean --snapshot --skip=publish --skip=sign"
  BUILD_CMD:    "{{ .TOOL_DIR }}/goreleaser build   --config {{ .TMP_DIR }}/goreleaser.yaml --clean --snapshot --single-target"
  RELEASE_CMD:  "{{ .TOOL_DIR }}/goreleaser release --clean --release-notes {{ .CHANGELOG }}"
  VERSION:
    sh: git describe --dirty --always --tags
  # used for install and acceptance testing
  COMPARE_DIR: ./test/compare
@ -57,43 +53,10 @@ env:
 tasks:
-  ## High-level tasks #################################
+  ## Bootstrap (internal helpers used by other Taskfile tasks) ###############
  default:
    desc: Run all validation tasks
    aliases:
      - pr-validations
      - validations
    cmds:
      - task: static-analysis
      - task: test
      - task: install-test
  static-analysis:
    desc: Run all static analysis tasks
    cmds:
      - task: check-go-mod-tidy
      - task: check-licenses
      - task: lint
      - task: check-json-schema-drift
      - task: check-binary-fixture-size
  test:
    desc: Run all levels of test
    cmds:
      - task: unit
      - task: integration
      - task: validate-cyclonedx-schema
      - task: test-utils
      - task: snapshot
      - task: cli
      - task: check-docker-cache
  ## Bootstrap tasks #################################
  binny:
    internal: true
    # desc: Get the binny tool
    generates:
      - "{{ .TOOL_DIR }}/binny"
    status:
@ -102,10 +65,8 @@ tasks:
    silent: true
  tools:
-    desc: Install all tools needed for CI and local development
+    internal: true
    deps: [binny]
    aliases:
      - bootstrap
    generates:
      - ".binny.yaml"
      - "{{ .TOOL_DIR }}/*"
@ -114,79 +75,14 @@ tasks:
    cmd: "{{ .TOOL_DIR }}/binny install -v"
    silent: true
  update-tools:
    desc: Update pinned versions of all tools to their latest available versions
    deps: [binny]
    generates:
      - ".binny.yaml"
      - "{{ .TOOL_DIR }}/*"
    cmd: "{{ .TOOL_DIR }}/binny update -v"
    silent: true
  list-tools:
    desc: List all tools needed for CI and local development
    deps: [binny]
    cmd: "{{ .TOOL_DIR }}/binny list"
    silent: true
  list-tool-updates:
    desc: List all tools that are not up to date relative to the binny config
    deps: [binny]
    cmd: "{{ .TOOL_DIR }}/binny list --updates"
    silent: true
  tmpdir:
    internal: true
    silent: true
    generates:
      - "{{ .TMP_DIR }}"
    cmd: "mkdir -p {{ .TMP_DIR }}"
-  ## Static analysis tasks #################################
+  ## Static analysis extras #################################################
  format:
    desc: Auto-format all source code
    deps: [tools]
    cmds:
      - gofmt -w -s .
      - "{{ .TOOL_DIR }}/gosimports -local github.com/anchore -w ."
      - go mod tidy
  lint-fix:
    desc: Auto-format all source code + run golangci lint fixers
    deps: [tools]
    cmds:
      - task: format
      - "{{ .TOOL_DIR }}/golangci-lint run --tests=false --fix"
  lint:
    desc: Run gofmt + golangci lint checks
    vars:
      BAD_FMT_FILES:
        sh: gofmt -l -s .
      BAD_FILE_NAMES:
        sh: "find . | grep -e ':' || true"
    deps: [tools]
    cmds:
      # ensure there are no go fmt differences
      - cmd: 'test -z "{{ .BAD_FMT_FILES }}" || (echo "files with gofmt issues: [{{ .BAD_FMT_FILES }}]"; exit 1)'
        silent: true
      # ensure there are no files with ":" in it (a known back case in the go ecosystem)
      - cmd: 'test -z "{{ .BAD_FILE_NAMES }}" || (echo "files with bad names: [{{ .BAD_FILE_NAMES }}]"; exit 1)'
        silent: true
      # run linting
      - "{{ .TOOL_DIR }}/golangci-lint run --tests=false"
  check-licenses:
    # desc: Ensure transitive dependencies are compliant with the current license policy
    deps: [tools]
    cmd: "{{ .TOOL_DIR }}/bouncer check ./..."
  check-go-mod-tidy:
    # desc: Ensure go.mod and go.sum are up to date
    cmds:
      - cmd: .github/scripts/go-mod-tidy-check.sh && echo "go.mod and go.sum are tidy!"
        silent: true
  check-json-schema-drift:
    desc: Ensure there is no drift between the JSON schema and the code
@ -203,8 +99,8 @@ tasks:
    cmds:
      - .github/scripts/check_binary_fixture_size.sh syft/pkg/cataloger/binary/testdata/classifiers/snippets
  ## Test extras ############################################################
  ## Testing tasks #################################
  update-format-golden-files:
    desc: "Update golden (i.e. snapshot) files used by unit tests"
    cmds:
@ -214,59 +110,32 @@ tasks:
      - go test ./syft/format/cyclonedxjson -update-cyclonedx-json
      - go test ./syft/format/syftjson -update-json
  unit:
    desc: Run unit tests
    deps:
      - tmpdir
      - fixtures
    vars:
      TEST_PKGS:
        sh: "go list ./... | grep -v {{ .OWNER }}/{{ .PROJECT }}/test | grep -v {{ .OWNER }}/{{ .PROJECT }}/cmd/syft/internal/test | tr '\n' ' '"
      # unit test coverage threshold (in % coverage)
      COVERAGE_THRESHOLD: 62
    cmds:
      - task: clean-test-observations
      - "go test -coverprofile {{ .TMP_DIR }}/unit-coverage-details.txt {{ .TEST_PKGS }}"
      - cmd: ".github/scripts/coverage.py {{ .COVERAGE_THRESHOLD }} {{ .TMP_DIR }}/unit-coverage-details.txt"
        silent: true
  integration:
    desc: Run integration tests
    cmds:
      - "go test -v ./cmd/syft/internal/test/integration"
      # exercise most of the CLI with the data race detector
      # we use a larger image to ensure we're using multiple catalogers at a time
      - "go run -race cmd/syft/main.go anchore/test_images:grype-quality-dotnet-69f15d2"
  validate-cyclonedx-schema:
    desc: Validate that Syft produces valid CycloneDX documents
    cmds:
      - "cd schema/cyclonedx && make"
  cli:
    desc: Run CLI tests
    deps: [tools]
    cmds:
      - cmd: "echo 'testing binary: {{ .SNAPSHOT_BIN }}'"
        silent: true
      - cmd: "test -f {{ .SNAPSHOT_BIN }} || (find {{ .SNAPSHOT_DIR }} && echo '\nno snapshot found for {{ .SNAPSHOT_BIN }}' && false)"
        silent: true
      - "go test -count=1 -timeout=15m -v ./test/cli"
    env:
      SYFT_BINARY_LOCATION: "{{ .SNAPSHOT_BIN }}"
  test-utils:
    desc: Run tests for pipeline utils
    cmds:
      - cmd: .github/scripts/labeler_test.py
  snapshot-smoke-test:
    desc: Run a smoke test on the snapshot builds + docker images
    cmds:
      - cmd: "echo 'testing snapshot binary: {{ .SNAPSHOT_BIN }}'"
        silent: true
      - cmd: "test -f {{ .SNAPSHOT_BIN }} || (find {{ .SNAPSHOT_DIR }} && echo '\nno snapshot found for {{ .SNAPSHOT_BIN }}' && false)"
        silent: true
      - "{{ .SNAPSHOT_BIN }} version"
      - "{{ .SNAPSHOT_BIN }} scan alpine:latest"
      - docker run --rm anchore/syft:latest version
      - docker run --rm anchore/syft:latest scan alpine:latest
-  ## Test-fixture-related targets #################################
+  ## Test-fixture-related targets ###########################################
  fingerprints:
-    desc: Generate fingerprints for all non-docker test fixture
+    desc: Generate fingerprints for all non-docker test fixtures
    silent: true
    # this will look for `testdata/Makefile` and invoke the `fingerprint` target to calculate all cache input fingerprint files
    generates:
@ -281,16 +150,10 @@ tasks:
        echo -e "${YELLOW}creating fingerprint files for non-docker fixtures...${RESET}"
        for dir in $(find . -type d -name 'testdata'); do
          if [ -f "$dir/Makefile" ]; then
            # for debugging...
            #echo -e "${YELLOW}• calculating fingerprints in $dir... ${RESET}"
            (make -C "$dir" fingerprint)
          fi
        done
        # for debugging...
        # echo -e "generated all fixture fingerprints"
      - .github/scripts/fingerprint_docker_fixtures.py
      - |
        # if DOWNLOAD_TEST_FIXTURE_CACHE is set to 'false', then we don't need to calculate the fingerprint for the cache
@ -432,6 +295,7 @@ tasks:
      eval $oras_command
  show-test-image-cache:
    desc: Print the on-disk + docker daemon state of the stereoscope fixture image cache
    silent: true
    cmds:
      - "echo 'Docker daemon cache:'"
@ -452,28 +316,36 @@ tasks:
        exit 1
      fi
-  ## install.sh testing targets #################################
+  ## install.sh testing targets #############################################
  install-test:
    desc: Run install.sh test suite (delegates to test/install/Makefile)
    cmds:
      - "cd test/install && make"
  install-test-cache-save:
    desc: Save the install.sh test image cache (delegates to test/install/Makefile)
    cmds:
      - "cd test/install && make save"
  install-test-cache-load:
    desc: Load the install.sh test image cache (delegates to test/install/Makefile)
    cmds:
      - "cd test/install && make load"
  install-test-ci-mac:
    desc: Run install.sh CI test suite on macOS (delegates to test/install/Makefile)
    cmds:
      - "cd test/install && make ci-test-mac"
  ## Compare-test targets ###################################################
  generate-compare-file:
    desc: Generate the acceptance comparison reference JSON for the current compare image
    cmd: "go run ./cmd/syft {{ .COMPARE_TEST_IMAGE }} -o json > {{ .COMPARE_DIR }}/testdata/acceptance-{{ .COMPARE_TEST_IMAGE }}.json"
  compare-mac:
    desc: Run macOS install + acceptance comparison against the snapshot build
    deps: [tmpdir]
    cmd: |
      {{ .COMPARE_DIR }}/mac.sh \
@ -483,11 +355,13 @@ tasks:
        {{ .TMP_DIR }}
  compare-linux:
    desc: Run Linux install + acceptance comparison (deb + rpm) against the snapshot build
    cmds:
      - task: compare-test-deb-package-install
      - task: compare-test-rpm-package-install
  compare-test-deb-package-install:
    desc: Run Linux .deb install + acceptance comparison against the snapshot build
    deps: [tmpdir]
    cmd: |
      {{ .COMPARE_DIR }}/deb.sh \
@ -497,6 +371,7 @@ tasks:
        {{ .TMP_DIR }}
  compare-test-rpm-package-install:
    desc: Run Linux .rpm install + acceptance comparison against the snapshot build
    deps: [tmpdir]
    cmd: |
      {{ .COMPARE_DIR }}/rpm.sh \
@ -506,7 +381,7 @@ tasks:
        {{ .TMP_DIR }}
-  ## Code and data generation targets #################################
+  ## Code and data generation targets ######################################
  generate:
    desc: Add data generation tasks
@ -556,104 +431,7 @@ tasks:
      - "SYFT_ENABLE_COMPLETENESS_TESTS=true go test -p 1 ./internal/capabilities/... -count=1"
-  ## Build-related targets #################################
+  ## Cleanup targets ########################################################
  build:
    desc: Build the project
    deps: [tools, tmpdir]
    generates:
      - "{{ .PROJECT }}"
    cmds:
      - silent: true
        cmd: |
          echo "dist: {{ .SNAPSHOT_DIR }}" > {{ .TMP_DIR }}/goreleaser.yaml
          cat .goreleaser.yaml >> {{ .TMP_DIR }}/goreleaser.yaml
      - "{{ .BUILD_CMD }}"
  snapshot:
    desc: Create a snapshot release
    aliases:
      - build
    deps: [tools, tmpdir]
    sources:
      - cmd/**/*.go
      - syft/**/*.go
      - internal/**/*.go
    method: checksum
    generates:
      - "{{ .SNAPSHOT_BIN }}"
    cmds:
      - silent: true
        cmd: |
          echo "dist: {{ .SNAPSHOT_DIR }}" > {{ .TMP_DIR }}/goreleaser.yaml
          cat .goreleaser.yaml >> {{ .TMP_DIR }}/goreleaser.yaml
      - "{{ .SNAPSHOT_CMD }}"
  snapshot-smoke-test:
    desc: Run a smoke test on the snapshot builds + docker images
    cmds:
      - cmd: "echo 'testing snapshot binary: {{ .SNAPSHOT_BIN }}'"
        silent: true
      - cmd: "test -f {{ .SNAPSHOT_BIN }} || (find {{ .SNAPSHOT_DIR }} && echo '\nno snapshot found for {{ .SNAPSHOT_BIN }}' && false)"
        silent: true
      - "{{ .SNAPSHOT_BIN }} version"
      - "{{ .SNAPSHOT_BIN }} scan alpine:latest"
      - docker run --rm anchore/syft:latest version
      - docker run --rm anchore/syft:latest scan alpine:latest
  changelog:
    desc: Generate a changelog
    deps: [tools]
    generates:
      - "{{ .CHANGELOG }}"
      - "{{ .NEXT_VERSION }}"
    cmds:
      - "{{ .TOOL_DIR }}/chronicle -vv -n --version-file {{ .NEXT_VERSION }} > {{ .CHANGELOG }}"
      - "{{ .TOOL_DIR }}/glow -w 0 {{ .CHANGELOG }}"
  ## Release targets #################################
  release:
    desc: Create a release
    interactive: true
    deps: [tools]
    cmds:
      - cmd: .github/scripts/trigger-release.sh
        silent: true
  ## CI-only targets #################################
  ci-check:
    # desc: "[CI only] Are you in CI?"
    cmds:
      - cmd: .github/scripts/ci-check.sh
        silent: true
  ci-release:
    # desc: "[CI only] Create a release"
    deps: [tools]
    cmds:
      - task: ci-check
      - "{{ .TOOL_DIR }}/chronicle -vvv > CHANGELOG.md"
      - cmd: "cat CHANGELOG.md"
        silent: true
      - "{{ .RELEASE_CMD }}"
  ## Cleanup targets #################################
  clean:
    desc: Remove all cache files and old builds
    cmds:
      - task: clean-snapshot
      - task: clean-cache
      - task: clean-test-observations
      - task: clean-docker-cache
      - task: clean-oras-cache
  clean-snapshot:
    desc: Remove any snapshot builds
@ -675,6 +453,7 @@ tasks:
    desc: Remove all image docker tar cache, images from the docker daemon, and ephemeral test fixtures
    cmds:
      - task: clean-docker-cache
      - task: prune-orphan-fingerprints
      - |
        BOLD='\033[1m'
        YELLOW='\033[0;33m'
@ -690,6 +469,12 @@ tasks:
        echo -e "${BOLD}Deleted all ephemeral test fixtures${RESET}"
      - rm -f {{ .LAST_CACHE_PULL_FILE }} {{ .CACHE_PATHS_FILE }}
  prune-orphan-fingerprints:
    desc: Remove *.fingerprint files left behind by moved/deleted catalogers
    silent: true
    cmds:
      - .github/scripts/prune_orphan_fingerprints.py
  clean-test-observations:
    desc: Remove all test observations (i.e. testdata/test-observations.json)
    cmds:
--- a/go.mod
+++ b/go.mod
@ -1,11 +1,11 @@
 module github.com/anchore/syft
-go 1.25.8
+go 1.26.3
 require (
 	github.com/BurntSushi/toml v1.6.0
-	github.com/CycloneDX/cyclonedx-go v0.10.0
+	github.com/CycloneDX/cyclonedx-go v0.11.0
-	github.com/Masterminds/semver/v3 v3.4.0
+	github.com/Masterminds/semver/v3 v3.5.0
 	github.com/Masterminds/sprig/v3 v3.3.0
 	github.com/OneOfOne/xxhash v1.2.8
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
@ -22,7 +22,7 @@ require (
 	github.com/anchore/go-sync v0.1.0
 	github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
 	github.com/anchore/packageurl-go v0.2.0
-	github.com/anchore/stereoscope v0.1.23
+	github.com/anchore/stereoscope v0.2.1
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
 	github.com/aquasecurity/go-pep440-version v0.0.1
 	github.com/bitnami/go-version v0.0.0-20250131085805-b1f57a8634ef
@ -34,34 +34,35 @@ require (
 	github.com/charmbracelet/lipgloss v1.1.0
 	github.com/dave/jennifer v1.7.1
 	github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da
-	github.com/diskfs/go-diskfs v1.7.0
+	github.com/diskfs/go-diskfs v1.9.3
 	github.com/distribution/reference v0.6.0
 	github.com/dustin/go-humanize v1.0.1
 	github.com/elliotchance/phpserialize v1.4.0
 	github.com/facebookincubator/nvdtools v0.1.5
-	github.com/github/go-spdx/v2 v2.4.0
+	github.com/github/go-spdx/v2 v2.7.0
-	github.com/gkampitakis/go-snaps v0.5.21
+	github.com/gkampitakis/go-snaps v0.5.22
-	github.com/go-git/go-billy/v5 v5.8.0
+	github.com/go-git/go-billy/v5 v5.9.0
-	github.com/go-git/go-git/v5 v5.18.0
+	github.com/go-git/go-git/v5 v5.19.1
 	github.com/go-test/deep v1.1.1
 	github.com/go-viper/mapstructure/v2 v2.5.0
 	github.com/goccy/go-yaml v1.19.2
 	github.com/gohugoio/hashstructure v0.6.0
 	github.com/google/go-cmp v0.7.0
-	github.com/google/go-containerregistry v0.21.5
+	github.com/google/go-containerregistry v0.21.6
 	github.com/google/licensecheck v0.3.1
 	github.com/google/uuid v1.6.0
-	github.com/gookit/color v1.6.0
+	github.com/gookit/color v1.6.1
-	github.com/gpustack/gguf-parser-go v0.24.0
+	github.com/gpustack/gguf-parser-go v0.24.1
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-getter v1.8.6
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/hcl/v2 v2.24.0
 	github.com/iancoleman/strcase v0.3.0
-	github.com/invopop/jsonschema v0.13.0
+	github.com/invopop/jsonschema v0.14.0
-	github.com/jedib0t/go-pretty/v6 v6.7.8
+	github.com/jedib0t/go-pretty/v6 v6.7.10
 	github.com/jinzhu/copier v0.4.0
 	github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953
 	github.com/klauspost/compress v1.18.6
 	github.com/magiconair/properties v1.8.10
 	github.com/mholt/archives v0.1.5
 	github.com/moby/sys/mountinfo v0.7.2
@ -87,18 +88,22 @@ require (
 	github.com/vifraa/gopom v1.0.0
 	github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651
 	github.com/wagoodman/go-progress v0.0.0-20260303201901-10176f79b2c0
 	github.com/wk8/go-ordered-map/v2 v2.1.8
 	github.com/xeipuuv/gojsonschema v1.2.0
 	github.com/zyedidia/generic v1.2.2-0.20230320175451-4410d2372cb1
 	go.uber.org/goleak v1.3.0
 	go.yaml.in/yaml/v3 v3.0.4
-	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
+	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
-	golang.org/x/mod v0.35.0
+	golang.org/x/mod v0.36.0
-	golang.org/x/net v0.53.0
+	golang.org/x/net v0.55.0
 	golang.org/x/time v0.15.0
-	golang.org/x/tools v0.44.0
+	golang.org/x/tools v0.45.0
 	gopkg.in/yaml.v3 v3.0.1
-	modernc.org/sqlite v1.46.2
+	modernc.org/sqlite v1.51.0
 )
 require (
 	github.com/pb33f/ordered-map/v2 v2.3.1
 	github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd
 )
 require (
@ -110,15 +115,14 @@ require (
 	cloud.google.com/go/iam v1.5.3 // indirect
 	cloud.google.com/go/monitoring v1.24.3 // indirect
 	cloud.google.com/go/storage v1.61.3 // indirect
 	cyphar.com/go-pathrs v0.2.1 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	github.com/DataDog/zstd v1.5.5 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Microsoft/go-winio v0.6.3-0.20251027160822-ad3df93bed29 // indirect
-	github.com/Microsoft/hcsshim v0.14.0-rc.1 // indirect
+	github.com/Microsoft/hcsshim v0.15.0-rc.1 // indirect
 	github.com/ProtonMail/go-crypto v1.4.0 // indirect
 	github.com/STARRY-S/zip v0.2.3 // indirect
 	github.com/agext/levenshtein v1.2.1 // indirect
@ -164,24 +168,23 @@ require (
 	github.com/clipperhouse/uax29/v2 v2.6.0 // indirect
 	github.com/cloudflare/circl v1.6.3 // indirect
 	github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
-	github.com/containerd/cgroups/v3 v3.1.2 // indirect
+	github.com/containerd/cgroups/v3 v3.1.3 // indirect
-	github.com/containerd/containerd/api v1.10.0 // indirect
+	github.com/containerd/containerd/api v1.11.1 // indirect
-	github.com/containerd/containerd/v2 v2.2.2 // indirect
+	github.com/containerd/containerd/v2 v2.3.1 // indirect
-	github.com/containerd/continuity v0.4.5 // indirect
+	github.com/containerd/continuity v0.5.0 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/fifo v1.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v1.0.0-rc.4 // indirect
-	github.com/containerd/plugin v1.0.0 // indirect
+	github.com/containerd/plugin v1.1.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.18.2 // indirect
+	github.com/containerd/ttrpc v1.2.8 // indirect
 	github.com/containerd/ttrpc v1.2.7 // indirect
 	github.com/containerd/typeurl/v2 v2.2.3 // indirect
-	github.com/cyphar/filepath-securejoin v0.6.0 // indirect
+	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/docker/cli v29.4.0+incompatible // indirect
+	github.com/docker/cli v29.4.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.5 // indirect
-	github.com/docker/go-connections v0.6.0 // indirect
+	github.com/docker/go-connections v0.7.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
@ -193,7 +196,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
-	github.com/gkampitakis/ciinfo v0.3.2 // indirect
+	github.com/gkampitakis/ciinfo v0.3.4 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
@ -215,13 +218,12 @@ require (
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.18.5 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/maruel/natural v1.3.0 // indirect
 	github.com/maruel/natural v1.1.1 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.2-0.20220822084749-2491eb6c1c75 // indirect
@ -235,8 +237,8 @@ require (
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
-	github.com/moby/moby/api v1.54.1 // indirect
+	github.com/moby/moby/api v1.54.2 // indirect
-	github.com/moby/moby/client v0.4.0 // indirect
+	github.com/moby/moby/client v0.4.1 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/moby/sys/signal v0.7.1 // indirect
 	github.com/moby/sys/user v0.4.0 // indirect
@ -253,14 +255,13 @@ require (
 	github.com/olekukonko/ll v0.1.6 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opencontainers/runtime-spec v1.3.0 // indirect
 	github.com/opencontainers/selinux v1.13.1 // indirect
 	github.com/pborman/indent v1.2.1 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/pelletier/go-toml/v2 v2.3.1 // indirect
-	github.com/pierrec/lz4/v4 v4.1.22 // indirect
+	github.com/pierrec/lz4/v4 v4.1.26 // indirect
-	github.com/pjbgf/sha1cd v0.3.2 // indirect
+	github.com/pjbgf/sha1cd v0.6.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/profile v1.7.0 // indirect
-	github.com/pkg/xattr v0.4.9 // indirect
+	github.com/pkg/xattr v0.4.12 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
@ -283,11 +284,10 @@ require (
 	github.com/sylabs/sif/v2 v2.24.0 // indirect
 	github.com/sylabs/squashfs v1.0.6 // indirect
 	github.com/therootcompany/xz v1.0.1 // indirect
-	github.com/tidwall/gjson v1.18.0 // indirect
+	github.com/tidwall/gjson v1.19.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tidwall/sjson v1.2.5 // indirect
 	github.com/vbatts/tar-split v0.12.2 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
@ -297,30 +297,31 @@ require (
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.68.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 // indirect
 	go.opentelemetry.io/otel v1.43.0 // indirect
 	go.opentelemetry.io/otel/metric v1.43.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
 	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.yaml.in/yaml/v4 v4.0.0-rc.2 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
-	golang.org/x/crypto v0.50.0 // indirect
+	golang.org/x/crypto v0.52.0 // indirect
 	golang.org/x/oauth2 v0.36.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
-	golang.org/x/term v0.42.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
-	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
-	gonum.org/v1/gonum v0.16.0 // indirect
+	gonum.org/v1/gonum v0.17.0 // indirect
 	google.golang.org/api v0.271.0 // indirect
 	google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d // indirect
-	google.golang.org/grpc v1.79.3 // indirect
+	google.golang.org/grpc v1.80.0 // indirect
-	google.golang.org/protobuf v1.36.11 // indirect
+	google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	modernc.org/libc v1.70.0 // indirect
+	modernc.org/libc v1.72.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -67,8 +67,6 @@ cloud.google.com/go/storage v1.61.3 h1:VS//ZfBuPGDvakfD9xyPW1RGF1Vy3BWUoVZXgW1KM
 cloud.google.com/go/storage v1.61.3/go.mod h1:JtqK8BBB7TWv0HVGHubtUdzYYrakOQIsMLffZ2Z/HWk=
 cloud.google.com/go/trace v1.11.7 h1:kDNDX8JkaAG3R2nq1lIdkb7FCSi1rCmsEtKVsty7p+U=
 cloud.google.com/go/trace v1.11.7/go.mod h1:TNn9d5V3fQVf6s4SCveVMIBS2LJUqo73GACmq/Tky0s=
 cyphar.com/go-pathrs v0.2.1 h1:9nx1vOgwVvX1mNBWDu93+vaceedpbsDqo+XuBGL40b8=
 cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
@ -79,13 +77,13 @@ github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbi
 github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
 github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.10.0 h1:7xyklU7YD+CUyGzSFIARG18NYLsKVn4QFg04qSsu+7Y=
+github.com/CycloneDX/cyclonedx-go v0.11.0 h1:GokP8FiRC+foiuwWhSSLpSD5H4hSWtGnR3wo7apkBFI=
-github.com/CycloneDX/cyclonedx-go v0.10.0/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8=
+github.com/CycloneDX/cyclonedx-go v0.11.0/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/DataDog/zstd v1.5.5 h1:oWf5W7GtOLgp6bciQYDmhHHjdhYkALu6S/5Ni9ZgSvQ=
 github.com/DataDog/zstd v1.5.5/go.mod h1:g4AWEaM3yOg3HYfnJ3YIawPnVdXJh9QME85blwSAmyw=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 h1:sBEjpZlNHzK1voKq9695PJSX2o5NEXl7/OL3coiIY0c=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 h1:DHa2U07rk8syqvCge0QIGMCE1WxGj9njT44GH7zNJLQ=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0 h1:UnDZ/zFfG1JhH/DqxIZYU/1CUAlTUScoXD/LcM2Ykk8=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0/go.mod h1:IA1C1U7jO/ENqm/vhi7V9YYpBsp+IMyqNrEN94N7tVc=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.55.0 h1:7t/qx5Ost0s0wbA/VDrByOooURhp+ikYwv20i9Y07TQ=
@ -94,15 +92,15 @@ github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapp
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0/go.mod h1:Mf6O40IAyB9zR/1J8nGDDPirZQQPbYJni8Yisy7NTMc=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.5.0 h1:kQceYJfbupGfZOKZQg0kou0DgAKhzDg2NZPAwZ/2OOE=
-github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Masterminds/semver/v3 v3.5.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
 github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.3-0.20251027160822-ad3df93bed29 h1:0kQAzHq8vLs7Pptv+7TxjdETLf/nIqJpIB4oC6Ba4vY=
-github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/Microsoft/go-winio v0.6.3-0.20251027160822-ad3df93bed29/go.mod h1:ZWa7ssZJT30CCDGJ7fk/2SBTq9BIQrrVjrcss0UW2s0=
-github.com/Microsoft/hcsshim v0.14.0-rc.1 h1:qAPXKwGOkVn8LlqgBN8GS0bxZ83hOJpcjxzmlQKxKsQ=
+github.com/Microsoft/hcsshim v0.15.0-rc.1 h1:FbbwtQmiD+BVHynGkx5S65JkLyhkEiiTP8nrpmg2SZw=
-github.com/Microsoft/hcsshim v0.14.0-rc.1/go.mod h1:hTKFGbnDtQb1wHiOWv4v0eN+7boSWAHyK/tNAaYZL0c=
+github.com/Microsoft/hcsshim v0.15.0-rc.1/go.mod h1:HWvvUPIy9HF6LotILj1G4VyS065rcLQ6tqj6tMUdOfI=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
 github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
@ -148,8 +146,8 @@ github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZV
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
 github.com/anchore/packageurl-go v0.2.0 h1:CkrM4RMUwrEGAiE1OVlxaZNzWj0TuHRey7o4T/EAErk=
 github.com/anchore/packageurl-go v0.2.0/go.mod h1:2JCgOQMIsqZ7TmliXG4PnUthPJAKE3mWQbsW2XHjAOE=
-github.com/anchore/stereoscope v0.1.23 h1:q9i3CtbicTuSlcCnA+5pfoT9WDCEoSqvXDfHMH1hyWo=
+github.com/anchore/stereoscope v0.2.1 h1:x9c4LCPGh53tKDAQ22RqEUftEnL7tphJavSRke/aICE=
-github.com/anchore/stereoscope v0.1.23/go.mod h1:JLnun49fkLkuv3ebU0ROvFl/0JiRmNmUtCzc6y4ollo=
+github.com/anchore/stereoscope v0.2.1/go.mod h1:PYx3fD4lvBVsYoQ/fBdauhZ5hmkRrJgw1B73svKx7/U=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
 github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
@ -294,14 +292,14 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w=
 github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
-github.com/containerd/cgroups/v3 v3.1.2 h1:OSosXMtkhI6Qove637tg1XgK4q+DhR0mX8Wi8EhrHa4=
+github.com/containerd/cgroups/v3 v3.1.3 h1:eUNflyMddm18+yrDmZPn3jI7C5hJ9ahABE5q6dyLYXQ=
-github.com/containerd/cgroups/v3 v3.1.2/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw=
+github.com/containerd/cgroups/v3 v3.1.3/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw=
-github.com/containerd/containerd/api v1.10.0 h1:5n0oHYVBwN4VhoX9fFykCV9dF1/BvAXeg2F8W6UYq1o=
+github.com/containerd/containerd/api v1.11.1 h1:h8nfoDW9+fNsC/9TwiAHj8B1GzXKtR4eFtkhi/X5RLU=
-github.com/containerd/containerd/api v1.10.0/go.mod h1:NBm1OAk8ZL+LG8R0ceObGxT5hbUYj7CzTmR3xh0DlMM=
+github.com/containerd/containerd/api v1.11.1/go.mod h1:CaQFRu+N1MtbgL6JDOJLUB1hCKESU1lD6MuTJhgtdlw=
-github.com/containerd/containerd/v2 v2.2.2 h1:mjVQdtfryzT7lOqs5EYUFZm8ioPVjOpkSoG1GJPxEMY=
+github.com/containerd/containerd/v2 v2.3.1 h1:4dVXBdlvotRBlaP2TmNbY/EGc06KJrMDDUqQdxX/HOk=
-github.com/containerd/containerd/v2 v2.2.2/go.mod h1:5Jhevmv6/2J+Iu/A2xXAdUIdI5Ah/hfyO7okJ4AFIdY=
+github.com/containerd/containerd/v2 v2.3.1/go.mod h1:xVoxGPWZBwwph8DF2IbDhriLKdHfjdpO0b3wFP9wQ1I=
-github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
+github.com/containerd/continuity v0.5.0 h1:7a85HZpCSs+1Zps0Ee3DPSuAWY+0SJM1JNM51nlEVDg=
-github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
+github.com/containerd/continuity v0.5.0/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
 github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
@ -312,12 +310,10 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/platforms v1.0.0-rc.4 h1:M42JrUT4zfZTqtkUwkr0GzmUWbfyO5VO0Q5b3op97T4=
 github.com/containerd/platforms v1.0.0-rc.4/go.mod h1:lKlMXyLybmBedS/JJm11uDofzI8L2v0J2ZbYvNsbq1A=
-github.com/containerd/plugin v1.0.0 h1:c8Kf1TNl6+e2TtMHZt+39yAPDbouRH9WAToRjex483Y=
+github.com/containerd/plugin v1.1.0 h1:O+7lczNJVMy8rz0YNx3xGB8tTf5qY4i5abF041Ew19U=
-github.com/containerd/plugin v1.0.0/go.mod h1:hQfJe5nmWfImiqT1q8Si3jLv3ynMUIBB47bQ+KexvO8=
+github.com/containerd/plugin v1.1.0/go.mod h1:qBTum+A8lJ6lO44A19Eo7y1OlcLj4OWFH1DA/vnHmcc=
-github.com/containerd/stargz-snapshotter/estargz v0.18.2 h1:yXkZFYIzz3eoLwlTUZKz2iQ4MrckBxJjkmD16ynUTrw=
+github.com/containerd/ttrpc v1.2.8 h1:xbVu6D4qF2jihdh9rDVOKqUMiFBQk6YctTdo1zk087Y=
-github.com/containerd/stargz-snapshotter/estargz v0.18.2/go.mod h1:XyVU5tcJ3PRpkA9XS2T5us6Eg35yM0214Y+wvrZTBrY=
+github.com/containerd/ttrpc v1.2.8/go.mod h1:wyZW2K79t4Hfcxl+GUvkZqRBzJlqFFvgEeeWXa42tyE=
 github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ=
 github.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
 github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
 github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@ -325,8 +321,8 @@ github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV
 github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cyphar/filepath-securejoin v0.6.0 h1:BtGB77njd6SVO6VztOHfPxKitJvd/VPT+OFBFMOi1Is=
+github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
-github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
+github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/dave/jennifer v1.7.1 h1:B4jJJDHelWcDhlRQxWeo0Npa/pYKBLrirAQoTN45txo=
 github.com/dave/jennifer v1.7.1/go.mod h1:nXbxhEmQfOZhWml3D1cDK5M1FLnMSozpbFN/m3RmGZc=
 github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -337,18 +333,18 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8Yc
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da h1:ZOjWpVsFZ06eIhnh4mkaceTiVoktdU67+M7KDHJ268M=
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da/go.mod h1:B3tI9iGHi4imdLi4Asdha1Sc6feLMTfPLXh9IUYmysk=
 github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
-github.com/diskfs/go-diskfs v1.7.0 h1:vonWmt5CMowXwUc79jWyGrf2DIMeoOjkLlMnQYGVOs8=
+github.com/diskfs/go-diskfs v1.9.3 h1:cLciNCeZ4QAXVxyPJDr1ZJ9N9CCG3rQlQ/z/Cs/cNDM=
-github.com/diskfs/go-diskfs v1.7.0/go.mod h1:LhQyXqOugWFRahYUSw47NyZJPezFzB9UELwhpszLP/k=
+github.com/diskfs/go-diskfs v1.9.3/go.mod h1:TePJORO83Adh5pb2SqsxAwaP0fofFxKLkxctiS/9OQc=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v29.4.0+incompatible h1:+IjXULMetlvWJiuSI0Nbor36lcJ5BTcVpUmB21KBoVM=
+github.com/docker/cli v29.4.3+incompatible h1:u+UliYm2J/rYrIh2FqHQg32neRG8GjbvNuwQRTzGspU=
-github.com/docker/cli v29.4.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.4.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/docker-credential-helpers v0.9.5 h1:EFNN8DHvaiK8zVqFA2DT6BjXE0GzfLOZ38ggPTKePkY=
 github.com/docker/docker-credential-helpers v0.9.5/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c=
-github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.7.0 h1:6SsRfJddP22WMrCkj19x9WKjEDTB+ahsdiGYf0mN39c=
-github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
+github.com/docker/go-connections v0.7.0/go.mod h1:no1qkHdjq7kLMGUXYAduOhYPSJxxvgWBh7ogVvptn3Q=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 h1:2tV76y6Q9BB+NEBasnqvs7e49aEBFI8ejC89PSnWH+4=
@ -360,8 +356,8 @@ github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o
 github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/elliotchance/phpserialize v1.4.0 h1:cAp/9+KSnEbUC8oYCE32n2n84BeW8HOY3HMDI8hG2OY=
 github.com/elliotchance/phpserialize v1.4.0/go.mod h1:gt7XX9+ETUcLXbtTKEuyrqW3lcLUAeS/AnGZ2e49TZs=
-github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab h1:h1UgjJdAAhj+uPL68n7XASS6bU+07ZX1WJvVS2eyoeY=
+github.com/elliotwutingfeng/asciiset v0.0.0-20260129054604-cfde2086bc57 h1:x5yxNrq8XffV/OoNUeFPM6hxHVi5OTspSTBxr/9pemg=
-github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=
+github.com/elliotwutingfeng/asciiset v0.0.0-20260129054604-cfde2086bc57/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@ -385,6 +381,8 @@ github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg
 github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
 github.com/erofs/go-erofs v0.3.0 h1:o/W5ABAA3sHYl97WL93dacKEfeDpJhdFf3c2snAti7I=
 github.com/erofs/go-erofs v0.3.0/go.mod h1:XkSeN9MHszGd4+3gcEjadJLYHCQpWzJ7/8yznzMuzJs=
 github.com/facebookincubator/flog v0.0.0-20190930132826-d2511d0ce33c/go.mod h1:QGzNH9ujQ2ZUr/CjDGZGWeDAVStrWNjHeEcjJL96Nuk=
 github.com/facebookincubator/nvdtools v0.1.5 h1:jbmDT1nd6+k+rlvKhnkgMokrCAzHoASWE5LtHbX2qFQ=
 github.com/facebookincubator/nvdtools v0.1.5/go.mod h1:Kh55SAWnjckS96TBSrXI99KrEKH4iB0OJby3N8GRJO4=
@ -408,24 +406,24 @@ github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8
 github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
 github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/github/go-spdx/v2 v2.4.0 h1:+4IwVwJJbm3rzvrQ6P1nI9BDMcy3la4RchRy5uehV/M=
+github.com/github/go-spdx/v2 v2.7.0 h1:GzfXx4wFdlilARxmFRXW/mgUy3A4vSqZocCMFV6XFdQ=
-github.com/github/go-spdx/v2 v2.4.0/go.mod h1:/5rwgS0txhGtRdUZwc02bTglzg6HK3FfuEbECKlK2Sg=
+github.com/github/go-spdx/v2 v2.7.0/go.mod h1:Ftc45YYG1WzpzwEPKRVm9Jv8vDqOrN4gWoCkK+bHer0=
-github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs=
+github.com/gkampitakis/ciinfo v0.3.4 h1:5eBSibVuSMbb/H6Elc0IIEFbkzCJi3lm94n0+U7Z0KY=
-github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
+github.com/gkampitakis/ciinfo v0.3.4/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
-github.com/gkampitakis/go-snaps v0.5.21 h1:SvhSFeZviQXwlT+dnGyAIATVehkhqRVW6qfQZhCZH+Y=
+github.com/gkampitakis/go-snaps v0.5.22 h1:xg9omphRnbDnimMCl1KqznC4krlxOGpkB0vDSfX2P7M=
-github.com/gkampitakis/go-snaps v0.5.21/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs=
+github.com/gkampitakis/go-snaps v0.5.22/go.mod h1:uy3lVzCCRRsAwYqSocyw5fY8xRLCYEfqoOJNxr8HonM=
 github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4=
 github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDzZG0=
+github.com/go-git/go-billy/v5 v5.9.0 h1:jItGXszUDRtR/AlferWPTMN4j38BQ88XnXKbilmmBPA=
-github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=
+github.com/go-git/go-billy/v5 v5.9.0/go.mod h1:jCnQMLj9eUgGU7+ludSTYoZL/GGmii14RxKFj7ROgHw=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.18.0 h1:O831KI+0PR51hM2kep6T8k+w0/LIAD490gvqMCvL5hM=
+github.com/go-git/go-git/v5 v5.19.1 h1:nX27AnaU43/K5bKktKwgBmR9lawoYVe1Ckg0rgzzN00=
-github.com/go-git/go-git/v5 v5.18.0/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo=
+github.com/go-git/go-git/v5 v5.19.1/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@ -511,8 +509,8 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-containerregistry v0.21.5 h1:KTJG9Pn/jC0VdZR6ctV3/jcN+q6/Iqlx0sTVz3ywZlM=
+github.com/google/go-containerregistry v0.21.6 h1:T+yqQIlJXKrM98Om4DlW3GoWQAmhZuLMwoDOvVrtiUM=
-github.com/google/go-containerregistry v0.21.5/go.mod h1:ySvMuiWg+dOsRW0Hw8GYwfMwBlNRTmpYBFJPlkco5zU=
+github.com/google/go-containerregistry v0.21.6/go.mod h1:U7MMSBIJynke2MVQrQk19NP9k/uQsGz/h0amIFSHMbo=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/licensecheck v0.3.1 h1:QoxgoDkaeC4nFrtGN1jV7IPmDCHFNIVh54e5hSt6sPs=
 github.com/google/licensecheck v0.3.1/go.mod h1:ORkR35t/JjW+emNKtfJDII0zlciG9JgbT7SmsohlHmY=
@ -558,10 +556,10 @@ github.com/googleapis/gax-go/v2 v2.17.0/go.mod h1:mzaqghpQp4JDh3HvADwrat+6M3MOID
 github.com/gookit/assert v0.1.1 h1:lh3GcawXe/p+cU7ESTZ5Ui3Sm/x8JWpIis4/1aF0mY0=
 github.com/gookit/assert v0.1.1/go.mod h1:jS5bmIVQZTIwk42uXl4lyj4iaaxx32tqH16CFj0VX2E=
 github.com/gookit/color v1.2.5/go.mod h1:AhIE+pS6D4Ql0SQWbBeXPHw7gY0/sjHoA4s/n1KB7xg=
-github.com/gookit/color v1.6.0 h1:JjJXBTk1ETNyqyilJhkTXJYYigHG24TM9Xa2M1xAhRA=
+github.com/gookit/color v1.6.1 h1:KoTnDxJPRgrL0SoX0f8rCFg2zI0t4E3GZZBMo2nN8LU=
-github.com/gookit/color v1.6.0/go.mod h1:9ACFc7/1IpHGBW8RwuDm/0YEnhg3dwwXpoMsmtyHfjs=
+github.com/gookit/color v1.6.1/go.mod h1:9ACFc7/1IpHGBW8RwuDm/0YEnhg3dwwXpoMsmtyHfjs=
-github.com/gpustack/gguf-parser-go v0.24.0 h1:tdJceXYp9e5RhE9RwVYIuUpir72Jz2D68NEtDXkKCKc=
+github.com/gpustack/gguf-parser-go v0.24.1 h1:nTYtL8HFK6ZhB90RKBu4oX2b3ZHpJLrMmKRfL9w9Cyc=
-github.com/gpustack/gguf-parser-go v0.24.0/go.mod h1:y4TwTtDqFWTK+xvprOjRUh+dowgU2TKCX37vRKvGiZ0=
+github.com/gpustack/gguf-parser-go v0.24.1/go.mod h1:y4TwTtDqFWTK+xvprOjRUh+dowgU2TKCX37vRKvGiZ0=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.72 h1:vTCWu1wbdYo7PEZFem/rlr01+Un+wwVmI7wiegFdRLk=
 github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.72/go.mod h1:Vn+BBgKQHVQYdVQ4NZDICE1Brb+JfaONyDHr3q07oQc=
@ -622,12 +620,12 @@ github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/invopop/jsonschema v0.13.0 h1:KvpoAJWEjR3uD9Kbm2HWJmqsEaHt8lBUpd0qHcIi21E=
+github.com/invopop/jsonschema v0.14.0 h1:MHQqLhvpNUZfw+hM3AZDYK7jxO8FZoQeQM77g8iyZjg=
-github.com/invopop/jsonschema v0.13.0/go.mod h1:ffZ5Km5SWWRAIN6wbDXItl95euhFz2uON45H2qjYt+0=
+github.com/invopop/jsonschema v0.14.0/go.mod h1:ygm6C2EaVNMBDPpaPlnOA2pFAxBnxGjFlMZABxm9n2I=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
-github.com/jedib0t/go-pretty/v6 v6.7.8 h1:BVYrDy5DPBA3Qn9ICT+PokP9cvCv1KaHv2i+Hc8sr5o=
+github.com/jedib0t/go-pretty/v6 v6.7.10 h1:B/2qW2Bkv2L6n14PP8o1kx75kWzHOQ3YTluWzg9icac=
-github.com/jedib0t/go-pretty/v6 v6.7.8/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU=
+github.com/jedib0t/go-pretty/v6 v6.7.10/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU=
 github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
 github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
@ -646,9 +644,11 @@ github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
+github.com/klauspost/compress v1.18.6 h1:2jupLlAwFm95+YDR+NwD2MEfFO9d4z4Prjl1XXDjuao=
-github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
+github.com/klauspost/compress v1.18.6/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@ -671,10 +671,9 @@ github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc8
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
 github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo=
+github.com/maruel/natural v1.3.0 h1:VsmCsBmEyrR46RomtgHs5hbKADGRVtliHTyCOLFBpsg=
-github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg=
+github.com/maruel/natural v1.3.0/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
@ -723,10 +722,10 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
-github.com/moby/moby/api v1.54.1 h1:TqVzuJkOLsgLDDwNLmYqACUuTehOHRGKiPhvH8V3Nn4=
+github.com/moby/moby/api v1.54.2 h1:wiat9QAhnDQjA7wk1kh/TqHz2I1uUA7M7t9SAl/JNXg=
-github.com/moby/moby/api v1.54.1/go.mod h1:+RQ6wluLwtYaTd1WnPLykIDPekkuyD/ROWQClE83pzs=
+github.com/moby/moby/api v1.54.2/go.mod h1:+RQ6wluLwtYaTd1WnPLykIDPekkuyD/ROWQClE83pzs=
-github.com/moby/moby/client v0.4.0 h1:S+2XegzHQrrvTCvF6s5HFzcrywWQmuVnhOXe2kiWjIw=
+github.com/moby/moby/client v0.4.1 h1:DMQgisVoMkmMs7fp3ROSdiBnoAu8+vo3GggFl06M/wY=
-github.com/moby/moby/client v0.4.0/go.mod h1:QWPbvWchQbxBNdaLSpoKpCdf5E+WxFAgNHogCWDoa7g=
+github.com/moby/moby/client v0.4.1/go.mod h1:z52C9O2POPOsnxZAy//WtKcQ32P+jT/NGeXu/7nfjGQ=
 github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
 github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
 github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
@ -776,22 +775,22 @@ github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJw
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg=
 github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE=
 github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pb33f/ordered-map/v2 v2.3.1 h1:5319HDO0aw4DA4gzi+zv4FXU9UlSs3xGZ40wcP1nBjY=
 github.com/pb33f/ordered-map/v2 v2.3.1/go.mod h1:qxFQgd0PkVUtOMCkTapqotNgzRhMPL7VvaHKbd1HnmQ=
 github.com/pborman/indent v1.2.1 h1:lFiviAbISHv3Rf0jcuh489bi06hj98JsVMtIDZQb9yM=
 github.com/pborman/indent v1.2.1/go.mod h1:FitS+t35kIYtB5xWTZAPhnmrxcciEEOdbyrrpz5K6Vw=
 github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
+github.com/pelletier/go-toml/v2 v2.3.1 h1:MYEvvGnQjeNkRF1qUuGolNtNExTDwct51yp7olPtrEc=
-github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pelletier/go-toml/v2 v2.3.1/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
-github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
+github.com/pierrec/lz4/v4 v4.1.26 h1:GrpZw1gZttORinvzBdXPUXATeqlJjqUG/D87TKMnhjY=
-github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pierrec/lz4/v4 v4.1.26/go.mod h1:EoQMVJgeeEOMsCqCzqFm2O0cJvljX2nGZjcRIPL34O4=
-github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
+github.com/pjbgf/sha1cd v0.6.0 h1:3WJ8Wz8gvDz29quX1OcEmkAlUg9diU4GxJHqs0/XiwU=
-github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
+github.com/pjbgf/sha1cd v0.6.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@ -800,8 +799,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
 github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
-github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=
+github.com/pkg/xattr v0.4.12 h1:rRTkSyFNTRElv6pkA3zpjHpQ90p/OdHQC1GmGh1aTjM=
-github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
+github.com/pkg/xattr v0.4.12/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@ -822,8 +821,8 @@ github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8b
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
-github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
-github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
 github.com/quasilyte/go-ruleguard/dsl v0.3.23 h1:lxjt5B6ZCiBeeNO8/oQsegE6fLeCzuMRoVWSkXC4uvY=
 github.com/quasilyte/go-ruleguard/dsl v0.3.23/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
@ -925,13 +924,15 @@ github.com/sylabs/sif/v2 v2.24.0 h1:1wB5uMDUQYjk8AckTySaDcP9YnpMb1LyDRr1Jt9A10w=
 github.com/sylabs/sif/v2 v2.24.0/go.mod h1:DbXWqWZ1hdLSU+K9ipdds5AmZeHWsyxCOj/oQakBa88=
 github.com/sylabs/squashfs v1.0.6 h1:PvJcDzxr+vIm2kH56mEMbaOzvGu79gK7P7IX+R7BDZI=
 github.com/sylabs/squashfs v1.0.6/go.mod h1:DlDeUawVXLWAsSRa085Eo0ZenGzAB32JdAUFaB0LZfE=
 github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd h1:Rf9uhF1+VJ7ZHqxrG8pJ6YacmHvVCmByDmGbAWCc/gA=
 github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd/go.mod h1:EbW0wDK/qEUYI0A5bqq0C2kF8JTQwWONmGDBbzsxxHo=
 github.com/terminalstatic/go-xsd-validate v0.1.6 h1:TenYeQ3eY631qNi1/cTmLH/s2slHPRKTTHT+XSHkepo=
 github.com/terminalstatic/go-xsd-validate v0.1.6/go.mod h1:18lsvYFofBflqCrvo1umpABZ99+GneNTw2kEEc8UPJw=
 github.com/therootcompany/xz v1.0.1 h1:CmOtsn1CbtmyYiusbfmhmkpAAETj0wBIH6kCYaX+xzw=
 github.com/therootcompany/xz v1.0.1/go.mod h1:3K3UH1yCKgBneZYhuQUvJ9HPD19UEXEI0BWbMn8qNMY=
 github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
-github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
+github.com/tidwall/gjson v1.19.0 h1:xwxm7n691Uf3u5OFjzngavjGTh55KX5q/9w9xHW88JU=
-github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.19.0/go.mod h1:V37/opeE/JbLUOfH0QTXiNez2l0RUjYUhpT4szFQAfc=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
@ -945,16 +946,12 @@ github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
 github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/vbatts/go-mtree v0.7.0 h1:ytmOc3MTRidZiBi9VBCyZ2BHe4fZS47L5v7BVXDWW4E=
 github.com/vbatts/go-mtree v0.7.0/go.mod h1:EjdpFC+LZy1TXbRGNa1MKKgjQ+7ew3foMFJK8o4/TdY=
 github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4=
 github.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
 github.com/vifraa/gopom v1.0.0 h1:L9XlKbyvid8PAIK8nr0lihMApJQg/12OBvMA28BcWh0=
 github.com/vifraa/gopom v1.0.0/go.mod h1:oPa1dcrGrtlO37WPDBm5SqHAT+wTgF8An1Q71Z6Vv4o=
 github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 h1:jIVmlAFIqV3d+DOxazTR9v+zgj8+VYuQBzPgBZvWBHA=
 github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651/go.mod h1:b26F2tHLqaoRQf8DywqzVaV1MQ9yvjb0OMcNl7Nxu20=
 github.com/wagoodman/go-progress v0.0.0-20260303201901-10176f79b2c0 h1:EHsPe0Q0ANoLOZff1dBLAyeWLTA4sbPTpGI+2zb0FnM=
 github.com/wagoodman/go-progress v0.0.0-20260303201901-10176f79b2c0/go.mod h1:g/D9uEUFp5YLyciwCpVsSOZOm56hfv4rzGJod6MlqIM=
 github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
 github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@ -998,10 +995,10 @@ go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/detectors/gcp v1.39.0 h1:kWRNZMsfBHZ+uHjiH4y7Etn2FK26LAGkNFw7RHv1DhE=
 go.opentelemetry.io/contrib/detectors/gcp v1.39.0/go.mod h1:t/OGqzHBa5v6RHZwrDBJ2OirWc+4q/w2fTbLZwAKjTk=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 h1:YH4g8lQroajqUwWbq/tr2QX1JFmEXaDLgG+ew9bLMWo=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.68.0 h1:0Qx7VGBacMm9ZENQ7TnNObTYI4ShC+lHI16seduaxZo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.68.0/go.mod h1:Sje3i3MjSPKTSPvVWCaL8ugBzJwik3u4smCjUeuupqg=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 h1:CqXxU8VOmDefoh0+ztfGaymYbhdB/tT3zs79QaZTNGY=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0/go.mod h1:BuhAPThV8PBHBvg8ZzZ/Ok3idOdhWIodywz2xEcRbJo=
 go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
 go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.40.0 h1:ZrPRak/kS4xI3AVXy8F7pipuDXmDsrO8Lg+yQjBLjw0=
@ -1022,6 +1019,8 @@ go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9i
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 go.yaml.in/yaml/v4 v4.0.0-rc.2 h1:/FrI8D64VSr4HtGIlUtlFMGsm7H7pWTbj6vOLVZcA6s=
 go.yaml.in/yaml/v4 v4.0.0-rc.2/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
 go4.org v0.0.0-20230225012048-214862532bf5 h1:nifaUDeh+rPaBCMPMQHZmvJf+QdpLFnuQPwx+LxVmtc=
 go4.org v0.0.0-20230225012048-214862532bf5/go.mod h1:F57wTi5Lrj6WLyswp5EYV1ncrEbFGHD4hhz6S1ZYeaU=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@ -1036,8 +1035,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -1048,8 +1047,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
-golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@ -1077,8 +1076,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -1123,8 +1122,8 @@ golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -1232,13 +1231,13 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -1249,8 +1248,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@ -1311,16 +1310,16 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
-golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
+golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
-gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
-gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@ -1427,10 +1426,10 @@ google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ6
 google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 h1:VQZ/yAbAtjkHgH80teYd2em3xtIkkHd7ZhqfH2N9CsM=
 google.golang.org/genproto v0.0.0-20260128011058-8636f8732409/go.mod h1:rxKD3IEILWEu3P44seeNOAwZN4SaoKaQ/2eTg4mM6EM=
-google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 h1:7ei4lp52gK1uSejlA8AZl5AJjeLUOHBQscRQZUgAcu0=
+google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA=
-google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20/go.mod h1:ZdbssH/1SOVnjnDlXzxDHK2MCidiqXtbYccJNzNYPEE=
+google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d h1:wT2n40TBqFY6wiwazVK9/iTWbsQrgk5ZfCSVFLO9LQA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@ -1458,8 +1457,8 @@ google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
+google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
-google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@ -1474,8 +1473,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af h1:+5/Sw3GsDNlEmu7TfklWKPdQ0Ykja5VEmq2i817+jbI=
-google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@ -1506,10 +1505,10 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
+modernc.org/cc/v4 v4.28.2 h1:3tQ0lf2ADtoby2EtSP+J7IE2SHwEJdP8ioR59wx7XpY=
-modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
+modernc.org/cc/v4 v4.28.2/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
-modernc.org/ccgo/v4 v4.32.0 h1:hjG66bI/kqIPX1b2yT6fr/jt+QedtP2fqojG2VrFuVw=
+modernc.org/ccgo/v4 v4.34.0 h1:yRLPFZieg532OT4rp4JFNIVcquwalMX26G95WQDqwCQ=
-modernc.org/ccgo/v4 v4.32.0/go.mod h1:6F08EBCx5uQc38kMGl+0Nm0oWczoo1c7cgpzEry7Uc0=
+modernc.org/ccgo/v4 v4.34.0/go.mod h1:AS5WYMyBakQ+fhsHhtP8mWB82KTGPkNNJDGfGQCe0/A=
 modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
 modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
@ -1518,18 +1517,18 @@ modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
 modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.70.0 h1:U58NawXqXbgpZ/dcdS9kMshu08aiA6b7gusEusqzNkw=
+modernc.org/libc v1.72.3 h1:ZnDF4tXn4NBXFutMMQC4vtbTFSXhhKzR73fv0beZEAU=
-modernc.org/libc v1.70.0/go.mod h1:OVmxFGP1CI/Z4L3E0Q3Mf1PDE0BucwMkcXjjLntvHJo=
+modernc.org/libc v1.72.3/go.mod h1:dn0dZNnnn1clLyvRxLxYExxiKRZIRENOfqQ8XEeg4Qs=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
 modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
-modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
+modernc.org/opt v0.2.0 h1:tGyef5ApycA7FSEOMraay9SaTk5zmbx7Tu+cJs4QKZg=
-modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
+modernc.org/opt v0.2.0/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.46.2 h1:gkXQ6R0+AjxFC/fTDaeIVLbNLNrRoOK7YYVz5BKhTcE=
+modernc.org/sqlite v1.51.0 h1:aH/MMSoayAIhozZ7uJbVTT9QO/VhzBf0J9tymmmuC/U=
-modernc.org/sqlite v1.46.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig=
+modernc.org/sqlite v1.51.0/go.mod h1:tcNzv5p84E0skkmJn038y+hWJbLQXQqEnQfeh5r2JLM=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
--- a/internal/capabilities/generate/merge.go
+++ b/internal/capabilities/generate/merge.go
@ -490,11 +490,15 @@ func (e *EnrichmentData) EnrichWithBinaryClassifier(catalogerName string, entry
 			}
 			for _, o := range binaryClassifierOverrides[classifier.Class] {
 				cpeStrings := make([]string, len(o.CPEs))
 				for i, c := range o.CPEs {
 					cpeStrings[i] = c.Attributes.BindToFmtString()
 				}
 				packages = append(packages, capabilities.DetectorPackageInfo{
 					Class: o.Class,
 					Name:  o.Package,
 					PURL:  stripPURLVersion(o.PURL),
-					CPEs:  o.CPEs,
+					CPEs:  cpeStrings,
 					Type:  "BinaryPkg",
 				})
 			}
--- a/internal/capabilities/generate/overrides.go
+++ b/internal/capabilities/generate/overrides.go
@ -10,7 +10,7 @@ type binaryClassifierOverride struct {
 	Class   string
 	Package string
 	PURL    string
-	CPEs    []string
+	CPEs    []cpe.CPE
 }
 var binaryClassifierOverrides = map[string][]binaryClassifierOverride{
@ -96,12 +96,61 @@ var binaryClassifierOverrides = map[string][]binaryClassifierOverride{
 			CPEs:    singleCPE("cpe:2.3:a:oracle:jdk:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 		},
 	},
 	"openssl-binary": {
 		{
 			Class:   "openssl-binary-aws-lc",
 			Package: "aws-lc",
 			PURL:    mustPURL("pkg:generic/aws-lc@version"),
 			CPEs:    singleCPE("cpe:2.3:a:amazon:aws_libcrypto:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 		},
 		{
 			Class:   "openssl-binary",
 			Package: "openssl",
 			PURL:    mustPURL("pkg:generic/openssl@version"),
 			CPEs:    singleCPE("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 		},
 	},
 	"mysqld-binary": {
 		{
 			Class:   "mysqld-mysql-cluster-legacy-binary",
 			Package: "mysql-cluster",
 			PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
 			CPEs: []cpe.CPE{
 				cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 			},
 		},
 		{
 			Class:   "mysqld-mysql-cluster-binary",
 			Package: "mysql-cluster",
 			PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
 			CPEs: []cpe.CPE{
 				cpe.Must("cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 				cpe.Must("cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 				cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 			},
 		},
 		{
 			Class:   "mysqld-mysql-server-binary",
 			Package: "mysql-server",
 			PURL:    mustPURL("pkg:generic/mysql-server@version"),
 			CPEs: []cpe.CPE{
 				cpe.Must("cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 				cpe.Must("cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 			},
 		},
 	},
 }
 func mustPURL(purl string) string {
 	return purl
 }
-func singleCPE(cpeString string, _ ...any) []string {
+func singleCPE(cpeString string, source ...cpe.Source) []cpe.CPE {
-	return []string{cpeString}
+	src := cpe.GeneratedSource
 	if len(source) > 0 {
 		src = source[0]
 	}
 	return []cpe.CPE{
 		cpe.Must(cpeString, src),
 	}
 }
--- a/internal/constants.go
+++ b/internal/constants.go
@ -3,12 +3,13 @@ package internal
 const (
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "16.1.3"
+	JSONSchemaVersion = "16.1.4"
 	// Changelog
 	// 16.1.0 - reformulated the python pdm fields (added "URL" and removed the unused "path" field).
 	// 16.1.1 - correct elf package osCpe field according to the document of systemd (also add appCpe field)
 	// 16.1.2 - placeholder for 16.1.2 changelog
 	// 16.1.3 - add GGUFFileParts to GGUFFileHeader metadata
 	// 16.1.4 - add BunLockEntry metadata type for bun.lock support
 )
--- a/internal/file/squashfs.go
+++ b/internal/file/squashfs.go
@ -5,6 +5,7 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
 	"strings"
 	"github.com/diskfs/go-diskfs/filesystem"
 )
@ -14,8 +15,7 @@ type WalkDiskDirFunc func(fsys filesystem.FileSystem, path string, d os.FileInfo
 // WalkDiskDir walks the file tree within the go-diskfs filesystem at root, calling fn for each file or directory in the tree, including root.
 // This is meant to mimic the behavior of fs.WalkDir in the standard library.
 func WalkDiskDir(fsys filesystem.FileSystem, root string, fn WalkDiskDirFunc) error {
-	infos, err := fsys.ReadDir(root)
+	infos, err := readDiskDir(fsys, root)
 	if err != nil {
 		return err
 	}
@ -51,7 +51,7 @@ func walkDiskDir(fsys filesystem.FileSystem, name string, d os.FileInfo, walkDir
 	isDir := d != nil && d.IsDir()
 	if d == nil {
-		_, err := fsys.ReadDir(name)
+		_, err := readDiskDir(fsys, name)
 		if err != nil {
 			return nil
 		}
@ -62,7 +62,7 @@ func walkDiskDir(fsys filesystem.FileSystem, name string, d os.FileInfo, walkDir
 		return nil
 	}
-	dirs, err := fsys.ReadDir(name)
+	dirs, err := readDiskDir(fsys, name)
 	if err != nil {
 		err = walkDirFn(fsys, name, d, err)
 		if err != nil {
@ -87,3 +87,33 @@ func walkDiskDir(fsys filesystem.FileSystem, name string, d os.FileInfo, walkDir
 	}
 	return nil
 }
 // readDiskDir reads the directory entries at the given path from a go-diskfs filesystem.
 // go-diskfs returns fs.DirEntry values; these are resolved to os.FileInfo so callers have
 // access to the full file metadata (mode, size, modification time).
 func readDiskDir(fsys filesystem.FileSystem, p string) ([]os.FileInfo, error) {
 	entries, err := fsys.ReadDir(ToFSPath(p))
 	if err != nil {
 		return nil, err
 	}
 	infos := make([]os.FileInfo, 0, len(entries))
 	for _, entry := range entries {
 		info, err := entry.Info()
 		if err != nil {
 			return nil, err
 		}
 		infos = append(infos, info)
 	}
 	return infos, nil
 }
 // ToFSPath converts an absolute ("/"-rooted) path into an io/fs-valid path as required by
 // go-diskfs, where the root is "." and other paths carry no leading slash (see io/fs.ValidPath).
 func ToFSPath(p string) string {
 	p = strings.TrimPrefix(p, "/")
 	if p == "" {
 		return "."
 	}
 	return p
 }
--- a/internal/file/squashfs_test.go
+++ b/internal/file/squashfs_test.go
@ -43,10 +43,10 @@ func createTestFS(t *testing.T) filesystem.FileSystem {
 	for _, tf := range testFiles {
 		if tf.isDir {
-			err := fsys.Mkdir(tf.path)
+			err := fsys.Mkdir(ToFSPath(tf.path))
 			require.NoError(t, err)
 		} else {
-			f, err := fsys.OpenFile(tf.path, os.O_CREATE|os.O_RDWR)
+			f, err := fsys.OpenFile(ToFSPath(tf.path), os.O_CREATE|os.O_RDWR)
 			require.NoError(t, err)
 			_, err = f.Write([]byte(tf.content))
 			require.NoError(t, err)
--- a/internal/jsonschema/comments_test.go
+++ b/internal/jsonschema/comments_test.go
@ -6,9 +6,9 @@ import (
 	"testing"
 	"github.com/invopop/jsonschema"
 	orderedmap "github.com/pb33f/ordered-map/v2"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	orderedmap "github.com/wk8/go-ordered-map/v2"
 )
 // TestCopyAliasFieldComments verifies that field comments from source types are correctly copied to alias types.
--- a/internal/packagemetadata/generated.go
+++ b/internal/packagemetadata/generated.go
@ -11,6 +11,7 @@ func AllTypes() []any {
 		pkg.ApkDBEntry{},
 		pkg.BinarySignature{},
 		pkg.BitnamiSBOMEntry{},
 		pkg.BunLockEntry{},
 		pkg.CocoaPodfileLockEntry{},
 		pkg.ConanV1LockEntry{},
 		pkg.ConanV2LockEntry{},
--- a/internal/packagemetadata/names.go
+++ b/internal/packagemetadata/names.go
@ -96,6 +96,7 @@ var jsonTypes = makeJSONTypes(
 	jsonNames(pkg.NpmPackageLockEntry{}, "javascript-npm-package-lock-entry", "NpmPackageLockJsonMetadata"),
 	jsonNames(pkg.YarnLockEntry{}, "javascript-yarn-lock-entry", "YarnLockJsonMetadata"),
 	jsonNames(pkg.PnpmLockEntry{}, "javascript-pnpm-lock-entry"),
 	jsonNames(pkg.BunLockEntry{}, "javascript-bun-lock-entry"),
 	jsonNames(pkg.PEBinary{}, "pe-binary"),
 	jsonNames(pkg.PhpComposerLockEntry{}, "php-composer-lock-entry", "PhpComposerJsonMetadata"),
 	jsonNamesWithoutLookup(pkg.PhpComposerInstalledEntry{}, "php-composer-installed-entry", "PhpComposerJsonMetadata"), // the legacy value is split into two types, where the other is preferred
--- a/internal/task/package_tasks.go
+++ b/internal/task/package_tasks.go
@ -161,7 +161,7 @@ func DefaultPackageTaskFactories() Factories {
 			pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "binary",
 		),
 		newSimplePackageTaskFactory(binary.NewELFPackageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "binary", "elf-package", "elf"),
-		newSimplePackageTaskFactory(binary.NewPEPackageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "binary", "pe-package", "pe", "dll", "exe"),
+		newSimplePackageTaskFactory(binary.NewPEPackageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "binary", "pe-package", "pe", "dll", "exe", "bpl"),
 		newSimplePackageTaskFactory(githubactions.NewActionUsageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, "github", "github-actions"),
 		newSimplePackageTaskFactory(githubactions.NewWorkflowUsageCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, "github", "github-actions"),
 		newSimplePackageTaskFactory(java.NewJvmDistributionCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "java", "jvm", "jdk", "jre"),
--- a/schema/cyclonedx/cyclonedx.json
+++ b/schema/cyclonedx/cyclonedx.json
--- a/schema/cyclonedx/cyclonedx.xsd
+++ b/schema/cyclonedx/cyclonedx.xsd
--- a/schema/cyclonedx/spdx.schema.json
+++ b/schema/cyclonedx/spdx.schema.json
--- a/schema/cyclonedx/spdx.xsd
+++ b/schema/cyclonedx/spdx.xsd
@ -2,7 +2,7 @@
 <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           elementFormDefault="qualified"
           targetNamespace="http://cyclonedx.org/schema/spdx"
-           version="1.0-3.27.0">
+           version="1.0-3.28.0">
    <xs:simpleType name="licenseId">
        <xs:restriction base="xs:string">
@ -57,6 +57,11 @@
                    <xs:documentation>Amazon Digital Services License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="Advanced-Cryptics-Dictionary">
                <xs:annotation>
                    <xs:documentation>Advanced Cryptics Dictionary License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="AFL-1.1">
                <xs:annotation>
                    <xs:documentation>Academic Free License v1.1</xs:documentation>
@ -122,6 +127,11 @@
                    <xs:documentation>Aladdin Free Public License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="ALGLIB-Documentation">
                <xs:annotation>
                    <xs:documentation>ALGLIB Documentation License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="AMD-newlib">
                <xs:annotation>
                    <xs:documentation>AMD newlib License</xs:documentation>
@ -327,6 +337,11 @@
                    <xs:documentation>Boehm-Demers-Weiser GC License (without fee)</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="BOLA-1.1">
                <xs:annotation>
                    <xs:documentation>Buena Onda License Agreement v1.1</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="Borceux">
                <xs:annotation>
                    <xs:documentation>Borceux license</xs:documentation>
@ -457,6 +472,11 @@
                    <xs:documentation>BSD 3-Clause Sun Microsystems</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="BSD-3-Clause-Tso">
                <xs:annotation>
                    <xs:documentation>BSD 3-Clause Tso variant</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="BSD-4-Clause">
                <xs:annotation>
                    <xs:documentation>BSD 4-Clause &quot;Original&quot; or &quot;Old&quot; License</xs:documentation>
@ -497,6 +517,11 @@
                    <xs:documentation>BSD-Inferno-Nettverk</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="BSD-Mark-Modifications">
                <xs:annotation>
                    <xs:documentation>BSD Mark Modifications License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="BSD-Protection">
                <xs:annotation>
                    <xs:documentation>BSD Protection License</xs:documentation>
@ -527,6 +552,11 @@
                    <xs:documentation>Boost Software License 1.0</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="Buddy">
                <xs:annotation>
                    <xs:documentation>Buddy License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="BUSL-1.1">
                <xs:annotation>
                    <xs:documentation>Business Source License 1.1</xs:documentation>
@ -567,6 +597,11 @@
                    <xs:documentation>Caldera License (without preamble)</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="CAPEC-tou">
                <xs:annotation>
                    <xs:documentation>Common Attack    Pattern Enumeration and Classification License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="Catharon">
                <xs:annotation>
                    <xs:documentation>Catharon License</xs:documentation>
@ -1212,6 +1247,21 @@
                    <xs:documentation>Erlang Public License v1.1</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="ESA-PL-permissive-2.4">
                <xs:annotation>
                    <xs:documentation>European Space Agency Public License – v2.4 – Permissive (Type 3)</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="ESA-PL-strong-copyleft-2.4">
                <xs:annotation>
                    <xs:documentation>European Space Agency Public License (ESA-PL) - V2.4 - Strong Copyleft (Type 1)</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="ESA-PL-weak-copyleft-2.4">
                <xs:annotation>
                    <xs:documentation>European Space Agency Public License – v2.4 – Weak Copyleft (Type 2)</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="etalab-2.0">
                <xs:annotation>
                    <xs:documentation>Etalab Open License 2.0</xs:documentation>
@ -1737,6 +1787,11 @@
                    <xs:documentation>Historical Permission Notice and Disclaimer - sell variant</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="HPND-sell-variant-critical-systems">
                <xs:annotation>
                    <xs:documentation>HPND - sell variant with safety critical systems clause</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="HPND-sell-variant-MIT-disclaimer">
                <xs:annotation>
                    <xs:documentation>HPND sell variant with MIT disclaimer</xs:documentation>
@ -1747,6 +1802,11 @@
                    <xs:documentation>HPND sell variant with MIT disclaimer - reverse</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="HPND-SMC">
                <xs:annotation>
                    <xs:documentation>Historical Permission Notice and Disclaimer - SMC variant</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="HPND-UC">
                <xs:annotation>
                    <xs:documentation>Historical Permission Notice and Disclaimer - University of California variant</xs:documentation>
@ -1762,6 +1822,11 @@
                    <xs:documentation>HTML Tidy License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="hyphen-bulgarian">
                <xs:annotation>
                    <xs:documentation>hyphen-bulgarian License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="IBM-pibs">
                <xs:annotation>
                    <xs:documentation>IBM PowerPC Initialization and Boot Software</xs:documentation>
@ -1852,6 +1917,11 @@
                    <xs:documentation>ISC Veillard variant</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="ISO-permission">
                <xs:annotation>
                    <xs:documentation>ISO permission notice</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="Jam">
                <xs:annotation>
                    <xs:documentation>Jam License</xs:documentation>
@ -2237,6 +2307,11 @@
                    <xs:documentation>MIT Open Group variant</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="MIT-STK">
                <xs:annotation>
                    <xs:documentation>MIT-STK License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="MIT-testregex">
                <xs:annotation>
                    <xs:documentation>MIT testregex Variant</xs:documentation>
@ -2257,6 +2332,11 @@
                    <xs:documentation>MMIXware License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="MMPL-1.0.1">
                <xs:annotation>
                    <xs:documentation>Minecraft Mod Public License v1.0.1</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="Motosoto">
                <xs:annotation>
                    <xs:documentation>Motosoto License</xs:documentation>
@ -2422,6 +2502,11 @@
                    <xs:documentation>NIST Public Domain Notice with license fallback</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="NIST-PD-TNT">
                <xs:annotation>
                    <xs:documentation>NIST    Public Domain Notice TNT variant</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="NIST-Software">
                <xs:annotation>
                    <xs:documentation>NIST Software License</xs:documentation>
@ -2687,6 +2772,11 @@
                    <xs:documentation>Open Market License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="OpenMDW-1.0">
                <xs:annotation>
                    <xs:documentation>OpenMDW License Agreement v1.0</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="OpenPBS-2.3">
                <xs:annotation>
                    <xs:documentation>OpenPBS v2.3 Software License</xs:documentation>
@ -2722,6 +2812,11 @@
                    <xs:documentation>Open Publication License v1.0</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="OSC-1.0">
                <xs:annotation>
                    <xs:documentation>OSC License 1.0</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="OSET-PL-2.1">
                <xs:annotation>
                    <xs:documentation>OSET Public License version 2.1</xs:documentation>
@ -2752,11 +2847,21 @@
                    <xs:documentation>Open Software License 3.0</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="OSSP">
                <xs:annotation>
                    <xs:documentation>OSSP License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="PADL">
                <xs:annotation>
                    <xs:documentation>PADL License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="ParaType-Free-Font-1.3">
                <xs:annotation>
                    <xs:documentation>ParaType Free Font Licensing Agreement v1.3</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="Parity-6.0.0">
                <xs:annotation>
                    <xs:documentation>The Parity Public License 6.0.0</xs:documentation>
@ -2977,6 +3082,11 @@
                    <xs:documentation>SGI OpenGL License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="SGMLUG-PM">
                <xs:annotation>
                    <xs:documentation>SGMLUG Parser Materials License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="SGP4">
                <xs:annotation>
                    <xs:documentation>SGP4 Permission Notice</xs:documentation>
@ -3162,6 +3272,11 @@
                    <xs:documentation>TCP Wrappers License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="TekHVC">
                <xs:annotation>
                    <xs:documentation>TekHVC License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="TermReadKey">
                <xs:annotation>
                    <xs:documentation>TermReadKey License</xs:documentation>
@ -3297,6 +3412,11 @@
                    <xs:documentation>Unlicense - libwhirlpool variant</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="UnRAR">
                <xs:annotation>
                    <xs:documentation>UnRAR License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="UPL-1.0">
                <xs:annotation>
                    <xs:documentation>Universal Permissive License v1.0</xs:documentation>
@ -3312,6 +3432,11 @@
                    <xs:documentation>Vim License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="Vixie-Cron">
                <xs:annotation>
                    <xs:documentation>Vixie Cron License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="VOSTROM">
                <xs:annotation>
                    <xs:documentation>VOSTROM Public License for Open Source</xs:documentation>
@ -3352,11 +3477,21 @@
                    <xs:documentation>Widget Workshop License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="WordNet">
                <xs:annotation>
                    <xs:documentation>WordNet License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="Wsuipa">
                <xs:annotation>
                    <xs:documentation>Wsuipa License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="WTFNMFPL">
                <xs:annotation>
                    <xs:documentation>Do What The F*ck You Want To But It&apos;s Not My Fault Public License</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="WTFPL">
                <xs:annotation>
                    <xs:documentation>Do What The F*ck You Want To Public License</xs:documentation>
@ -3382,6 +3517,11 @@
                    <xs:documentation>X11 License Distribution Modification Variant</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="X11-no-permit-persons">
                <xs:annotation>
                    <xs:documentation>X11 no permit persons clause</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="X11-swapped">
                <xs:annotation>
                    <xs:documentation>X11 swapped final paragraphs</xs:documentation>
@ -3568,6 +3708,11 @@
                    <xs:documentation>Classpath exception 2.0</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="Classpath-exception-2.0-short">
                <xs:annotation>
                    <xs:documentation>Classpath exception 2.0 - short</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="CLISP-exception-2.0">
                <xs:annotation>
                    <xs:documentation>CLISP exception 2.0</xs:documentation>
@ -3718,6 +3863,11 @@
                    <xs:documentation>KiCad Libraries Exception</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="kvirc-openssl-exception">
                <xs:annotation>
                    <xs:documentation>kvirc OpenSSL Exception</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="LGPL-3.0-linking-exception">
                <xs:annotation>
                    <xs:documentation>LGPL-3.0 Linking Exception</xs:documentation>
@ -3833,6 +3983,11 @@
                    <xs:documentation>RRDtool FLOSS exception 2.0</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="rsync-linking-exception">
                <xs:annotation>
                    <xs:documentation>rsync Linking Exception</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="SANE-exception">
                <xs:annotation>
                    <xs:documentation>SANE Exception</xs:documentation>
@ -3848,6 +4003,16 @@
                    <xs:documentation>Solderpad Hardware License v2.1</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="Simple-Library-Usage-exception">
                <xs:annotation>
                    <xs:documentation>Simple Library Usage Exception</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="sqlitestudio-OpenSSL-exception">
                <xs:annotation>
                    <xs:documentation>sqlitestudio OpenSSL exception</xs:documentation>
                </xs:annotation>
            </xs:enumeration>
            <xs:enumeration value="stunnel-exception">
                <xs:annotation>
                    <xs:documentation>stunnel Exception</xs:documentation>
--- a/schema/json/schema-16.1.4.json
+++ b/schema/json/schema-16.1.4.json
--- a/schema/json/schema-latest.json
+++ b/schema/json/schema-latest.json
@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "anchore.io/schema/syft/json/16.1.3/document",
+  "$id": "anchore.io/schema/syft/json/16.1.4/document",
  "$ref": "#/$defs/Document",
  "$defs": {
    "AlpmDbEntry": {
@ -1918,6 +1918,61 @@
      "type": "object",
      "description": "JavaVMRelease represents JVM version and build information extracted from the release file in a Java installation."
    },
    "JavascriptBunLockEntry": {
      "properties": {
        "integrity": {
          "type": "string",
          "description": "Integrity is Subresource Integrity hash for verification (SRI format)"
        },
        "dependencies": {
          "additionalProperties": {
            "type": "string"
          },
          "type": "object",
          "description": "Dependencies is a map of runtime dependencies and their version specifiers"
        },
        "optionalDependencies": {
          "additionalProperties": {
            "type": "string"
          },
          "type": "object",
          "description": "OptionalDependencies is a map of optional dependencies and their version specifiers"
        },
        "peerDependencies": {
          "additionalProperties": {
            "type": "string"
          },
          "type": "object",
          "description": "PeerDependencies is a map of peer dependencies and their version specifiers"
        },
        "bin": {
          "additionalProperties": {
            "type": "string"
          },
          "type": "object",
          "description": "Bin is a map of binary names to the paths they are installed to"
        },
        "os": {
          "type": "string",
          "description": "OS is the operating system constraint for the package (e.g. \"darwin\")"
        },
        "cpu": {
          "type": "string",
          "description": "CPU is the CPU architecture constraint for the package (e.g. \"arm64\")"
        }
      },
      "type": "object",
      "required": [
        "integrity",
        "dependencies",
        "optionalDependencies",
        "peerDependencies",
        "bin",
        "os",
        "cpu"
      ],
      "description": "BunLockEntry represents a single entry in the \"packages\" section of a bun.lock file"
    },
    "JavascriptNpmPackage": {
      "properties": {
        "name": {
@ -2657,6 +2712,9 @@
            {
              "$ref": "#/$defs/JavaJvmInstallation"
            },
            {
              "$ref": "#/$defs/JavascriptBunLockEntry"
            },
            {
              "$ref": "#/$defs/JavascriptNpmPackage"
            },
--- a/syft/file/cataloger/executable/testdata/elf/Makefile
+++ b/syft/file/cataloger/executable/testdata/elf/Makefile
@ -15,14 +15,18 @@ fixtures: build verify
 # requirement 2: 'fingerprint' goal to determine if the fixture input that indicates any existing cache should be busted
 fingerprint: $(FINGERPRINT_FILE)
 tools-check:
 	@sha256sum -c Dockerfile.sha256 || (echo "Tools Dockerfile has changed" && exit 1)
 # for selfrando...
 # docker buildx build --platform linux/amd64 -t $(TOOL_IMAGE) .
 tools:
-	@(docker image inspect $(TOOL_IMAGE) > /dev/null 2>&1 && make tools-check) || (docker build -t $(TOOL_IMAGE) . && sha256sum Dockerfile > Dockerfile.sha256)
+	@if docker image inspect $(TOOL_IMAGE) > /dev/null 2>&1 \
 	   && test -f Dockerfile.sha256 \
 	   && sha256sum --quiet -c Dockerfile.sha256 2>/dev/null; then \
 	  : ; \
 	else \
 	  docker build -t $(TOOL_IMAGE) . \
 	  && sha256sum Dockerfile > Dockerfile.sha256; \
 	fi
 build: tools
 	mkdir -p $(BIN)
@ -46,4 +50,4 @@ $(FINGERPRINT_FILE):
 clean:
 	rm -rf $(BIN) Dockerfile.sha256 $(VERIFY_FILE) $(FINGERPRINT_FILE)
-.PHONY: tools tools-check build verify debug clean
+.PHONY: tools build verify debug clean
--- a/syft/file/cataloger/executable/testdata/shared-info/Makefile
+++ b/syft/file/cataloger/executable/testdata/shared-info/Makefile
@ -15,11 +15,15 @@ fixtures: build
 # requirement 2: 'fingerprint' goal to determine if the fixture input that indicates any existing cache should be busted
 fingerprint: $(FINGERPRINT_FILE)
 tools-check:
 	@sha256sum -c Dockerfile.sha256 || (echo "Tools Dockerfile has changed" && exit 1)
 tools:
-	@(docker image inspect $(TOOL_IMAGE) > /dev/null 2>&1 && make tools-check) || (docker build --platform linux/amd64 -t $(TOOL_IMAGE) . && sha256sum Dockerfile > Dockerfile.sha256)
+	@if docker image inspect $(TOOL_IMAGE) > /dev/null 2>&1 \
 	   && test -f Dockerfile.sha256 \
 	   && sha256sum --quiet -c Dockerfile.sha256 2>/dev/null; then \
 	  : ; \
 	else \
 	  docker build --platform linux/amd64 -t $(TOOL_IMAGE) . \
 	  && sha256sum Dockerfile > Dockerfile.sha256; \
 	fi
 build: tools
 	@mkdir -p $(BIN)
@ -38,4 +42,4 @@ $(FINGERPRINT_FILE):
 clean:
 	rm -rf $(BIN) Dockerfile.sha256 $(VERIFY_FILE) $(FINGERPRINT_FILE)
-.PHONY: tools tools-check build debug clean
+.PHONY: tools build debug clean
--- a/syft/format/cyclonedxjson/testdata/identify/1.7.json
+++ b/syft/format/cyclonedxjson/testdata/identify/1.7.json
@ -0,0 +1,59 @@
 {
  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "serialNumber": "urn:uuid:5208fea9-73dd-4624-b596-69fddccdb9e7",
  "version": 1,
  "metadata": {
    "timestamp": "2023-09-29T12:02:02-04:00",
    "tools": [
      {
        "vendor": "anchore",
        "name": "syft",
        "version": "[not provided]"
      }
    ],
    "component": {
      "bom-ref": "a0ff99a6af10f11f",
      "type": "file",
      "name": "go.mod",
      "version": "sha256:sha256:dc333f342905248a52e424d8dfd061251d01867d01a4f9d7397144a775ff9ebd"
    }
  },
  "components": [
    {
      "bom-ref": "pkg:golang/github.com/wagoodman/go-partybus@v0.0.0-20230516145632-8ccac152c651?package-id=2ff71a67fb024c86",
      "type": "library",
      "name": "github.com/wagoodman/go-partybus",
      "version": "v0.0.0-20230516145632-8ccac152c651",
      "cpe": "cpe:2.3:a:wagoodman:go-partybus:v0.0.0-20230516145632-8ccac152c651:*:*:*:*:*:*:*",
      "purl": "pkg:golang/github.com/wagoodman/go-partybus@v0.0.0-20230516145632-8ccac152c651",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "go-module-file-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "go"
        },
        {
          "name": "syft:package:metadataType",
          "value": "GolangModMetadata"
        },
        {
          "name": "syft:package:type",
          "value": "go-module"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:wagoodman:go_partybus:v0.0.0-20230516145632-8ccac152c651:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/go.mod"
        }
      ]
    }
  ]
 }
--- a/syft/format/cyclonedxjson/testdata/snapshot/TestCycloneDxDirectoryEncoder.golden
+++ b/syft/format/cyclonedxjson/testdata/snapshot/TestCycloneDxDirectoryEncoder.golden
@ -1,7 +1,7 @@
 {
-  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
  "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
+  "specVersion": "1.7",
  "serialNumber": "urn:uuid:redacted",
  "version": 1,
  "metadata": {
--- a/syft/format/cyclonedxjson/testdata/snapshot/TestCycloneDxImageEncoder.golden
+++ b/syft/format/cyclonedxjson/testdata/snapshot/TestCycloneDxImageEncoder.golden
@ -1,7 +1,7 @@
 {
-  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
  "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
+  "specVersion": "1.7",
  "serialNumber": "urn:uuid:redacted",
  "version": 1,
  "metadata": {
--- a/syft/format/cyclonedxxml/testdata/identify/1.7.xml
+++ b/syft/format/cyclonedxxml/testdata/identify/1.7.xml
@ -0,0 +1,33 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <bom xmlns="http://cyclonedx.org/schema/bom/1.7" serialNumber="urn:uuid:098e8516-ecd5-4130-9d5f-c32ba1ddb0dd" version="1">
  <metadata>
    <timestamp>2023-09-29T11:48:10-04:00</timestamp>
    <tools>
      <tool>
        <vendor>anchore</vendor>
        <name>syft</name>
        <version>[not provided]</version>
      </tool>
    </tools>
    <component bom-ref="a0ff99a6af10f11f" type="file">
      <name>go.mod</name>
      <version>sha256:sha256:dc333f342905248a52e424d8dfd061251d01867d01a4f9d7397144a775ff9ebd</version>
    </component>
  </metadata>
  <components>
    <component bom-ref="pkg:golang/github.com/wagoodman/go-partybus@v0.0.0-20230516145632-8ccac152c651?package-id=2ff71a67fb024c86" type="library">
      <name>github.com/wagoodman/go-partybus</name>
      <version>v0.0.0-20230516145632-8ccac152c651</version>
      <cpe>cpe:2.3:a:wagoodman:go-partybus:v0.0.0-20230516145632-8ccac152c651:*:*:*:*:*:*:*</cpe>
      <purl>pkg:golang/github.com/wagoodman/go-partybus@v0.0.0-20230516145632-8ccac152c651</purl>
      <properties>
        <property name="syft:package:foundBy">go-module-file-cataloger</property>
        <property name="syft:package:language">go</property>
        <property name="syft:package:metadataType">GolangModMetadata</property>
        <property name="syft:package:type">go-module</property>
        <property name="syft:cpe23">cpe:2.3:a:wagoodman:go_partybus:v0.0.0-20230516145632-8ccac152c651:*:*:*:*:*:*:*</property>
        <property name="syft:location:0:path">/go.mod</property>
      </properties>
    </component>
  </components>
 </bom>
--- a/syft/format/cyclonedxxml/testdata/snapshot/TestCycloneDxDirectoryEncoder.golden
+++ b/syft/format/cyclonedxxml/testdata/snapshot/TestCycloneDxDirectoryEncoder.golden
@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.6" serialNumber="redacted" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7" serialNumber="redacted" version="1">
  <metadata>
    <timestamp>redacted</timestamp>
    <tools>
--- a/syft/format/cyclonedxxml/testdata/snapshot/TestCycloneDxImageEncoder.golden
+++ b/syft/format/cyclonedxxml/testdata/snapshot/TestCycloneDxImageEncoder.golden
@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.6" serialNumber="redacted" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7" serialNumber="redacted" version="1">
  <metadata>
    <timestamp>redacted</timestamp>
    <tools>
--- a/syft/format/internal/cyclonedxutil/encoder.go
+++ b/syft/format/internal/cyclonedxutil/encoder.go
@ -9,8 +9,6 @@ import (
 	"github.com/anchore/syft/syft/sbom"
 )
 const DefaultVersion = "1.6"
 type Encoder struct {
 	version cyclonedx.SpecVersion
 	format  cyclonedx.BOMFileFormat
--- a/syft/format/internal/cyclonedxutil/versions.go
+++ b/syft/format/internal/cyclonedxutil/versions.go
@ -2,6 +2,10 @@ package cyclonedxutil
 import (
 	"fmt"
 	"maps"
 	"slices"
 	"strconv"
 	"strings"
 	"github.com/CycloneDX/cyclonedx-go"
@ -13,59 +17,81 @@ const (
 	JSONFormatID sbom.FormatID = "cyclonedx-json"
 )
 const DefaultVersion = "1.7"
 var commonVersions = map[string]cyclonedx.SpecVersion{
 	"1.2":          cyclonedx.SpecVersion1_2,
 	"1.3":          cyclonedx.SpecVersion1_3,
 	"1.4":          cyclonedx.SpecVersion1_4,
 	"1.5":          cyclonedx.SpecVersion1_5,
 	"1.6":          cyclonedx.SpecVersion1_6,
 	DefaultVersion: cyclonedx.SpecVersion1_7,
 }
 var allVersions = func() map[string]cyclonedx.SpecVersion {
 	out := map[string]cyclonedx.SpecVersion{
 		"1.0": cyclonedx.SpecVersion1_0,
 		"1.1": cyclonedx.SpecVersion1_1,
 	}
 	maps.Copy(out, commonVersions)
 	return out
 }()
 func SupportedVersions(id sbom.FormatID) []string {
-	versions := []string{
+	versionSet := commonVersions
-		"1.2",
+	if id == XMLFormatID {
-		"1.3",
+		versionSet = allVersions
 		"1.4",
 		"1.5",
 		"1.6",
 	}
-
+	versions := make([]string, 0, len(versionSet))
-	if id != JSONFormatID {
+	for _, v := range versionSet {
-		// JSON format not supported for version < 1.2
+		versions = append(versions, v.String())
 		versions = append([]string{"1.0", "1.1"}, versions...)
 	}
-
+	slices.SortFunc(versions, versionSort)
 	return versions
 }
 func SpecVersionFromString(v string) (cyclonedx.SpecVersion, error) {
-	switch v {
+	if specVersion, ok := allVersions[v]; ok {
-	case "1.0":
+		return specVersion, nil
 		return cyclonedx.SpecVersion1_0, nil
 	case "1.1":
 		return cyclonedx.SpecVersion1_1, nil
 	case "1.2":
 		return cyclonedx.SpecVersion1_2, nil
 	case "1.3":
 		return cyclonedx.SpecVersion1_3, nil
 	case "1.4":
 		return cyclonedx.SpecVersion1_4, nil
 	case "1.5":
 		return cyclonedx.SpecVersion1_5, nil
 	case "1.6":
 		return cyclonedx.SpecVersion1_6, nil
 	}
 	return -1, fmt.Errorf("unsupported CycloneDX version %q", v)
 }
 func VersionFromSpecVersion(spec cyclonedx.SpecVersion) string {
-	switch spec {
+	for version, specVersion := range allVersions {
-	case cyclonedx.SpecVersion1_0:
+		if specVersion == spec {
-		return "1.0"
+			return version
-	case cyclonedx.SpecVersion1_1:
+		}
 		return "1.1"
 	case cyclonedx.SpecVersion1_2:
 		return "1.2"
 	case cyclonedx.SpecVersion1_3:
 		return "1.3"
 	case cyclonedx.SpecVersion1_4:
 		return "1.4"
 	case cyclonedx.SpecVersion1_5:
 		return "1.5"
 	case cyclonedx.SpecVersion1_6:
 		return "1.6"
 	}
 	return ""
 }
 func versionSort(a string, b string) int {
 	partsA := strings.Split(a, ".")
 	partsB := strings.Split(b, ".")
 	lenA := len(partsA)
 	lenB := len(partsB)
 	for i := range max(lenA, lenB) {
 		if i >= lenA {
 			return -1 // 1 < 1.x
 		}
 		if i >= lenB {
 			return 1 // 1.x > 1
 		}
 		partA, errA := strconv.ParseInt(partsA[i], 10, 64)
 		partB, errB := strconv.ParseInt(partsB[i], 10, 64)
 		if errA != nil || errB != nil {
 			// string compare if we can't parse one of the sides
 			strcmp := strings.Compare(partsA[i], partsB[i])
 			if strcmp == 0 {
 				continue
 			}
 			return strcmp // not equal
 		}
 		if partA == partB {
 			continue
 		}
 		return int(partA - partB)
 	}
 	return 0
 }
--- a/syft/format/internal/cyclonedxutil/versions_test.go
+++ b/syft/format/internal/cyclonedxutil/versions_test.go
@ -0,0 +1,107 @@
 package cyclonedxutil
 import (
 	"go/constant"
 	"go/types"
 	"regexp"
 	"slices"
 	"testing"
 	"github.com/CycloneDX/cyclonedx-go"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/tools/go/packages"
 )
 // Test_allSpecVersionsMapped loads the cyclonedx-go package's type information and enumerates every
 // SpecVersion* constant it declares, asserting each one is present in our version maps. Upgrading
 // cyclonedx-go to a release that adds a new spec version will fail this test until versions.go is updated.
 func Test_allSpecVersionsMapped(t *testing.T) {
 	const pkgPath = "github.com/CycloneDX/cyclonedx-go"
 	pkgs, err := packages.Load(&packages.Config{Mode: packages.NeedName | packages.NeedTypes}, pkgPath)
 	require.NoError(t, err)
 	require.Len(t, pkgs, 1)
 	pkg := pkgs[0]
 	require.Empty(t, pkg.Errors, "errors loading %s", pkgPath)
 	require.NotNil(t, pkg.Types, "no type info loaded for %s", pkgPath)
 	// allVersions is the superset (json/common versions merged in), so it covers every spec version we map.
 	mapped := make(map[cyclonedx.SpecVersion]struct{})
 	for syftVersion, sv := range allVersions {
 		// make sure the key matches the version it's mapped to
 		require.Contains(t, sv.String(), syftVersion, "version %q is not correctly mapped to cyclonedx SpecVersion %q", syftVersion, sv.String())
 		mapped[sv] = struct{}{}
 	}
 	specVersionConst := regexp.MustCompile(`^SpecVersion\d`)
 	scope := pkg.Types.Scope()
 	found := 0
 	for _, name := range scope.Names() {
 		if !specVersionConst.MatchString(name) {
 			continue
 		}
 		c, ok := scope.Lookup(name).(*types.Const)
 		if !ok {
 			continue
 		}
 		found++
 		val, ok := constant.Int64Val(c.Val())
 		require.Truef(t, ok, "could not read int value of cyclonedx.%s", name)
 		_, ok = mapped[cyclonedx.SpecVersion(val)]
 		assert.Truef(t, ok, "cyclonedx.%s is not mapped in versions.go; add it when upgrading cyclonedx-go", name)
 	}
 	require.NotZero(t, found, "no SpecVersion* constants found in %s", pkgPath)
 }
 func Test_versionSort(t *testing.T) {
 	// versionSort returns <0 when a<b, 0 when a==b, >0 when a>b; assert on sign rather than exact value.
 	sign := func(n int) int {
 		switch {
 		case n < 0:
 			return -1
 		case n > 0:
 			return 1
 		default:
 			return 0
 		}
 	}
 	tests := []struct {
 		name string
 		a    string
 		b    string
 		want int
 	}{
 		{name: "equal single part", a: "1", b: "1", want: 0},
 		{name: "equal two parts", a: "1.4", b: "1.4", want: 0},
 		{name: "minor less than", a: "1.3", b: "1.4", want: -1},
 		{name: "minor greater than", a: "1.6", b: "1.5", want: 1},
 		{name: "major less than", a: "1.7", b: "2.0", want: -1},
 		{name: "major greater than", a: "2.0", b: "1.7", want: 1},
 		{name: "fewer parts sorts first", a: "1", b: "1.0", want: -1},
 		{name: "more parts sorts last", a: "1.0", b: "1", want: 1},
 		{name: "numeric not lexical (10 > 9)", a: "1.10", b: "1.9", want: 1},
 		{name: "multi-digit major", a: "10.0", b: "9.0", want: 1},
 		{name: "three parts equal", a: "1.4.0", b: "1.4.0", want: 0},
 		{name: "three parts patch differs", a: "1.4.1", b: "1.4.0", want: 1},
 		{name: "non-numeric equal falls through", a: "1.x", b: "1.x", want: 0},
 		{name: "non-numeric string compare", a: "1.a", b: "1.b", want: -1},
 		{name: "non-numeric side string compare", a: "1.2", b: "1.x", want: -1},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			assert.Equal(t, tt.want, sign(versionSort(tt.a, tt.b)))
 			// comparator must be antisymmetric: swapping operands negates the sign.
 			assert.Equal(t, -tt.want, sign(versionSort(tt.b, tt.a)))
 		})
 	}
 }
 func Test_versionSort_sortsSlice(t *testing.T) {
 	versions := []string{"1.10", "1.2", "1", "2.0", "1.9", "1.0"}
 	slices.SortFunc(versions, versionSort)
 	assert.Equal(t, []string{"1", "1.0", "1.2", "1.9", "1.10", "2.0"}, versions)
 }
--- a/syft/format/internal/spdxutil/helpers/originator_supplier_test.go
+++ b/syft/format/internal/spdxutil/helpers/originator_supplier_test.go
@ -13,6 +13,7 @@ func Test_OriginatorSupplier(t *testing.T) {
 	completionTester := packagemetadata.NewCompletionTester(t,
 		pkg.BinarySignature{},
 		pkg.BitnamiSBOMEntry{},
 		pkg.BunLockEntry{},
 		pkg.CocoaPodfileLockEntry{},
 		pkg.ConanV1LockEntry{},
 		pkg.ConanV2LockEntry{}, // the field Username might be the username of either the package originator or the supplier (unclear currently)
--- a/syft/pkg/cataloger/binary/capabilities.yaml
+++ b/syft/pkg/cataloger/binary/capabilities.yaml
@ -66,6 +66,16 @@ catalogers:
            cpes:
              - cpe:2.3:a:julialang:julia:*:*:*:*:*:*:*:*
            type: BinaryPkg
      - method: glob
        criteria:
          - '**/julia'
        packages:
          - class: julia-binary
            name: julia
            purl: pkg:generic/julia
            cpes:
              - cpe:2.3:a:julialang:julia:*:*:*:*:*:*:*:*
            type: BinaryPkg
      - method: glob
        criteria:
          - '**/helm'
@ -242,6 +252,77 @@ catalogers:
              - cpe:2.3:a:percona:percona_server:*:*:*:*:*:*:*:*
              - cpe:2.3:a:percona:xtradb_cluster:*:*:*:*:*:*:*:*
            type: BinaryPkg
      - method: glob
        criteria:
          - '**/mysqld'
        packages:
          - class: mysqld-mysql-cluster-legacy-binary
            name: mysql-server
            purl: pkg:generic/mysql-server
            cpes:
              - cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
              - cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
            type: BinaryPkg
      - method: glob
        criteria:
          - '**/mysqld'
        packages:
          - class: mysqld-binary
            name: ""
            purl: pkg:/
            cpes: []
            type: BinaryPkg
          - class: mysqld-mysql-cluster-legacy-binary
            name: mysql-cluster
            purl: pkg:generic/mysql-cluster
            cpes:
              - cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
            type: BinaryPkg
          - class: mysqld-mysql-cluster-binary
            name: mysql-cluster
            purl: pkg:generic/mysql-cluster
            cpes:
              - cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
              - cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
              - cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
            type: BinaryPkg
          - class: mysqld-mysql-server-binary
            name: mysql-server
            purl: pkg:generic/mysql-server
            cpes:
              - cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
              - cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
            type: BinaryPkg
      - method: glob
        criteria:
          - '**/ndbd'
        packages:
          - class: ndbd-binary
            name: mysql-cluster
            purl: pkg:generic/mysql-cluster
            cpes:
              - cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
            type: BinaryPkg
      - method: glob
        criteria:
          - '**/ndbmtd'
        packages:
          - class: ndbmtd-binary
            name: mysql-cluster
            purl: pkg:generic/mysql-cluster
            cpes:
              - cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
            type: BinaryPkg
      - method: glob
        criteria:
          - '**/ndb_mgmd'
        packages:
          - class: ndb_mgmd-binary
            name: mysql-cluster
            purl: pkg:generic/mysql-cluster
            cpes:
              - cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
            type: BinaryPkg
      - method: glob
        criteria:
          - '**/xtrabackup'
@ -427,6 +508,17 @@ catalogers:
        criteria:
          - '**/openssl'
        packages:
          - class: openssl-binary
            name: ""
            purl: pkg:/
            cpes: []
            type: BinaryPkg
          - class: openssl-binary-aws-lc
            name: aws-lc
            purl: pkg:generic/aws-lc
            cpes:
              - cpe:2.3:a:amazon:aws_libcrypto:*:*:*:*:*:*:*:*
            type: BinaryPkg
          - class: openssl-binary
            name: openssl
            purl: pkg:generic/openssl
@ -684,6 +776,16 @@ catalogers:
            cpes:
              - cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*
            type: BinaryPkg
      - method: glob
        criteria:
          - '**/nginx-ingress-controller'
        packages:
          - class: ingress-nginx-binary
            name: nginx-ingress-controller
            purl: pkg:generic/nginx-ingress-controller
            cpes:
              - cpe:2.3:a:kubernetes:ingress-nginx:*:*:*:*:*:*:*:*
            type: BinaryPkg
      - method: glob
        criteria:
          - '**/java'
@ -855,6 +957,7 @@ catalogers:
      function: NewPEPackageCataloger
    selectors: # AUTO-GENERATED
      - binary
      - bpl
      - declared
      - directory
      - dll
@ -871,6 +974,7 @@ catalogers:
          criteria: # AUTO-GENERATED
            - '**/*.dll'
            - '**/*.exe'
            - '**/*.bpl'
        metadata_types: # AUTO-GENERATED
          - pkg.PEBinary
        package_types: # AUTO-GENERATED
--- a/syft/pkg/cataloger/binary/classifier_cataloger_test.go
+++ b/syft/pkg/cataloger/binary/classifier_cataloger_test.go
@ -38,6 +38,7 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 		// full binaries are tested (no snippets), and if no binary is found the test will be skipped.
 		logicalFixture   string
 		expected         pkg.Package
 		expectedPackages []pkg.Package
 	}{
 		{
 			logicalFixture: "arangodb/3.11.8/linux-amd64",
@ -206,6 +207,96 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				Metadata:  metadata("mariadb-binary"),
 			},
 		},
 		{
 			// RHEL / MariaDB.org tarball builds do not embed the "-MariaDB" marker; the version is only
 			// present in the build path (e.g. mariadb-11.8.5-2-redhat-x86_64). The release suffix ("-2")
 			// must not leak into the version. Regression for anchore/grype#3452.
 			logicalFixture: "mariadb/11.8.5/linux-amd64",
 			expected: pkg.Package{
 				Name:      "mariadb",
 				Version:   "11.8.5",
 				Type:      "binary",
 				PURL:      "pkg:generic/mariadb@11.8.5",
 				Locations: locations("mariadb"),
 				Metadata:  metadata("mariadb-binary"),
 			},
 		},
 		{
 			logicalFixture: "mysqld/9.7.0/linux-amd64",
 			expected: pkg.Package{
 				Name:      "mysql-server",
 				Version:   "9.7.0",
 				Type:      "binary",
 				PURL:      "pkg:generic/mysql-server@9.7.0",
 				Locations: locations("mysqld"),
 				Metadata:  metadata("mysqld-mysql-server-binary"),
 			},
 		},
 		{
 			logicalFixture: "mysql-cluster/9.7.0/linux-amd64",
 			expected: pkg.Package{
 				Name:      "mysql-cluster",
 				Version:   "9.7.0",
 				Type:      "binary",
 				PURL:      "pkg:generic/mysql-cluster@9.7.0",
 				Locations: locations("mysqld"),
 				Metadata:  metadata("mysqld-mysql-cluster-binary"),
 			},
 		},
 		{
 			logicalFixture: "mysql-cluster/7.6.17/linux-amd64",
 			expectedPackages: []pkg.Package{
 				{
 					Name:      "mysql-server",
 					Version:   "5.7.33",
 					Type:      "binary",
 					PURL:      "pkg:generic/mysql-server@5.7.33",
 					Locations: locations("mysqld"),
 					Metadata:  metadata("mysqld-mysql-cluster-legacy-binary"),
 				},
 				{
 					Name:      "mysql-cluster",
 					Version:   "7.6.17",
 					Type:      "binary",
 					PURL:      "pkg:generic/mysql-cluster@7.6.17",
 					Locations: locations("mysqld"),
 					Metadata:  metadata("mysqld-mysql-cluster-legacy-binary"),
 				},
 			},
 		},
 		{
 			logicalFixture: "ndbd/9.7.0/linux-amd64",
 			expected: pkg.Package{
 				Name:      "mysql-cluster",
 				Version:   "9.7.0",
 				Type:      "binary",
 				PURL:      "pkg:generic/mysql-cluster@9.7.0",
 				Locations: locations("ndbd"),
 				Metadata:  metadata("ndbd-binary"),
 			},
 		},
 		{
 			logicalFixture: "ndbmtd/9.7.0/linux-amd64",
 			expected: pkg.Package{
 				Name:      "mysql-cluster",
 				Version:   "9.7.0",
 				Type:      "binary",
 				PURL:      "pkg:generic/mysql-cluster@9.7.0",
 				Locations: locations("ndbmtd"),
 				Metadata:  metadata("ndbmtd-binary"),
 			},
 		},
 		{
 			logicalFixture: "ndb_mgmd/9.7.0/linux-amd64",
 			expected: pkg.Package{
 				Name:      "mysql-cluster",
 				Version:   "9.7.0",
 				Type:      "binary",
 				PURL:      "pkg:generic/mysql-cluster@9.7.0",
 				Locations: locations("ndb_mgmd"),
 				Metadata:  metadata("ndb_mgmd-binary"),
 			},
 		},
 		{
 			logicalFixture: "mongodb/8.0.17/linux-amd64",
 			expected: pkg.Package{
@ -432,6 +523,39 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				Metadata:  metadata("haproxy-binary"),
 			},
 		},
 		{
 			logicalFixture: "helm/4.1.4/linux-s390x",
 			expected: pkg.Package{
 				Name:      "helm",
 				Version:   "4.1.4",
 				Type:      "binary",
 				PURL:      "pkg:golang/helm.sh/helm@4.1.4",
 				Locations: locations("helm"),
 				Metadata:  metadata("helm"),
 			},
 		},
 		{
 			logicalFixture: "helm/3.15.2/linux-amd64",
 			expected: pkg.Package{
 				Name:      "helm",
 				Version:   "3.15.2",
 				Type:      "binary",
 				PURL:      "pkg:golang/helm.sh/helm@3.15.2",
 				Locations: locations("helm"),
 				Metadata:  metadata("helm"),
 			},
 		},
 		{
 			logicalFixture: "helm/3.12.0/linux-s390x",
 			expected: pkg.Package{
 				Name:      "helm",
 				Version:   "3.12.0",
 				Type:      "binary",
 				PURL:      "pkg:golang/helm.sh/helm@3.12.0",
 				Locations: locations("helm"),
 				Metadata:  metadata("helm"),
 			},
 		},
 		{
 			logicalFixture: "helm/3.11.1/linux-amd64",
 			expected: pkg.Package{
@ -443,6 +567,39 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				Metadata:  metadata("helm"),
 			},
 		},
 		{
 			logicalFixture: "helm/3.0.0-alpha.1/linux-amd64",
 			expected: pkg.Package{
 				Name:      "helm",
 				Version:   "3.0.0-alpha.1",
 				Type:      "binary",
 				PURL:      "pkg:golang/helm.sh/helm@3.0.0-alpha.1",
 				Locations: locations("helm"),
 				Metadata:  metadata("helm"),
 			},
 		},
 		{
 			logicalFixture: "helm/2.17.0-rc.1/linux-amd64",
 			expected: pkg.Package{
 				Name:      "helm",
 				Version:   "2.17.0-rc.1",
 				Type:      "binary",
 				PURL:      "pkg:golang/helm.sh/helm@2.17.0-rc.1",
 				Locations: locations("helm"),
 				Metadata:  metadata("helm"),
 			},
 		},
 		{
 			logicalFixture: "helm/2.0.0-beta.2/linux-amd64",
 			expected: pkg.Package{
 				Name:      "helm",
 				Version:   "2.0.0-beta.2",
 				Type:      "binary",
 				PURL:      "pkg:golang/helm.sh/helm@2.0.0-beta.2",
 				Locations: locations("helm"),
 				Metadata:  metadata("helm"),
 			},
 		},
 		{
 			logicalFixture: "helm/3.10.3/linux-amd64",
 			expected: pkg.Package{
@ -1331,6 +1488,50 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				Metadata:  metadata("dart-binary"),
 			},
 		},
 		{
 			logicalFixture: "deno/1.10.3/linux-amd64",
 			expected: pkg.Package{
 				Name:      "deno",
 				Version:   "1.10.3",
 				Type:      "binary",
 				PURL:      "pkg:generic/deno@1.10.3",
 				Locations: locations("deno"),
 				Metadata:  metadata("deno-binary"),
 			},
 		},
 		{
 			logicalFixture: "deno/1.16.4/linux-amd64",
 			expected: pkg.Package{
 				Name:      "deno",
 				Version:   "1.16.4",
 				Type:      "binary",
 				PURL:      "pkg:generic/deno@1.16.4",
 				Locations: locations("deno"),
 				Metadata:  metadata("deno-binary"),
 			},
 		},
 		{
 			logicalFixture: "deno/1.28.3/linux-amd64",
 			expected: pkg.Package{
 				Name:      "deno",
 				Version:   "1.28.3",
 				Type:      "binary",
 				PURL:      "pkg:generic/deno@1.28.3",
 				Locations: locations("deno"),
 				Metadata:  metadata("deno-binary"),
 			},
 		},
 		{
 			logicalFixture: "deno/1.29.4/linux-amd64",
 			expected: pkg.Package{
 				Name:      "deno",
 				Version:   "1.29.4",
 				Type:      "binary",
 				PURL:      "pkg:generic/deno@1.29.4",
 				Locations: locations("deno"),
 				Metadata:  metadata("deno-binary"),
 			},
 		},
 		{
 			logicalFixture: "deno/1.41.0/linux-amd64",
 			expected: pkg.Package{
@ -1485,6 +1686,17 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				Metadata:  metadata("openssl-binary"),
 			},
 		},
 		{
 			logicalFixture: "aws-lc/1.69.0/linux-amd64",
 			expected: pkg.Package{
 				Name:      "aws-lc",
 				Version:   "1.69.0",
 				Type:      "binary",
 				PURL:      "pkg:generic/aws-lc@1.69.0",
 				Locations: locations("openssl"),
 				Metadata:  metadata("openssl-binary-aws-lc"),
 			},
 		},
 		{
 			logicalFixture: "openldap/2.6.10/linux-amd64",
 			expected: pkg.Package{
@ -1754,6 +1966,25 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				},
 			},
 		},
 		{
 			// release-candidate elixir image — pre-fix the matchers stripped the
 			// "-rc.1" suffix from the elixir-library result and missed the
 			// elixir-binary entirely (#4819).
 			logicalFixture: "elixir/1.12.0-rc.1/linux-amd64",
 			expected: pkg.Package{
 				Name:      "elixir",
 				Version:   "1.12.0-rc.1",
 				Type:      "binary",
 				PURL:      "pkg:generic/elixir@1.12.0-rc.1",
 				Locations: locations("elixir", "lib/elixir/ebin/elixir.app"),
 				Metadata: pkg.BinarySignature{
 					Matches: []pkg.ClassifierMatch{
 						match("elixir-binary", "elixir"),
 						match("elixir-library", "lib/elixir/ebin/elixir.app"),
 					},
 				},
 			},
 		},
 		{
 			logicalFixture: "istio_pilot-discovery/1.29.0-alpha.0/linux-amd64",
 			expected: pkg.Package{
@ -2227,6 +2458,205 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 				Metadata:  metadata("envoy-binary"),
 			},
 		},
 		{
 			logicalFixture: "nginx-ingress-controller/1.15.1/linux-amd64",
 			expected: pkg.Package{
 				Name:      "nginx-ingress-controller",
 				Version:   "1.15.1",
 				Type:      "binary",
 				PURL:      "pkg:generic/nginx-ingress-controller@1.15.1",
 				Locations: locations("nginx-ingress-controller"),
 				Metadata:  metadata("ingress-nginx-binary"),
 			},
 		},
 		{
 			logicalFixture: "nginx-ingress-controller/1.11.8/linux-amd64",
 			expected: pkg.Package{
 				Name:      "nginx-ingress-controller",
 				Version:   "1.11.8",
 				Type:      "binary",
 				PURL:      "pkg:generic/nginx-ingress-controller@1.11.8",
 				Locations: locations("nginx-ingress-controller"),
 				Metadata:  metadata("ingress-nginx-binary"),
 			},
 		},
 		{
 			logicalFixture: "nginx-ingress-controller/1.9.6/linux-amd64",
 			expected: pkg.Package{
 				Name:      "nginx-ingress-controller",
 				Version:   "1.9.6",
 				Type:      "binary",
 				PURL:      "pkg:generic/nginx-ingress-controller@1.9.6",
 				Locations: locations("nginx-ingress-controller"),
 				Metadata:  metadata("ingress-nginx-binary"),
 			},
 		},
 		{
 			logicalFixture: "nginx-ingress-controller/1.7.1/linux-amd64",
 			expected: pkg.Package{
 				Name:      "nginx-ingress-controller",
 				Version:   "1.7.1",
 				Type:      "binary",
 				PURL:      "pkg:generic/nginx-ingress-controller@1.7.1",
 				Locations: locations("nginx-ingress-controller"),
 				Metadata:  metadata("ingress-nginx-binary"),
 			},
 		},
 		{
 			logicalFixture: "nginx-ingress-controller/1.12.0-beta.0/linux-amd64",
 			expected: pkg.Package{
 				Name:      "nginx-ingress-controller",
 				Version:   "1.12.0-beta.0",
 				Type:      "binary",
 				PURL:      "pkg:generic/nginx-ingress-controller@1.12.0-beta.0",
 				Locations: locations("nginx-ingress-controller"),
 				Metadata:  metadata("ingress-nginx-binary"),
 			},
 		},
 		{
 			logicalFixture: "nginx-ingress-controller/1.2.0-beta.1/linux-amd64",
 			expected: pkg.Package{
 				Name:      "nginx-ingress-controller",
 				Version:   "1.2.0-beta.1",
 				Type:      "binary",
 				PURL:      "pkg:generic/nginx-ingress-controller@1.2.0-beta.1",
 				Locations: locations("nginx-ingress-controller"),
 				Metadata:  metadata("ingress-nginx-binary"),
 			},
 		},
 		{
 			logicalFixture: "nginx-ingress-controller/1.0.0-alpha.2/linux-amd64",
 			expected: pkg.Package{
 				Name:      "nginx-ingress-controller",
 				Version:   "1.0.0-alpha.2",
 				Type:      "binary",
 				PURL:      "pkg:generic/nginx-ingress-controller@1.0.0-alpha.2",
 				Locations: locations("nginx-ingress-controller"),
 				Metadata:  metadata("ingress-nginx-binary"),
 			},
 		},
 		{
 			logicalFixture: "nginx-ingress-controller/0.34.0/linux-amd64",
 			expected: pkg.Package{
 				Name:      "nginx-ingress-controller",
 				Version:   "0.34.0",
 				Type:      "binary",
 				PURL:      "pkg:generic/nginx-ingress-controller@0.34.0",
 				Locations: locations("nginx-ingress-controller"),
 				Metadata:  metadata("ingress-nginx-binary"),
 			},
 		},
 		{
 			logicalFixture: "nginx-ingress-controller/0.33.0/linux-amd64",
 			expected: pkg.Package{
 				Name:      "nginx-ingress-controller",
 				Version:   "0.33.0",
 				Type:      "binary",
 				PURL:      "pkg:generic/nginx-ingress-controller@0.33.0",
 				Locations: locations("nginx-ingress-controller"),
 				Metadata:  metadata("ingress-nginx-binary"),
 			},
 		},
 		{
 			logicalFixture: "julia/1.13.0-alpha2/linux-amd64",
 			expected: pkg.Package{
 				Name:      "julia",
 				Version:   "1.13.0-alpha2",
 				Type:      "binary",
 				PURL:      "pkg:generic/julia@1.13.0-alpha2",
 				Locations: locations("libjulia-internal.so.1.13.0"),
 				Metadata:  metadata("julia-binary"),
 			},
 		},
 		{
 			logicalFixture: "julia/1.12.6/linux-amd64",
 			expected: pkg.Package{
 				Name:      "julia",
 				Version:   "1.12.6",
 				Type:      "binary",
 				PURL:      "pkg:generic/julia@1.12.6",
 				Locations: locations("libjulia-internal.so.1.12.6"),
 				Metadata:  metadata("julia-binary"),
 			},
 		},
 		{
 			logicalFixture: "julia/1.11.9/linux-amd64",
 			expected: pkg.Package{
 				Name:      "julia",
 				Version:   "1.11.9",
 				Type:      "binary",
 				PURL:      "pkg:generic/julia@1.11.9",
 				Locations: locations("libjulia-internal.so.1.11.9"),
 				Metadata:  metadata("julia-binary"),
 			},
 		},
 		{
 			logicalFixture: "julia/1.10.11/linux-amd64",
 			expected: pkg.Package{
 				Name:      "julia",
 				Version:   "1.10.11",
 				Type:      "binary",
 				PURL:      "pkg:generic/julia@1.10.11",
 				Locations: locations("libjulia-internal.so.1.10.11"),
 				Metadata:  metadata("julia-binary"),
 			},
 		},
 		{
 			logicalFixture: "julia/1.9.0-alpha1/linux-amd64",
 			expected: pkg.Package{
 				Name:      "julia",
 				Version:   "1.9.0-alpha1",
 				Type:      "binary",
 				PURL:      "pkg:generic/julia@1.9.0-alpha1",
 				Locations: locations("libjulia-internal.so.1.9"),
 				Metadata:  metadata("julia-binary"),
 			},
 		},
 		{
 			logicalFixture: "julia/1.8.5/linux-amd64",
 			expected: pkg.Package{
 				Name:      "julia",
 				Version:   "1.8.5",
 				Type:      "binary",
 				PURL:      "pkg:generic/julia@1.8.5",
 				Locations: locations("libjulia-internal.so.1.8"),
 				Metadata:  metadata("julia-binary"),
 			},
 		},
 		{
 			// note: dynamic (non-snippet) test case
 			logicalFixture: "julia/1.5.4/linux-amd64",
 			expected: pkg.Package{
 				Name:      "julia",
 				Version:   "1.5.4",
 				Type:      "binary",
 				PURL:      "pkg:generic/julia@1.5.4",
 				Locations: locations("julia", "libjulia.so.1.5"),
 				Metadata: pkg.BinarySignature{
 					Matches: []pkg.ClassifierMatch{
 						match("julia-binary", "julia"),
 						match("julia-binary", "libjulia.so.1.5"),
 					},
 				},
 			},
 		},
 		{
 			// note: dynamic (non-snippet) test case
 			logicalFixture: "julia/1.3.1/linux-amd64",
 			expected: pkg.Package{
 				Name:      "julia",
 				Version:   "1.3.1",
 				Type:      "binary",
 				PURL:      "pkg:generic/julia@1.3.1",
 				Locations: locations("julia", "libjulia.so.1.3"),
 				Metadata: pkg.BinarySignature{
 					Matches: []pkg.ClassifierMatch{
 						match("julia-binary", "julia"),
 						match("julia-binary", "libjulia.so.1.3"),
 					},
 				},
 			},
 		},
 	}
 	for _, test := range tests {
@ -2248,9 +2678,16 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 			packages, _, err := c.Catalog(context.Background(), resolver)
 			require.NoError(t, err)
-			require.Len(t, packages, 1, "mismatched package count")
+			expected := test.expectedPackages
 			if len(expected) == 0 {
 				expected = []pkg.Package{test.expected}
 			}
-			assertPackagesAreEqual(t, test.expected, packages[0])
+			require.Len(t, packages, len(expected), "mismatched package count")
 			for i := range expected {
 				assertPackagesAreEqual(t, expected[i], packages[i])
 			}
 		})
 	}
 }
--- a/syft/pkg/cataloger/binary/classifiers.go
+++ b/syft/pkg/cataloger/binary/classifiers.go
@ -88,8 +88,43 @@ func DefaultClassifiers() []binutils.Classifier {
 		{
 			Class:    "julia-binary",
 			FileGlob: "**/libjulia-internal.so",
-			EvidenceMatcher: m.FileContentsVersionMatcher(
+			EvidenceMatcher: binutils.MatchAny(
-				`(?m)__init__\x00(?P<version>[0-9]+\.[0-9]+\.[0-9]+)\x00verify`),
+				// <20>1.13.0-beta3[NUL]branch
 				// [NUL]GIT_VERSION_INFO[NUL]jl_image_unpack[NUL]1.13.0-alpha2[NUL]branch
 				// [NUL]GIT_VERSION_INFO[NUL]__init__[NUL]1.12.6[NUL]branch[NUL]commit
 				// [NUL]GIT_VERSION_INFO[NUL]__init__[NUL]verify_methods[NUL]1.11.9[NUL]branch[NUL]commit
 				// [NUL][NUL]__init__[NUL]1.10.11[NUL]verify_methods[NUL]
 				m.FileContentsVersionMatcher(`\x00__init__\x00(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00(branch|verify_methods)`),
 				m.FileContentsVersionMatcher(`(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00branch\x00`),
 				// [NUL]verify_methods[NUL]Task cannot be serialized[NUL]1.9.0-alpha1[NUL]BigInt[NUL]
 				m.FileContentsVersionMatcher(`\x00verify_methods\x00.{0,30}(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00BigInt`),
 				// unknown option `%s`[NUL]1.8.5[NUL]julia version %s
 				m.FileContentsVersionMatcher(`\x00(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00julia version`),
 			),
 			Package: "julia",
 			PURL:    mustPURL("pkg:generic/julia@version"),
 			CPEs:    singleCPE("cpe:2.3:a:julialang:julia:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 		},
 		{
 			Class:    "julia-binary",
 			FileGlob: "**/julia",
 			EvidenceMatcher: binutils.SharedLibraryLookup(
 				// libjulia.so.1
 				// libjulia.so.0.6
 				// libjulia.so
 				`^libjulia\.so(\.[0-9])?(\.[0-9])?$`,
 				binutils.MatchAny(
 					// unknown option `%s`[NUL]1.5.4[NUL]julia version %s
 					m.FileContentsVersionMatcher(`\x00(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00julia version`),
 					// [NUL]#kw#[NUL]1.3.1[NUL]BigInt
 					// [NUL]#kw#[NUL]0.7.0-beta2[NUL]_require_dependencies
 					m.FileContentsVersionMatcher(`\x00#kw#\x00(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00(BigInt|_require_dependencies)`),
 					// [NUL]ObjectIdDict[NUL]0.6.4[NUL]jl_sysimg_cpu_target
 					m.FileContentsVersionMatcher(`\x00ObjectIdDict\x00(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00jl_sysimg_cpu_target`),
 					// [NUL]require[NUL]0.4.6[NUL]core2
 					m.FileContentsVersionMatcher(`\x00require\x00(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00core2`),
 				),
 			),
 			Package: "julia",
 			PURL:    mustPURL("pkg:generic/julia@version"),
 			CPEs:    singleCPE("cpe:2.3:a:julialang:julia:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
@ -97,8 +132,17 @@ func DefaultClassifiers() []binutils.Classifier {
 		{
 			Class:    "helm",
 			FileGlob: "**/helm",
-			EvidenceMatcher: m.FileContentsVersionMatcher(
+			EvidenceMatcher: binutils.MatchAny(
-				`(?m)\x00v(?P<version>[0-9]+\.[0-9]+\.[0-9]+)\x00`),
+				// [NUL]v1.21.2[NUL].......[NUL][NUL]v4.1.4[NUL][NUL][NUL]
 				// [NUL]v2.0.0-beta.2[NUL][NUL][NUL]
 				m.FileContentsVersionMatcher(`\x00v(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha\.[0-9]|-beta\.[0-9]|-rc\.[0-9])?)\x00{2,}`),
 				// [NUK]'[DLE]v3.12.0[NUL][NUL]...go1.20.3[NUL][NUL]
 				m.FileContentsVersionMatcher(`v(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha\.[0-9]|-beta\.[0-9]|-rc\.[0-9])?)\x00+.{1,500}go[0-9]+\.[0-9]+\.[0-9]+\x00+`),
 				// [NUL]v3.11.1[NUL]<5D>[NUL]
 				m.FileContentsVersionMatcher(`\x00v(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha\.[0-9]|-beta\.[0-9]|-rc\.[0-9])?)\x00`),
 				// [NUL]@<40>@v3.15.2[NUL][NUL]
 				m.FileContentsVersionMatcher(`@v(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha\.[0-9]|-beta\.[0-9]|-rc\.[0-9])?)\x00`),
 			),
 			Package: "helm",
 			PURL:    mustPURL("pkg:golang/helm.sh/helm@version"),
 			CPEs:    singleCPE("cpe:2.3:a:helm:helm:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
@ -106,7 +150,12 @@ func DefaultClassifiers() []binutils.Classifier {
 		{
 			Class:    "redis-binary",
 			FileGlob: "**/redis-server",
-			EvidenceMatcher: binutils.MatchAny(
+			EvidenceMatcher: binutils.MatchAll(
 				// Negative Matchers to exclude valkey-server
 				binutils.MatchNone(
 					binutils.MatchPath("**/valkey-server"),
 				),
 				binutils.MatchAny(
 					// matches most recent versions of redis (~v7), e.g. "7.0.14buildkitsandbox-1702957741000000000"
 					m.FileContentsVersionMatcher(`[^\d](?P<version>\d+.\d+\.\d+)buildkitsandbox-\d+`),
 					// matches against older versions of redis (~v3 - v6), e.g. "4.0.11841ce7054bd9-1542359302000000000"
@ -114,6 +163,7 @@ func DefaultClassifiers() []binutils.Classifier {
 					// matches against older versions of redis (~v2), e.g. "Server started, Redis version 2.8.23"
 					m.FileContentsVersionMatcher(`Redis version (?P<version>[0-9]+\.[0-9]+\.[0-9]+)`),
 				),
 			),
 			Package: "redis",
 			PURL:    mustPURL("pkg:generic/redis@version"),
 			CPEs: []cpe.CPE{
@ -288,6 +338,96 @@ func DefaultClassifiers() []binutils.Classifier {
 				cpe.Must("cpe:2.3:a:percona:xtradb_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 			},
 		},
 		{
 			// Legacy MySQL Cluster contains both MySQL Server and MySQL Cluster versions (Example: 5.7.33-ndb-7.5.21)
 			// This classifier identifies the MySQL Server version of the mysqld binary (5.7.33 in the example above).
 			Class:    "mysqld-mysql-cluster-legacy-binary",
 			FileGlob: "**/mysqld",
 			EvidenceMatcher: m.FileContentsVersionMatcher(
 				`cluster-gpl\x00(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?)\-ndb\-[0-9]+(\.[0-9]+)?(\.[0-9]+)?`),
 			Package: "mysql-server",
 			PURL:    mustPURL("pkg:generic/mysql-server@version"),
 			CPEs: []cpe.CPE{
 				cpe.Must("cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 				cpe.Must("cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 			},
 		},
 		{
 			Class:    "mysqld-binary",
 			FileGlob: "**/mysqld",
 			EvidenceMatcher: binutils.BranchingEvidenceMatcher([]binutils.Classifier{
 				{
 					// Legacy MySQL Cluster contains both MySQL Server and MySQL Cluster versions (Example: 5.7.33-ndb-7.5.21)
 					// This classifier identifies the MySQL Cluster version of the mysqld binary (7.5.21 in the example above).
 					Class: "mysqld-mysql-cluster-legacy-binary",
 					EvidenceMatcher: m.FileContentsVersionMatcher(
 						`cluster-gpl\x00[0-9]+(\.[0-9]+)?(\.[0-9]+)?\-ndb\-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?)`),
 					Package: "mysql-cluster",
 					PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
 					CPEs: []cpe.CPE{
 						cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 					},
 				},
 				{
 					// mysqld from MySQL Cluster after versioning was aligned with MySQL Server
 					Class: "mysqld-mysql-cluster-binary",
 					EvidenceMatcher: m.FileContentsVersionMatcher(
 						`/mysql-cluster-gpl-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)/`),
 					Package: "mysql-cluster",
 					PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
 					CPEs: []cpe.CPE{
 						cpe.Must("cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 						cpe.Must("cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 						cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 					},
 				},
 				{
 					// mysqld from MySQL Server
 					Class: "mysqld-mysql-server-binary",
 					EvidenceMatcher: m.FileContentsVersionMatcher(
 						`/mysql-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)/`),
 					Package: "mysql-server",
 					PURL:    mustPURL("pkg:generic/mysql-server@version"),
 					CPEs: []cpe.CPE{
 						cpe.Must("cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 						cpe.Must("cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 					},
 				},
 			}...),
 		},
 		{
 			Class:    "ndbd-binary",
 			FileGlob: "**/ndbd",
 			EvidenceMatcher: m.FileContentsVersionMatcher(
 				`/mysql-cluster-gpl-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)/`),
 			Package: "mysql-cluster",
 			PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
 			CPEs: []cpe.CPE{
 				cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 			},
 		},
 		{
 			Class:    "ndbmtd-binary",
 			FileGlob: "**/ndbmtd",
 			EvidenceMatcher: m.FileContentsVersionMatcher(
 				`/mysql-cluster-gpl-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)/`),
 			Package: "mysql-cluster",
 			PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
 			CPEs: []cpe.CPE{
 				cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 			},
 		},
 		{
 			Class:    "ndb_mgmd-binary",
 			FileGlob: "**/ndb_mgmd",
 			EvidenceMatcher: m.FileContentsVersionMatcher(
 				`/mysql-cluster-gpl-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)/`),
 			Package: "mysql-cluster",
 			PURL:    mustPURL("pkg:generic/mysql-cluster@version"),
 			CPEs: []cpe.CPE{
 				cpe.Must("cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 			},
 		},
 		{
 			Class:    "xtrabackup-binary",
 			FileGlob: "**/xtrabackup",
@ -300,9 +440,17 @@ func DefaultClassifiers() []binutils.Classifier {
 		{
 			Class:    "mariadb-binary",
 			FileGlob: "**/{mariadb,mysql}",
-			EvidenceMatcher: m.FileContentsVersionMatcher(
+			EvidenceMatcher: binutils.MatchAny(
 				// 10.6.15-MariaDB
-				`(?m)(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-MariaDB`),
+				m.FileContentsVersionMatcher(`(?m)(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-MariaDB`),
 				// MariaDB.org / RHEL tarball builds embed the release directory name, which does not contain the
 				// "-MariaDB" marker. The version is in the build path instead, e.g.:
 				//   mariadb-11.8.5-2-redhat-x86_64/rhel-8/bin/mariadb
 				//   mariadb-11.8.5-linux-systemd-x86_64
 				// Without this the older matcher misses the version and a later release suffix (e.g. "2") can be
 				// picked up instead, producing false-positive matches against ancient CVEs (see anchore/grype#3452).
 				m.FileContentsVersionMatcher(`(?m)(?:^|/)mariadb-(?P<version>[0-9]+(\.[0-9]+)?(\.[0-9]+)?(alpha[0-9]|beta[0-9]|rc[0-9])?)-`),
 			),
 			Package: "mariadb",
 			PURL:    mustPURL("pkg:generic/mariadb@version"),
 			CPEs:    singleCPE("cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
@ -427,10 +575,26 @@ func DefaultClassifiers() []binutils.Classifier {
 		{
 			Class:    "deno-binary",
 			FileGlob: "**/deno",
-			EvidenceMatcher: m.FileContentsVersionMatcher(
+			EvidenceMatcher: binutils.MatchAny(
 				m.FileContentsVersionMatcher(
 					// Deno/2.6.3
 					// Deno/1.41.0
-				`Deno/(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`),
+					`Deno/(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`,
 				),
 				m.FileContentsVersionMatcher(
 					// deno::tools::standalonedeno-65db94feba9d4d51a09b74629f566dbc90484fbarelease/v1.29.4windows
 					// cli/tools/standalone.rsdeno-74064c9d8c222b33b2a552ea0af1054f57002a96release/v1.28.3windows
 					`deno-[0-9a-z]{40}release/v(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`,
 				),
 				m.FileContentsVersionMatcher(
 					// cli/tools/standalone.rsdeno-ab286750a8c87215a9651efb11fcc620f29140051.16.4release/vdlwindows
 					`deno-[0-9a-z]{40}(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`,
 				),
 				m.FileContentsVersionMatcher(
 					// 1.10.31567c1013cc8ff12cf039137792da66a1d0015b5DENO_UNSTABLE_COVERAGE_DIRNo current directorycli/main
 					`(?P<version>[0-9]+\.[0-9]+\.[0-9]+)[0-9a-z]{40}DENO`,
 				),
 			),
 			Package: "deno",
 			PURL:    mustPURL("pkg:generic/deno@version"),
 			CPEs:    singleCPE("cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
@ -558,6 +722,19 @@ func DefaultClassifiers() []binutils.Classifier {
 		{
 			Class:    "openssl-binary",
 			FileGlob: "**/openssl",
 			EvidenceMatcher: binutils.BranchingEvidenceMatcher([]binutils.Classifier{
 				{
 					Class: "openssl-binary-aws-lc",
 					EvidenceMatcher: m.FileContentsVersionMatcher(
 						// [NUL]OpenSSL 1.1.1 (compatible; AWS-LC 1.69.0)[NUL]
 						`AWS-LC (?P<version>[0-9]+\.[0-9]+\.[0-9]+)\)\x00`,
 					),
 					Package: "aws-lc",
 					PURL:    mustPURL("pkg:generic/aws-lc@version"),
 					CPEs:    singleCPE("cpe:2.3:a:amazon:aws_libcrypto:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 				},
 				{
 					Class: "openssl-binary",
 					EvidenceMatcher: m.FileContentsVersionMatcher(
 						// [NUL]OpenSSL 3.1.4'
 						// [NUL]OpenSSL 1.1.1w'
@ -567,6 +744,8 @@ func DefaultClassifiers() []binutils.Classifier {
 					PURL:    mustPURL("pkg:generic/openssl@version"),
 					CPEs:    singleCPE("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 				},
 			}...),
 		},
 		{
 			Class:    "openldap-search-binary",
 			FileGlob: "**/ldapsearch",
@ -762,7 +941,9 @@ func DefaultClassifiers() []binutils.Classifier {
 			Class:    "elixir-binary",
 			FileGlob: "**/elixir",
 			EvidenceMatcher: m.FileContentsVersionMatcher(
-				`(?m)ELIXIR_VERSION=(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`),
+				// Capture optional pre-release suffix (-rc.1, -alpha.0, -beta.2,
 				// etc.) so release-candidate elixir images (#4819) match.
 				`(?m)ELIXIR_VERSION=(?P<version>[0-9]+\.[0-9]+\.[0-9]+(?:-[a-z0-9]+(?:\.[0-9]+)?)?)`),
 			Package: "elixir",
 			PURL:    mustPURL("pkg:generic/elixir@version"),
 			CPEs: []cpe.CPE{
@ -773,7 +954,8 @@ func DefaultClassifiers() []binutils.Classifier {
 			Class:    "elixir-library",
 			FileGlob: "**/elixir/ebin/elixir.app",
 			EvidenceMatcher: m.FileContentsVersionMatcher(
-				`(?m)\{vsn,"(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-[a-z0-9]+)?)"\}`),
+				// Same pre-release extension as elixir-binary above.
 				`(?m)\{vsn,"(?P<version>[0-9]+\.[0-9]+\.[0-9]+(?:-[a-z0-9]+(?:\.[0-9]+)?)?)"\}`),
 			Package: "elixir",
 			PURL:    mustPURL("pkg:generic/elixir@version"),
 			CPEs:    singleCPE("cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
@ -905,6 +1087,29 @@ func DefaultClassifiers() []binutils.Classifier {
 			PURL:    mustPURL("pkg:generic/mongodb@version"),
 			CPEs:    singleCPE("cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 		},
 		{
 			Class:    "ingress-nginx-binary",
 			FileGlob: "**/nginx-ingress-controller",
 			EvidenceMatcher: binutils.MatchAny(
 				// [NUL][NUL]v1.15.1[NUL][NUL]@e[ETX][NUL][NUL][NUL][NUL]go1.26.1[NUL][NUL][NUL]
 				// <20>v1.15.1[NUL][NUL]<5D>z[ETX][NUL][NUL][NUL][NUL]go1.24.4[NUL][NUL][NUL]
 				m.FileContentsVersionMatcher(`v(?P<version>[0-9]+\.[0-9]+\.[0-9]+)\x00+.{0,50}go[0-9]+\.[0-9]+(\-(alpha|beta)\.[0-9])?\.[0-9]+\x00+`),
 				// <20>Lv1.9.6[NUL][NUL]$a<>c[SOH][NUL][NUL][NUL]
 				// [NUL][NUL]v0.34.0[NUL]......<2E>$a<>...[NUL]
 				m.FileContentsVersionMatcher(`v(?P<version>[0-9]+\.[0-9]+\.[0-9]+(\-(alpha|beta)\.[0-9])?)\x00+.{0,800}\$a.{0,10}\x00+`),
 				// [NUL][NUL]v1.7.1[NUL][NUL][NUL]...S=v<y5...
 				// [NUL]0.33.0[NUL][NUL]...[NUL][NUL]...S=v<y5
 				m.FileContentsVersionMatcher(`\x00+v?(?P<version>[0-9]+\.[0-9]+\.[0-9]+(\-(alpha|beta)\.[0-9])?)\x00+.{0,100}S=v<y5`),
 				// [NUL][NUL]go1.22.8[NUL][NUL][NUL][NUL][NUL][NUL][NUL][NUL][NUL]v1.12.0-beta.0[NUL][NUL]
 				m.FileContentsVersionMatcher(`\x00+go[0-9]+\.[0-9]+\.[0-9]+\x00+v(?P<version>[0-9]+\.[0-9]+\.[0-9]+(\-(alpha|beta)\.[0-9])?)\x00+`),
 				// [NUL][NUL]v1.2.0-beta.1[NUL][NUL]
 				// [NUL][NUL]v1.0.0-alpha.2[NUL][NUL]
 				m.FileContentsVersionMatcher(`\x00+v(?P<version>[0-9]+\.[0-9]+\.[0-9]+\-(alpha|beta)\.[0-9])\x00+`),
 			),
 			Package: "nginx-ingress-controller",
 			PURL:    mustPURL("pkg:generic/nginx-ingress-controller@version"),
 			CPEs:    singleCPE("cpe:2.3:a:kubernetes:ingress-nginx:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 		},
 	}
 	return append(classifiers, defaultJavaClassifiers()...)
--- a/syft/pkg/cataloger/binary/internal/manager/internal/download_from_image.go
+++ b/syft/pkg/cataloger/binary/internal/manager/internal/download_from_image.go
@ -275,10 +275,16 @@ func copyBinaryFromContainer(containerName, containerPath, destinationPath, dige
 		return err
 	}
-	// ensure permissions are 600 for destination
+	// ensure permissions are 600 for destination (if it is not a symlink)
 	info, err := os.Lstat(destinationPath)
 	if err != nil {
 		return fmt.Errorf("unable to stat file %q: %w", destinationPath, err)
 	}
 	if info.Mode()&os.ModeSymlink == 0 {
 		if err := os.Chmod(destinationPath, 0600); err != nil {
 			return fmt.Errorf("unable to set permissions on file %q: %w", destinationPath, err)
 		}
 	}
 	// capture digest file
 	digestPath := destinationPath + digestFileSuffix
--- a/syft/pkg/cataloger/binary/pe_package_cataloger.go
+++ b/syft/pkg/cataloger/binary/pe_package_cataloger.go
@ -12,10 +12,11 @@ import (
 	"github.com/anchore/syft/syft/pkg/cataloger/internal/pe"
 )
-// NewPEPackageCataloger returns a cataloger that interprets packages from DLL and EXE files.
+// NewPEPackageCataloger returns a cataloger that interprets packages from DLL, EXE, and BPL files.
 // BPL (Borland Package Library) files are PE-format binaries used by Delphi and C++Builder.
 func NewPEPackageCataloger() pkg.Cataloger {
 	return generic.NewCataloger("pe-binary-package-cataloger").
-		WithParserByGlobs(parsePE, "**/*.dll", "**/*.exe")
+		WithParserByGlobs(parsePE, "**/*.dll", "**/*.exe", "**/*.bpl")
 }
 func parsePE(_ context.Context, _ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
--- a/syft/pkg/cataloger/binary/pe_package_cataloger_test.go
+++ b/syft/pkg/cataloger/binary/pe_package_cataloger_test.go
@ -62,3 +62,30 @@ func Test_PEPackageCataloger(t *testing.T) {
 	}
 }
 func Test_PEPackageCataloger_Globs(t *testing.T) {
 	tests := []struct {
 		name     string
 		fixture  string
 		expected []string
 	}{
 		{
 			name:    "obtain PE binary files (dll, exe, bpl)",
 			fixture: "testdata/glob-paths",
 			expected: []string{
 				"src/library.dll",
 				"src/program.exe",
 				"src/archive.bpl",
 			},
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			pkgtest.NewCatalogTester().
 				FromDirectory(t, test.fixture).
 				ExpectsResolverContentQueries(test.expected).
 				TestCataloger(t, NewPEPackageCataloger())
 		})
 	}
 }
--- a/syft/pkg/cataloger/binary/testdata/.gitignore
+++ b/syft/pkg/cataloger/binary/testdata/.gitignore
@ -9,3 +9,4 @@ classifiers/bin
 !VERSION*
 !classifiers/snippets/**/bin/
 !*.exe
 !*.dll
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/aws-lc/1.69.0/linux-amd64/openssl
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/aws-lc/1.69.0/linux-amd64/openssl
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/deno/1.10.3/linux-amd64/deno
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/deno/1.10.3/linux-amd64/deno
@ -0,0 +1,9 @@
 name: deno
 offset: 31454975
 length: 120
 snippetSha256: 30ab01cb89ba17c770cca7d60e12f2c2119fd8db2b389636053bad1146ac83df
 fileSha256: 68ec2c702e9c21e47d5557c603080932ffa24627b463b4a5a4e2ed4ff00f7d5d
 ### byte snippet to follow ###
 s already installed
 1.10.31567c1013cc8ff12cf039137792da66a1d0015b5DENO_UNSTABLE_COVERAGE_DIRNo current directorycli/main
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/deno/1.16.4/linux-amd64/deno
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/deno/1.16.4/linux-amd64/deno
@ -0,0 +1,9 @@
 name: deno
 offset: 4219127
 length: 120
 snippetSha256: 97e369d4eed74c5b1ff7d578c9de100c71136dfcc54f19455b2938671d1a9640
 fileSha256: f3af5cf3838c0cd01de1acaaa716de804ad08c716927af1848aa9664b96a737c
 ### byte snippet to follow ###
 g ctrl+d or close()
 Error: cli/tools/standalone.rsdeno-ab286750a8c87215a9651efb11fcc620f29140051.16.4release/vdlwindowsh
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/deno/1.28.3/linux-amd64/deno
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/deno/1.28.3/linux-amd64/deno
@ -0,0 +1,9 @@
 name: deno
 offset: 5079501
 length: 110
 snippetSha256: aa6181b1204d821493756007090ad81677a26f20de0efe9c53bdf401b54849fd
 fileSha256: 3373cbed016860095b01f693a58181c4cf1ac9d6ab7bd5dbca5f684788402919
 ### byte snippet to follow ###
 n to exit
 cli/tools/standalone.rsdeno-74064c9d8c222b33b2a552ea0af1054f57002a96release/v1.28.3windowshttps://dl
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/deno/1.29.4/linux-amd64/deno
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/deno/1.29.4/linux-amd64/deno
@ -0,0 +1,9 @@
 name: deno
 offset: 5116362
 length: 220
 snippetSha256: 786a6c5d8be76e3c6e628cd2400c6ed5a7a7cfc75b135e8e7f1375f55dc28787
 fileSha256: d9c8a385c3704e220b1722c642f22e32f8f267013742f9b44d68c67bb5f9232d
 ### byte snippet to follow ###
 ument. For example:
    deno run --allow-read=. main.js./$deno$eval.console.log(cli/tools/standalone.rsCompiledeno::tools::standalonedeno-65db94feba9d4d51a09b74629f566dbc90484fbarelease/v1.29.4windowshttps://dl.deno.land
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/elixir/1.12.0-rc.1/linux-amd64/elixir
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/elixir/1.12.0-rc.1/linux-amd64/elixir
@ -0,0 +1,20 @@
 #!/bin/sh
 # SPDX-License-Identifier: Apache-2.0
 # SPDX-FileCopyrightText: 2021 The Elixir Team
 # SPDX-FileCopyrightText: 2012 Plataformatec
 set -e
 ELIXIR_VERSION=1.12.0-rc.1
 if [ $# -eq 0 ] || { [ $# -eq 1 ] && { [ "$1" = "--help" ] || [ "$1" = "-h" ]; }; }; then
  cat <<USAGE >&2
 Usage: $(basename "$0") [options] [.exs file] [data]
 ## General options
  -e "COMMAND"                 Evaluates the given command (*)
  -h, --help                   Prints this message (standalone)
  -r "FILE"                    Requires the given files/patterns (*)
  -S SCRIPT                    Finds and executes the given script in \$PATH
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/elixir/1.12.0-rc.1/linux-amd64/lib/elixir/ebin/elixir.app
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/elixir/1.12.0-rc.1/linux-amd64/lib/elixir/ebin/elixir.app
@ -0,0 +1,19 @@
 {application,elixir,
    [{description,"elixir"},
     {vsn,"1.12.0-rc.1"},
     {modules,
         ['Elixir.Access','Elixir.Agent.Server','Elixir.Agent',
          'Elixir.Application','Elixir.ArgumentError',
          elixir_overridable,elixir_parser,elixir_quote,elixir_rewrite,
          elixir_sup,elixir_tokenizer,elixir_utils,iex]},
     {registered,[elixir_sup,elixir_config,elixir_code_server]},
     {applications,[kernel,stdlib,compiler]},
     {mod,{elixir,[]}},
     {env,
         [{ansi_syntax_colors,
              [{atom,cyan},
               {binary,default_color},
               {operator,default_color}]},
          {check_endianness,true},
          {dbg_callback,{'Elixir.Macro',dbg,[]}},
          {time_zone_database,'Elixir.Calendar.UTCOnlyTimeZoneDatabase'}]}]}.
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/helm/2.0.0-beta.2/linux-amd64/helm
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/helm/2.0.0-beta.2/linux-amd64/helm
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/helm/2.17.0-rc.1/linux-amd64/helm
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/helm/2.17.0-rc.1/linux-amd64/helm
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/helm/3.0.0-alpha.1/linux-amd64/helm
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/helm/3.0.0-alpha.1/linux-amd64/helm
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/helm/3.12.0/linux-unknown-454d5f53333930/helm
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/helm/3.12.0/linux-unknown-454d5f53333930/helm
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/helm/3.15.2/linux-amd64/helm
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/helm/3.15.2/linux-amd64/helm
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/helm/4.1.4/linux-unknown-454d5f53333930/helm
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/helm/4.1.4/linux-unknown-454d5f53333930/helm
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.10.11/linux-amd64/libjulia-internal.so
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.10.11/linux-amd64/libjulia-internal.so
@ -0,0 +1 @@
 libjulia-internal.so.1.10.11
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.10.11/linux-amd64/libjulia-internal.so.1.10.11
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.10.11/linux-amd64/libjulia-internal.so.1.10.11
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.11.9/linux-amd64/libjulia-internal.so
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.11.9/linux-amd64/libjulia-internal.so
@ -0,0 +1 @@
 libjulia-internal.so.1.11.9
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.11.9/linux-amd64/libjulia-internal.so.1.11.9
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.11.9/linux-amd64/libjulia-internal.so.1.11.9
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.12.6/linux-amd64/libjulia-internal.so
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.12.6/linux-amd64/libjulia-internal.so
@ -0,0 +1 @@
 libjulia-internal.so.1.12.6
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.12.6/linux-amd64/libjulia-internal.so.1.12.6
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.12.6/linux-amd64/libjulia-internal.so.1.12.6
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.13.0-alpha2/linux-amd64/libjulia-internal.so
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.13.0-alpha2/linux-amd64/libjulia-internal.so
@ -0,0 +1 @@
 libjulia-internal.so.1.13.0
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.13.0-alpha2/linux-amd64/libjulia-internal.so.1.13.0
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.13.0-alpha2/linux-amd64/libjulia-internal.so.1.13.0
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.13.0-beta3/linux-amd64/libjulia-internal.so
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.13.0-beta3/linux-amd64/libjulia-internal.so
@ -0,0 +1 @@
 libjulia-internal.so.1.13.0
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.13.0-beta3/linux-amd64/libjulia-internal.so.1.13.0
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.13.0-beta3/linux-amd64/libjulia-internal.so.1.13.0
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.8.5/linux-amd64/libjulia-internal.so
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.8.5/linux-amd64/libjulia-internal.so
@ -0,0 +1 @@
 libjulia-internal.so.1.8
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.8.5/linux-amd64/libjulia-internal.so.1.8
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.8.5/linux-amd64/libjulia-internal.so.1.8
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.9.0-alpha1/linux-amd64/libjulia-internal.so
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.9.0-alpha1/linux-amd64/libjulia-internal.so
@ -0,0 +1 @@
 libjulia-internal.so.1.9
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.9.0-alpha1/linux-amd64/libjulia-internal.so.1.9
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/julia/1.9.0-alpha1/linux-amd64/libjulia-internal.so.1.9
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/mariadb/11.8.5/linux-amd64/mariadb
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/mariadb/11.8.5/linux-amd64/mariadb
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/mysql-cluster/7.6.17/linux-amd64/mysqld
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/mysql-cluster/7.6.17/linux-amd64/mysqld
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/mysql-cluster/9.7.0/linux-amd64/mysqld
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/mysql-cluster/9.7.0/linux-amd64/mysqld
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/mysqld/9.7.0/linux-amd64/mysqld
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/mysqld/9.7.0/linux-amd64/mysqld
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/ndb_mgmd/9.7.0/linux-amd64/ndb_mgmd
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/ndb_mgmd/9.7.0/linux-amd64/ndb_mgmd
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/ndbd/9.7.0/linux-amd64/ndbd
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/ndbd/9.7.0/linux-amd64/ndbd
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/ndbmtd/9.7.0/linux-amd64/ndbmtd
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/ndbmtd/9.7.0/linux-amd64/ndbmtd
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/nginx-ingress-controller/0.33.0/linux-amd64/nginx-ingress-controller
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/nginx-ingress-controller/0.33.0/linux-amd64/nginx-ingress-controller
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/nginx-ingress-controller/0.34.0/linux-amd64/nginx-ingress-controller
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/nginx-ingress-controller/0.34.0/linux-amd64/nginx-ingress-controller
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/nginx-ingress-controller/1.0.0-alpha.2/linux-amd64/nginx-ingress-controller
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/nginx-ingress-controller/1.0.0-alpha.2/linux-amd64/nginx-ingress-controller
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/nginx-ingress-controller/1.11.8/linux-amd64/nginx-ingress-controller
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/nginx-ingress-controller/1.11.8/linux-amd64/nginx-ingress-controller
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/nginx-ingress-controller/1.12.0-beta.0/linux-amd64/nginx-ingress-controller
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/nginx-ingress-controller/1.12.0-beta.0/linux-amd64/nginx-ingress-controller
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/nginx-ingress-controller/1.15.1/linux-amd64/nginx-ingress-controller
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/nginx-ingress-controller/1.15.1/linux-amd64/nginx-ingress-controller
--- a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/nginx-ingress-controller/1.2.0-beta.1/linux-amd64/nginx-ingress-controller
+++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/nginx-ingress-controller/1.2.0-beta.1/linux-amd64/nginx-ingress-controller
--- a/Show More
+++ b/Show More