Add syft tool

.github/.cspell/project-dictionary.txt

@@ -17,6 +17,7 @@ quickinstall
 rockylinux
 shellcheck
 shfmt
+syft
 udeps
 wasmtime
 watchexec

.github/workflows/ci.yml

@@ -44,19 +44,19 @@ jobs:
         tool:
           # cargo-watch/watchexec-cli is supported by cargo-binstall (through quickinstall)
           # TODO: valgrind installation sometime hangs.
-          - cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola
+          - cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola,syft
         include:
           # Note: Specifying the version of valgrind and cargo-binstall is not supported.
           - os: ubuntu-20.04
-            tool: cargo-hack@0.5.24,cargo-llvm-cov@0.5.3,cargo-minimal-versions@0.1.8,cargo-no-dev-deps@0.1.0,parse-changelog@0.5.2,cargo-udeps@0.1.35,cargo-valgrind@2.1.0,cargo-deny@0.13.5,cross@0.2.4,dprint@0.34.1,just@1.9.0,nextest@0.9.11,protoc@3.21.12,shellcheck@0.9.0,shfmt@3.6.0,wasm-pack@0.10.3,wasmtime@4.0.0,mdbook@0.4.25,mdbook-linkcheck@0.7.7,cargo-watch@8.1.1,grcov@0.8.13,watchexec-cli@1.20.5,cargo-tarpaulin@0.25.0,zola@0.16.1
+            tool: cargo-hack@0.5.24,cargo-llvm-cov@0.5.3,cargo-minimal-versions@0.1.8,cargo-no-dev-deps@0.1.0,parse-changelog@0.5.2,cargo-udeps@0.1.35,cargo-valgrind@2.1.0,cargo-deny@0.13.5,cross@0.2.4,dprint@0.34.1,just@1.9.0,nextest@0.9.11,protoc@3.21.12,shellcheck@0.9.0,shfmt@3.6.0,wasm-pack@0.10.3,wasmtime@4.0.0,mdbook@0.4.25,mdbook-linkcheck@0.7.7,cargo-watch@8.1.1,grcov@0.8.13,watchexec-cli@1.20.5,cargo-tarpaulin@0.25.0,zola@0.16.1,syft@0.83.0
           - os: ubuntu-20.04
-            tool: cargo-hack@0.5,cargo-llvm-cov@0.5,cargo-minimal-versions@0.1,cargo-no-dev-deps@0.1,parse-changelog@0.5,cargo-udeps@0.1,cargo-valgrind@2.1,cargo-deny@0.13,cross@0.2,dprint@0.34,just@1.9,nextest@0.9,protoc@3.21,shellcheck@0.9,shfmt@3.5,wasm-pack@0.10,wasmtime@6.0,mdbook@0.4,mdbook-linkcheck@0.7,cargo-watch@8.1,grcov@0.8,watchexec-cli@1.20,cargo-tarpaulin@0.25,zola@0.16
+            tool: cargo-hack@0.5,cargo-llvm-cov@0.5,cargo-minimal-versions@0.1,cargo-no-dev-deps@0.1,parse-changelog@0.5,cargo-udeps@0.1,cargo-valgrind@2.1,cargo-deny@0.13,cross@0.2,dprint@0.34,just@1.9,nextest@0.9,protoc@3.21,shellcheck@0.9,shfmt@3.5,wasm-pack@0.10,wasmtime@6.0,mdbook@0.4,mdbook-linkcheck@0.7,cargo-watch@8.1,grcov@0.8,watchexec-cli@1.20,cargo-tarpaulin@0.25,zola@0.16,syft@0.83
           - os: ubuntu-20.04
             tool: cargo-valgrind@2, just@1,protoc@3 , shfmt@3 ,wasmtime@7,cargo-watch@8,watchexec-cli@1
           - os: macos-11
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola,syft
           - os: windows-2019
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola,syft
     runs-on: ${{ matrix.os }}
     timeout-minutes: 60
     steps:
@@ -104,25 +104,25 @@ jobs:
           - fedora:latest # glibc 2.36 (as of fedora 37)
         tool:
           # valgrind: installing snap to container is difficult...
-          - cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola
+          - cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola,syft
         include:
           # glibc < 2.31
           # zola don't provide prebuilt binaries for musl or old glibc host.
           - container: ubuntu:18.04 # glibc 2.27
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,syft
           - container: debian:10-slim # glibc 2.28
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,syft
           - container: rockylinux:8 # glibc 2.28
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,syft
           - container: rockylinux:8-minimal # glibc 2.28
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,syft
           # glibc < 2.27 or musl
           - container: centos:7 # glibc 2.17
             # protoc,valgrind,wasmtime,mdbook-linkcheck,cargo-watch,zola don't provide prebuilt binaries for musl or old glibc host.
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,shellcheck,shfmt,wasm-pack,mdbook,cargo-binstall,grcov,watchexec-cli,cargo-tarpaulin
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,shellcheck,shfmt,wasm-pack,mdbook,cargo-binstall,grcov,watchexec-cli,cargo-tarpaulin,syft
           - container: alpine:latest # musl 1.2.3 (as of alpine 3.17)
             # protoc,valgrind,wasmtime,mdbook-linkcheck,cargo-watch,zola don't provide prebuilt binaries for musl host.
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,shellcheck,shfmt,wasm-pack,mdbook,cargo-binstall,grcov,watchexec-cli,cargo-tarpaulin
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,shellcheck,shfmt,wasm-pack,mdbook,cargo-binstall,grcov,watchexec-cli,cargo-tarpaulin,syft
     runs-on: ubuntu-latest
     timeout-minutes: 60
     container: ${{ matrix.container }}

README.md

@@ -105,6 +105,7 @@ https://spdx.org/licenses
 | [**wasm-pack**](https://github.com/rustwasm/wasm-pack) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/rustwasm/wasm-pack/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/rustwasm/wasm-pack/blob/HEAD/LICENSE-APACHE) OR [MIT](https://github.com/rustwasm/wasm-pack/blob/HEAD/LICENSE-MIT) |
 | [**wasmtime**](https://github.com/bytecodealliance/wasmtime) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/bytecodealliance/wasmtime/releases) | Linux, macOS, Windows | [Apache-2.0 WITH LLVM-exception](https://github.com/bytecodealliance/wasmtime/blob/HEAD/LICENSE) |
 | [**zola**](https://github.com/getzola/zola) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/getzola/zola/releases) | Linux, macOS, Windows | [MIT](https://github.com/getzola/zola/blob/HEAD/LICENSE) |
+| [**syft**](https://github.com/anchore/syft) | `/usr/local/bin` | [Github Releases](https://github.com/anchore/syft/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/anchore/syft/blob/main/LICENSE) |
 
 If `$CARGO_HOME/bin` is not available, Rust-related binaries will be installed to `$HOME/.cargo/bin`.<br>
 If `$HOME/.cargo/bin` is not available, Rust-related binaries will be installed to `/usr/local/bin`.<br>

tools/codegen/base/syft.json

@@ -0,0 +1,24 @@
+{
+  "repository": "https://github.com/anchore/syft",
+  "tag_prefix": "v",
+  "bin_dir": "/usr/local/bin",
+  "bin": "${package}${exe}",
+  "version_range": ">= 0.83.0",
+  "platform": {
+    "x86_64_macos": {
+      "asset_name": "${package}_${version}_darwin_amd64.tar.gz"
+    },
+    "aarch64_macos": {
+      "asset_name": "${package}_${version}_darwin_arm64.tar.gz"
+    },
+    "x86_64_windows": {
+      "asset_name": "${package}_${version}_windows_amd64.zip"
+    },
+    "x86_64_linux_musl": {
+      "asset_name": "${package}_${version}_linux_amd64.tar.gz"
+    },
+    "aarch64_linux_musl": {
+      "asset_name": "${package}_${version}_linux_arm64.tar.gz"
+    }
+  }
+}