chore(deps): update dependency anchore/syft to v1.6.0

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
anchore/syft	minor	1.5.0 -> 1.6.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

anchore/syft (anchore/syft)

v1.6.0

Compare Source

Added Features

• Add relationships for go binary packages [#​2912 @​wagoodman]
• Add classifier for util-linux [#​2933 @​LaurentGoderre]
• Lua: Add support for more advanced syntax [#​2908 @​LaurentGoderre]
• add license field to ELF binary package metadata [#​2890 @​brian-ebarb]
• install.sh: check checksums file's signature [#​2884 #​2941 @​wagoodman]
• Detect ELF package notes from fedora binaries [#​2713 #​2939 @​wagoodman]

Bug Fixes

• Use redhat as namespace for redhat rpms [#​2914 @​ralphbean]
• Close sqlite driver after testing sqlite availability [#​2922 @​ttc0419]
• syft does not find anything in archives if /tmp is a tmpfs [#​2894 #​2918 @​willmurphyscode]
• Scanning a git repository folder present in /tmp produce an empty sbom [#​2847 #​2918 @​willmurphyscode]

Additional Changes

• update unit tests to use pinned patch version [#​2932 @​spiffcs]
• fix comments and spelling [#​2920 @​dufucun]

(Full Changelog)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/syft:1.6.0

📦 Image Reference ghcr.io/uniget-org/tools/syft:1.6.0

digest	sha256:14550fbccdd23cb79583bad9aab9a11861e509f8a34ed8a08322fc1cbf7a6835
vulnerabilities
platform	linux/amd64
size	16 MB
packages	185

github.com/opencontainers/runc 1.1.12 (golang) pkg:golang/github.com/opencontainers/runc@1.1.12 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <1.2.0-rc.1 Fixed version 1.2.0-rc.1 CVSS Score 7.2 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Description Withdrawn Advisory This advisory has been withdrawn because it was incorrectly attributed to runc. Please see the issue here for more information. Original Description A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. This issue has its root in how runc handles Config Annotations lists. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <1.2.0-rc.1 Fixed version 1.2.0-rc.1 CVSS Score 7.2 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Description On CRI-O, an arbitrary systemd property can be injected via a Pod annotation: --- apiVersion: v1 kind: Pod metadata: name: poc-arbitrary-systemd-property-injection annotations: </blockquote> </details> </details></td></tr> <tr><td valign="top"> <details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <img alt="unspecified: 2" src="https://img.shields.io/badge/U-2-lightgrey"/><strong>stdlib</strong> <code>1.22.3</code> (golang)</summary> <small><code>pkg:golang/stdlib@1.22.3</code></small><br/> <a href="https://scout.docker.com/v/CVE-2024-24790?s=golang&n=stdlib&t=golang&vr=%3E%3D1.22.0-0%2C%3C1.22.4"><img alt="unspecified : CVE--2024--24790" src="https://img.shields.io/badge/CVE--2024--24790-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> <table> <tr><td>Affected range</td><td><code>>=1.22.0-0<br/><1.22.4</code></td></tr> <tr><td>Fixed version</td><td><code>1.22.4</code></td></tr></table> <details><summary>Description</summary> <blockquote> The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. </blockquote> </details> <a href="https://scout.docker.com/v/CVE-2024-24789?s=golang&n=stdlib&t=golang&vr=%3E%3D1.22.0-0%2C%3C1.22.4"><img alt="unspecified : CVE--2024--24789" src="https://img.shields.io/badge/CVE--2024--24789-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> <table> <tr><td>Affected range</td><td><code>>=1.22.0-0<br/><1.22.4</code></td></tr> <tr><td>Fixed version</td><td><code>1.22.4</code></td></tr></table> <details><summary>Description</summary> <blockquote> The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. </blockquote> </details> </details></td></tr> </table>

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/9452159388.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/9452159388.