Bump github.com/anchore/syft from 0.80.0 to 0.90.0

[dependabot]

Bumps github.com/anchore/syft from 0.80.0 to 0.90.0.

Release notes

Sourced from github.com/anchore/syft's releases.

v0.90.0

v0.90.0 (2023-09-11)

Full Changelog

Added Features

• Expose cobra command in cli package [[PR #2097](https://redirect.github.com/Expose cobra command in cli package anchore/syft#2097)] [wagoodman]
• Explicitly test PURL generation against key packages [[Issue #2071](https://redirect.github.com/Explicitly test PURL generation against key packages anchore/syft#2071)]
• Add User-Agent with Syft version during update check [[Issue #2072](https://redirect.github.com/Add User-Agent with Syft version during update check anchore/syft#2072)] [[PR #2100](https://redirect.github.com/feat(cmd/update): add UA header with current ver when check for update anchore/syft#2100)] [hainenber]

Bug Fixes

• fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation [[PR #2075](https://redirect.github.com/fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation anchore/syft#2075)] [willmurphyscode]
• Cyclonedx external reference URLs are not validated when encoding [[Issue #2079](https://redirect.github.com/Cyclonedx external reference URLs are not validated when encoding anchore/syft#2079)] [[PR #2091](https://redirect.github.com/fix(cdx): validate external refs before encoding anchore/syft#2091)] [hainenber]

Additional Changes

• Bump the golang.org/x/exp dependency and fix a build breakage. [[PR #2088](https://redirect.github.com/Bump the golang.org/x/exp dependency and fix a build breakage. anchore/syft#2088)] [dlorenc]
• fix: update codeql-analysis for go 1.21 [[PR #2108](https://redirect.github.com/fix: update codeql-analysis for go 1.21 anchore/syft#2108)] [spiffcs]

v0.89.0

v0.89.0 (2023-08-31)

Full Changelog

Added Features

• Add registry certificate verification support [[PR #1734](https://redirect.github.com/Add registry certificate verification support  anchore/syft#1734)] [5p2O5pe25ouT]
• Add SYFT_CONFIG environment variable for configuration file path [[Issue #1986](https://redirect.github.com/SYFT_CONFIG environment variable not supported anchore/syft#1986)] [[PR #2001](https://redirect.github.com/chore: update CLI to CLIO anchore/syft#2001)] [kzantow]

Bug Fixes

• Fix quiet flag [[PR #2081](https://redirect.github.com/Fix quiet flag anchore/syft#2081)] [wagoodman]
• Command line flags not overriding configuration file values [[Issue #1143](https://redirect.github.com/Command line flags not overriding configuration file values anchore/syft#1143)] [[PR #2001](https://redirect.github.com/chore: update CLI to CLIO anchore/syft#2001)] [kzantow]
• Django package CPE is not correct [[Issue #1298](https://redirect.github.com/Django package CPE is not correct anchore/syft#1298)] [[PR #2068](https://redirect.github.com/add CPE generation for Django anchore/syft#2068)] [witchcraze]
• Config parsing includes config.yaml in working dir [[Issue #1634](https://redirect.github.com/Config parsing includes config.yaml in working dir anchore/syft#1634)] [[PR #2001](https://redirect.github.com/chore: update CLI to CLIO anchore/syft#2001)] [kzantow]
• Fix a possible panic on universal go binaries [[Issue #2073](https://redirect.github.com/v0.88.0 - runtime error: index out of range [0] anchore/syft#2073)] [[PR #2078](https://redirect.github.com/fix: don't panic on universal go binaries anchore/syft#2078)] [willmurphyscode]
• Disabling catalogers is not working in power user command [[Issue #2074](https://redirect.github.com/Disabling catalogers is not working in power user command anchore/syft#2074)] [[PR #2001](https://redirect.github.com/chore: update CLI to CLIO anchore/syft#2001)] [kzantow]
• Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed [[Issue #2077](https://redirect.github.com/Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed anchore/syft#2077)] [[PR #2080](https://redirect.github.com/fix: in some cases, try to use pom info to guess name and version to top level jar anchore/syft#2080)] [willmurphyscode]

v0.88.0

... (truncated)

Commits

• b82c0ff fix(help): power-user help text to indicate it supports file-system (#2113)
• b2be411 chore(deps): bump tibdex/github-app-token from 1 to 2 (#2116)
• ec22f4b chore(deps): update CPE dictionary index (#2114)
• e3c525b chore(deps): update stereoscope to 057dda3667e7f2b5e6ec6716747badd5f403c6de (...
• 3842d28 fix: update codeql-analysis for go 1.21 (#2108)
• 9f22ab6 Bump the golang.org/x/exp dependency and fix a build breakage. (#2088)
• 1315cfd chore(deps): bump actions/checkout from 3 to 4 (#2094)
• 212aa9b chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.7 to 0.4.10 (#2106)
• 46e4ac1 chore(deps): update bootstrap tools to latest versions (#2086)
• 6800a5f chore(deps): update CPE dictionary index (#2089)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.

[sophiewigmore]

@dependabot recreate

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.

[sophiewigmore]

@dependabot recreate

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.

[sophiewigmore]

@dependabot rebase

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.