chore(deps): update dependency anchore/syft to v1.5.0

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
anchore/syft	minor	1.4.1 -> 1.5.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

anchore/syft (anchore/syft)

v1.5.0

Compare Source

Added Features

• Add abstraction for adding relationships from package cataloger results [#​2853 @​wagoodman]
• Capture dependencies when parsing SPDX SBOMs [#​2869 @​russellhaering]
• Add python wheel egg relationships [#​2903 @​wagoodman]
• Added functionality to convert major, minor, patch to version [#​2864 @​LaurentGoderre]
• Add support for RPM DB package relationships [#​2872 @​wagoodman]
• Detect fluent-bit binaries [#​2904 #​2905 @​kzantow]
• Add syft config command [#​2598 #​2892 @​kzantow]

Bug Fixes

• Fix DecoderCollection discarding input from non-seekable Readers [#​2878 @​russellhaering]
• Handle GOEXPERIMENTs in go version [#​2893 @​jonjohnsonjr]
• Go Mod Cataloger: Remove Replaced Packages [#​2891 @​russellhaering]
• Use values in relationship To/From fields [#​2871 @​wagoodman]
• Java package names showing up namespaced packages [#​2230]

Additional Changes

• Reduce length of readme, moving lengthy content to the wiki [#​2882 @​popey]
• update spdx license list to 3.24.0 [#​2895 @​spiffcs]

(Full Changelog)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/syft:1.5.0

📦 Image Reference ghcr.io/uniget-org/tools/syft:1.5.0

digest	sha256:221c0bb333da4a5559adf26c783449a83e74953420ec00a4911460ddbbf57684
vulnerabilities
platform	linux/amd64
size	16 MB
packages	185

github.com/opencontainers/runc 1.1.12 (golang) pkg:golang/github.com/opencontainers/runc@1.1.12 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <1.2.0-rc.1 Fixed version 1.2.0-rc.1 CVSS Score 7.2 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Description Withdrawn Advisory This advisory has been withdrawn because it was incorrectly attributed to runc. Please see the issue here for more information. Original Description A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. This issue has its root in how runc handles Config Annotations lists. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <1.2.0-rc.1 Fixed version 1.2.0-rc.1 CVSS Score 7.2 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Description A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/9273087662.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/9273087662.