Merge branch 'main' into 3435-syft
* main: (67 commits)
  chore(deps): bump github/codeql-action from 3.28.7 to 3.28.8 (#3634)
  docs: update descriptions with correct options (#3630)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.8 to 0.5.9 (#3627)
  chore(deps): bump github/codeql-action from 3.28.6 to 3.28.7 (#3628)
  feat: update licenses to including license content when SPDX expressions are unable to be determined (#3366)
  fix: update namespace value for OpenSUSE distros (#3615)
  chore(deps): bump github/codeql-action from 3.28.5 to 3.28.6 (#3625)
  chore(deps): update CPE dictionary index (#3620)
  chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.8.0 to 4.8.1 (#3621)
  chore(deps): bump github/codeql-action from 3.28.4 to 3.28.5 (#3622)
  chore(deps): bump github/codeql-action from 3.28.3 to 3.28.4 (#3618)
  chore(deps): bump anchore/sbom-action from 0.17.9 to 0.18.0 (#3619)
  chore(deps): update tools to latest versions (#3607)
  chore(deps): bump github/codeql-action from 3.28.2 to 3.28.3 (#3608)
  chore(deps): bump github.com/go-git/go-git/v5 from 5.13.1 to 5.13.2 (#3609)
  chore(deps): bump github.com/docker/docker (#3610)
  chore(deps): bump actions/setup-go in /.github/actions/bootstrap (#3612)
  chore(deps): bump actions/cache in /.github/actions/bootstrap (#3613)
  chore(ci): fix composite GitHub action path in dependabot config (#3611)
  chore(deps): update tools to latest versions (#3602)
  ...
spiffcs committed Jan 30, 2025
2 parents 860e245 + bdf6804 commit c8aea92
Showing 108 changed files with 11,177 additions and 494 deletions.
12 changes: 6 additions & 6 deletions .binny.yaml
Expand Up @@ -26,7 +26,7 @@ tools:
# used for linting
- name: golangci-lint
version:
want: v1.62.2
want: v1.63.4
method: github-release
with:
repo: golangci/golangci-lint
Expand Down Expand Up @@ -58,7 +58,7 @@ tools:
# used to release all artifacts
- name: goreleaser
version:
want: v2.4.8
want: v2.6.1
method: github-release
with:
repo: goreleaser/goreleaser
Expand Down Expand Up @@ -103,31 +103,31 @@ tools:
# used for running all local and CI tasks
- name: task
version:
want: v3.40.1
want: v3.41.0
method: github-release
with:
repo: go-task/task

# used for triggering a release
- name: gh
version:
want: v2.63.2
want: v2.65.0
method: github-release
with:
repo: cli/cli

# used to upload test fixture cache
- name: oras
version:
want: v1.2.1
want: v1.2.2
method: github-release
with:
repo: oras-project/oras

# used to upload test fixture cache
- name: yq
version:
want: v4.44.6
want: v4.45.1
method: github-release
with:
repo: mikefarah/yq
6 changes: 3 additions & 3 deletions .github/actions/bootstrap/action.yaml
Expand Up @@ -29,15 +29,15 @@ runs:
using: "composite"
steps:
# note: go mod and build is automatically cached on default with v4+
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
if: inputs.go-version != ''
with:
go-version: ${{ inputs.go-version }}

- name: Restore tool cache
if: inputs.tools == 'true'
id: tool-cache
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: ${{ github.workspace }}/.tool
key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('.binny.yaml') }}
Expand All @@ -60,7 +60,7 @@ runs:
- name: Restore ORAS cache from github actions
if: inputs.download-test-fixture-cache == 'true'
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: ${{ github.workspace }}/.tmp/oras-cache
key: ${{ inputs.cache-key-prefix }}-oras-cache
2 changes: 1 addition & 1 deletion .github/dependabot.yml
Expand Up @@ -19,7 +19,7 @@ updates:
- "dependencies"

- package-ecosystem: "github-actions"
directory: "/.github/actions/boostrap"
directory: "/.github/actions/bootstrap"
schedule:
interval: "daily"
open-pull-requests-limit: 10
4 changes: 2 additions & 2 deletions .github/workflows/benchmark-testing.yaml
Expand Up @@ -39,13 +39,13 @@ jobs:
OUTPUT="${OUTPUT//$'\r'/'%0D'}" # URL encode all '\r' characters
echo "result=$OUTPUT" >> $GITHUB_OUTPUT
- uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: benchmark-test-results
path: test/results/**/*

- name: Update PR benchmark results comment
uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 #v2.9.0
uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 #v2.9.1
continue-on-error: true
with:
header: benchmark
8 changes: 4 additions & 4 deletions .github/workflows/codeql-analysis.yml
Expand Up @@ -39,13 +39,13 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2

- name: Install Go
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a #v5.2.0
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 #v5.3.0
with:
go-version-file: go.mod

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae #v3.27.9
uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a #v3.28.8
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -56,7 +56,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@df409f7d9260372bd5f19e5b04e83cb3c43714ae #v3.27.9
uses: github/codeql-action/autobuild@dd746615b3b9d728a6a37ca2045b68ca76d4841a #v3.28.8

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
Expand All @@ -70,4 +70,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae #v3.27.9
uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a #v3.28.8
4 changes: 2 additions & 2 deletions .github/workflows/detect-schema-changes.yaml
Expand Up @@ -40,15 +40,15 @@ jobs:

- name: Delete existing comment
if: ${{ hashFiles( env.CI_COMMENT_FILE ) == '' }}
uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 #v2.9.0
uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 #v2.9.1
with:
header: ${{ env.COMMENT_HEADER }}
hide: true
hide_classify: "OUTDATED"

- name: Add comment
if: ${{ hashFiles( env.CI_COMMENT_FILE ) != '' }}
uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 #v2.9.0
uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 #v2.9.1
with:
header: ${{ env.COMMENT_HEADER }}
path: ${{ env.CI_COMMENT_FILE }}
2 changes: 1 addition & 1 deletion .github/workflows/release.yaml
Expand Up @@ -148,7 +148,7 @@ jobs:
# for updating brew formula in anchore/homebrew-syft
GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }}

- uses: anchore/sbom-action@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 #v0.17.9
- uses: anchore/sbom-action@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 #v0.18.0
continue-on-error: true
with:
file: go.mod
2 changes: 1 addition & 1 deletion .github/workflows/update-anchore-dependencies.yml
Expand Up @@ -35,7 +35,7 @@ jobs:
app_id: ${{ secrets.TOKEN_APP_ID }}
private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}

- uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f #v7.0.5
- uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f #v7.0.6
with:
signoff: true
delete-branch: true
2 changes: 1 addition & 1 deletion .github/workflows/update-bootstrap-tools.yml
Expand Up @@ -49,7 +49,7 @@ jobs:
app_id: ${{ secrets.TOKEN_APP_ID }}
private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}

- uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f #v7.0.5
- uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f #v7.0.6
with:
signoff: true
delete-branch: true
2 changes: 1 addition & 1 deletion .github/workflows/update-cpe-dictionary-index.yml
Expand Up @@ -33,7 +33,7 @@ jobs:
app_id: ${{ secrets.TOKEN_APP_ID }}
private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}

- uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f #v7.0.5
- uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f #v7.0.6
with:
signoff: true
delete-branch: true
3 changes: 1 addition & 2 deletions .golangci.yaml
@@ -1,5 +1,6 @@
issues:
max-same-issues: 25
uniq-by-line: false

# TODO: enable this when we have coverage on docstring comments
# # The list of ids of default excludes to include or disable.
Expand Down Expand Up @@ -60,8 +61,6 @@ linters-settings:
gosec:
excludes:
- G115
output:
uniq-by-line: false
run:
timeout: 10m
tests: false
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -67,7 +67,7 @@ choco install syft -y

### Nix

**Note**: Nix packaging of Syft is [community maintained](https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/admin/syft/default.nix). Syft is available in the [stable channel](https://wiki.nixos.org/wiki/Nix_channels#The_official_channels) since NixOS `22.05`.
**Note**: Nix packaging of Syft is [community maintained](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/sy/syft/package.nix). Syft is available in the [stable channel](https://wiki.nixos.org/wiki/Nix_channels#The_official_channels) since NixOS `22.05`.

```bash
nix-env -i syft
Expand Down Expand Up @@ -146,6 +146,7 @@ Note that flags using the @<version> can be used for earlier versions of each sp
- Rust (cargo.lock)
- Swift (cocoapods, swift-package-manager)
- Wordpress plugins
- Terraform providers (.terraform.lock.hcl)

## Documentation

7 changes: 3 additions & 4 deletions Taskfile.yaml
Expand Up @@ -27,7 +27,7 @@ vars:
sh: uname -s | tr '[:upper:]' '[:lower:]'
ARCH:
sh: |
[ "$(uname -m)" = "x86_64" ] && echo "amd64_v1" || echo $(uname -m)
[ "$(uname -m)" = "x86_64" ] && echo "amd64_v1" || { [ "$(uname -m)" = "aarch64" ] && echo "arm64_v8.0" || echo $(uname -m); }
PROJECT_ROOT:
sh: echo $PWD
# note: the snapshot dir must be a relative path starting with ./
Expand Down Expand Up @@ -237,8 +237,7 @@ tasks:
cmds:
- cmd: "echo 'testing binary: {{ .SNAPSHOT_BIN }}'"
silent: true

- cmd: "test -f {{ .SNAPSHOT_BIN }} || (find {{ .SNAPSHOT_DIR }} && echo '\nno snapshot found' && false)"
- cmd: "test -f {{ .SNAPSHOT_BIN }} || (find {{ .SNAPSHOT_DIR }} && echo '\nno snapshot found for {{ .SNAPSHOT_BIN }}' && false)"
silent: true

- "go test -count=1 -timeout=15m -v ./test/cli"
Expand Down Expand Up @@ -452,7 +451,7 @@ tasks:
total_size=$(find . | grep cache | grep tar | xargs du -c | grep total | awk '{print $1}')
find . | grep cache | grep tar | xargs du
echo "total $total_size KB"
if [ "$total_size" -gt 1048576 ]; then
echo 'docker cache is larger than 1GB'
exit 1
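Review bot: The new `aarch64` branch on the ARCH line only covers Linux-style `uname -m` output; on macOS Apple Silicon `uname -m` reports `arm64`, so that host still falls through to the bare value and, if goreleaser names the snapshot directory `arm64_v8.0` there as well, the SNAPSHOT_BIN path will not resolve (worth confirming against the goreleaser config). A `case` handles both spellings and is easier to read than the nested `&&`/`||` chain: `case "$(uname -m)" in x86_64) echo "amd64_v1" ;; aarch64|arm64) echo "arm64_v8.0" ;; *) uname -m ;; esac`. The enclosing `vars:` mapping begins above the hunk.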
2 changes: 2 additions & 0 deletions cmd/syft/internal/options/catalog.go
Expand Up @@ -156,6 +156,8 @@ func (cfg Catalog) ToPackagesConfig() pkgcataloging.Config {
Golang: golang.DefaultCatalogerConfig().
WithSearchLocalModCacheLicenses(*multiLevelOption(false, enrichmentEnabled(cfg.Enrich, task.Go, task.Golang), cfg.Golang.SearchLocalModCacheLicenses)).
WithLocalModCacheDir(cfg.Golang.LocalModCacheDir).
WithSearchLocalVendorLicenses(*multiLevelOption(false, enrichmentEnabled(cfg.Enrich, task.Go, task.Golang), cfg.Golang.SearchLocalVendorLicenses)).
WithLocalVendorDir(cfg.Golang.LocalVendorDir).
WithSearchRemoteLicenses(*multiLevelOption(false, enrichmentEnabled(cfg.Enrich, task.Go, task.Golang), cfg.Golang.SearchRemoteLicenses)).
WithProxy(cfg.Golang.Proxy).
WithNoProxy(cfg.Golang.NoProxy).
7 changes: 7 additions & 0 deletions cmd/syft/internal/options/golang.go
Expand Up @@ -10,6 +10,8 @@ import (
type golangConfig struct {
SearchLocalModCacheLicenses *bool `json:"search-local-mod-cache-licenses" yaml:"search-local-mod-cache-licenses" mapstructure:"search-local-mod-cache-licenses"`
LocalModCacheDir string `json:"local-mod-cache-dir" yaml:"local-mod-cache-dir" mapstructure:"local-mod-cache-dir"`
SearchLocalVendorLicenses *bool `json:"search-local-vendor-licenses" yaml:"search-local-vendor-licenses" mapstructure:"search-local-vendor-licenses"`
LocalVendorDir string `json:"local-vendor-dir" yaml:"local-vendor-dir" mapstructure:"local-vendor-dir"`
SearchRemoteLicenses *bool `json:"search-remote-licenses" yaml:"search-remote-licenses" mapstructure:"search-remote-licenses"`
Proxy string `json:"proxy" yaml:"proxy" mapstructure:"proxy"`
NoProxy string `json:"no-proxy" yaml:"no-proxy" mapstructure:"no-proxy"`
Expand All @@ -24,6 +26,9 @@ func (o *golangConfig) DescribeFields(descriptions clio.FieldDescriptionSet) {
descriptions.Add(&o.SearchLocalModCacheLicenses, `search for go package licences in the GOPATH of the system running Syft, note that this is outside the
container filesystem and potentially outside the root of a local directory scan`)
descriptions.Add(&o.LocalModCacheDir, `specify an explicit go mod cache directory, if unset this defaults to $GOPATH/pkg/mod or $HOME/go/pkg/mod`)
descriptions.Add(&o.SearchLocalVendorLicenses, `search for go package licences in the vendor folder on the system running Syft, note that this is outside the
container filesystem and potentially outside the root of a local directory scan`)
descriptions.Add(&o.LocalVendorDir, `specify an explicit go vendor directory, if unset this defaults to ./vendor`)
descriptions.Add(&o.SearchRemoteLicenses, `search for go package licences by retrieving the package from a network proxy`)
descriptions.Add(&o.Proxy, `remote proxy to use when retrieving go packages from the network,
if unset this defaults to $GOPROXY followed by https://proxy.golang.org`)
Expand All @@ -49,6 +54,8 @@ func defaultGolangConfig() golangConfig {
return golangConfig{
SearchLocalModCacheLicenses: nil, // this defaults to false, which is the API default
LocalModCacheDir: def.LocalModCacheDir,
SearchLocalVendorLicenses: nil, // this defaults to false, which is the API default
LocalVendorDir: def.LocalVendorDir,
SearchRemoteLicenses: nil, // this defaults to false, which is the API default
Proxy: strings.Join(def.Proxies, ","),
NoProxy: strings.Join(def.NoProxy, ","),
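Review bot: The description added for `LocalVendorDir` states the default is `./vendor`, but the value actually comes from `def.LocalVendorDir` in defaultGolangConfig (third hunk), so the help text can drift from the API default; and a relative `./vendor` presumably resolves against Syft's working directory on the host, not against the scanned image or directory root. Since the sibling `SearchLocalVendorLicenses` text already warns that the path is outside the container filesystem, the directory option should say the same: `specify an explicit go vendor directory on the host running Syft (a relative path is resolved from Syft's working directory, not the scan root); if unset this defaults to ./vendor`. The DescribeFields and defaultGolangConfig bodies both continue outside the hunks.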
4 changes: 2 additions & 2 deletions cmd/syft/internal/options/pkg.go
Expand Up @@ -16,9 +16,9 @@ var _ interface {
} = (*packageConfig)(nil)

func (o *packageConfig) DescribeFields(descriptions clio.FieldDescriptionSet) {
descriptions.Add(&o.SearchUnindexedArchives, `search within archives that do contain a file index to search against (zip)
descriptions.Add(&o.SearchIndexedArchives, `search within archives that do contain a file index to search against (zip)
note: for now this only applies to the java package cataloger`)
descriptions.Add(&o.SearchIndexedArchives, `search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
descriptions.Add(&o.SearchUnindexedArchives, `search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
note: for now this only applies to the java package cataloger`)
descriptions.Add(&o.ExcludeBinaryOverlapByOwnership, `allows users to exclude synthetic binary packages from the sbom
Expand Up @@ -418,6 +418,14 @@ var dirOnlyTestCases = []testCase{
"ocaml-base-compiler": "4.14.0",
},
},
{
name: "find terraform packages",
pkgType: pkg.TerraformPkg,
pkgLanguage: pkg.Go,
pkgInfo: map[string]string{
"registry.terraform.io/hashicorp/aws": "5.72.1",
},
},
}

var commonTestCases = []testCase{
Expand Up @@ -82,6 +82,7 @@ func TestPkgCoverageImage(t *testing.T) {
definedPkgs.Remove(string(pkg.OpamPkg))
definedPkgs.Remove(string(pkg.GithubActionPkg))
definedPkgs.Remove(string(pkg.GithubActionWorkflowPkg))
definedPkgs.Remove(string(pkg.TerraformPkg))

var cases []testCase
cases = append(cases, commonTestCases...)
37 changes: 0 additions & 37 deletions cmd/syft/internal/test/integration/license_list_test.go

This file was deleted.
