Merge branch 'main' into 2954-poetry-package-tree

* main:
  chore(deps): update tools to latest versions (#2961)
  chore(deps): bump github/codeql-action from 3.25.9 to 3.25.10 (#2964)
  feat: index known CPEs for wordpress plugins and themes (#2963)
  fix(golang): improve version extraction from ldflags for pingcap TiDB (#2962)
  chore(deps): bump actions/checkout from 4.1.6 to 4.1.7 (#2955)
  chore(deps): bump github/codeql-action from 3.25.8 to 3.25.9 (#2956)
  fix: separate golang license caches from mod dir (#2852)
  chore(deps): bump github.com/vbatts/go-mtree from 0.5.3 to 0.5.4 (#2952)
  chore(deps): update tools to latest versions (#2949)
  chore(deps): bump modernc.org/sqlite from 1.30.0 to 1.30.1 (#2950)

.binny.yaml

@@ -58,7 +58,7 @@ tools:
   # used to release all artifacts
   - name: goreleaser
     version:
-      want: v2.0.0
+      want: v2.0.1
     method: github-release
     with:
       repo: goreleaser/goreleaser
@@ -111,7 +111,7 @@ tools:
   # used for triggering a release
   - name: gh
     version:
-      want: v2.50.0
+      want: v2.51.0
     method: github-release
     with:
       repo: cli/cli

.github/workflows/benchmark-testing.yaml

@@ -17,7 +17,7 @@ jobs:
     # the job by event.
     steps:
       - name: Checkout code
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap

.github/workflows/codeql-analysis.yml

@@ -36,7 +36,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
     - name: Install Go
       uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 #v5.0.1
@@ -45,7 +45,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff #v3.25.8
+      uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 #v3.25.10
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff #v3.25.8
+      uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251 #v3.25.10
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff #v3.25.8
+      uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 #v3.25.10

.github/workflows/detect-schema-changes.yaml

@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
 
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - run: python .github/scripts/labeler.py
         env:

.github/workflows/release-version-file.yaml

@@ -20,7 +20,7 @@ jobs:
   release:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Update version file
         run: make ci-release-version-file

.github/workflows/release.yaml

@@ -15,7 +15,7 @@ jobs:
     environment: release
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Check if running on main
         if: github.ref != 'refs/heads/main'
@@ -105,7 +105,7 @@ jobs:
       # required for goreleaser signs section with cosign
       id-token: write
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
         with:
           fetch-depth: 0
 

.github/workflows/update-bootstrap-tools.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'anchore/syft' # only run for main repo
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap

.github/workflows/update-cpe-dictionary-index.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'anchore/syft' # only run for main repo
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap

.github/workflows/update-stereoscope-release.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'anchore/syft' # only run for main repo
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 #v5.0.1
         with:

.github/workflows/validations.yaml

@@ -17,7 +17,7 @@ jobs:
     name: "Static analysis"
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -31,7 +31,7 @@ jobs:
     name: "Unit tests"
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -87,7 +87,7 @@ jobs:
     name: "Integration tests"
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -109,7 +109,7 @@ jobs:
     name: "Build snapshot artifacts"
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -139,7 +139,7 @@ jobs:
     needs: [Build-Snapshot-Artifacts]
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -190,7 +190,7 @@ jobs:
       - name: Install Cosign
         uses: sigstore/cosign-installer@v3.5.0
 
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -234,7 +234,7 @@ jobs:
     needs: [Build-Snapshot-Artifacts]
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap

cmd/syft/internal/commands/attest.go

@@ -43,6 +43,7 @@ type attestOptions struct {
 	options.UpdateCheck `yaml:",inline" mapstructure:",squash"`
 	options.Catalog     `yaml:",inline" mapstructure:",squash"`
 	Attest              options.Attest `yaml:"attest" mapstructure:"attest"`
+	Cache               options.Cache  `json:"-" yaml:"cache" mapstructure:"cache"`
 }
 
 func Attest(app clio.Application) *cobra.Command {
@@ -77,6 +78,7 @@ func defaultAttestOptions() attestOptions {
 		Output:      defaultAttestOutputOptions(),
 		UpdateCheck: options.DefaultUpdateCheck(),
 		Catalog:     options.DefaultCatalog(),
+		Cache:       options.DefaultCache(),
 	}
 }
 

cmd/syft/internal/commands/scan.go

@@ -68,13 +68,15 @@ type scanOptions struct {
 	options.Output      `yaml:",inline" mapstructure:",squash"`
 	options.UpdateCheck `yaml:",inline" mapstructure:",squash"`
 	options.Catalog     `yaml:",inline" mapstructure:",squash"`
+	Cache               options.Cache `json:"-" yaml:"cache" mapstructure:"cache"`
 }
 
 func defaultScanOptions() *scanOptions {
 	return &scanOptions{
 		Output:      options.DefaultOutput(),
 		UpdateCheck: options.DefaultUpdateCheck(),
 		Catalog:     options.DefaultCatalog(),
+		Cache:       options.DefaultCache(),
 	}
 }
 

cmd/syft/internal/options/cache.go

@@ -0,0 +1,122 @@
+package options
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/adrg/xdg"
+	"github.com/mitchellh/go-homedir"
+
+	"github.com/anchore/clio"
+	"github.com/anchore/syft/internal/cache"
+	"github.com/anchore/syft/internal/log"
+)
+
+// Cache provides configuration for the Syft caching behavior
+type Cache struct {
+	Dir string `yaml:"dir" mapstructure:"dir"`
+	TTL string `yaml:"ttl" mapstructure:"ttl"`
+}
+
+func (c *Cache) DescribeFields(descriptions clio.FieldDescriptionSet) {
+	descriptions.Add(&c.Dir, "root directory to cache any downloaded content")
+	descriptions.Add(&c.TTL, "time to live for cached data")
+}
+
+func (c *Cache) PostLoad() error {
+	if c.Dir != "" {
+		ttl, err := parseDuration(c.TTL)
+		if err != nil {
+			log.Warnf("unable to parse duration '%v', using default (%s) due to: %v", c.TTL, durationToString(defaultTTL()), err)
+			ttl = defaultTTL()
+		}
+		dir, err := homedir.Expand(c.Dir)
+		if err != nil {
+			log.Warnf("unable to expand cache directory %s: %v", c.Dir, err)
+			cache.SetManager(cache.NewInMemory(ttl))
+		} else {
+			m, err := cache.NewFromDir(dir, ttl)
+			if err != nil {
+				log.Warnf("unable to get filesystem cache at %s: %v", c.Dir, err)
+				cache.SetManager(cache.NewInMemory(ttl))
+			} else {
+				cache.SetManager(m)
+			}
+		}
+	}
+	return nil
+}
+
+var _ interface {
+	clio.PostLoader
+	clio.FieldDescriber
+} = (*Cache)(nil)
+
+func DefaultCache() Cache {
+	return Cache{
+		Dir: defaultDir(),
+		TTL: durationToString(defaultTTL()),
+	}
+}
+
+func defaultTTL() time.Duration {
+	return 7 * 24 * time.Hour
+}
+
+func defaultDir() string {
+	var err error
+	cacheRoot := xdg.CacheHome
+	if cacheRoot == "" {
+		cacheRoot, err = homedir.Dir()
+		if err != nil {
+			cacheRoot = os.TempDir()
+			log.Debugf("unable to get stable cache directory due to: %v, defaulting cache to temp dir: %s", err, cacheRoot)
+		} else {
+			cacheRoot = filepath.Join(cacheRoot, ".cache")
+		}
+	}
+
+	return filepath.Join(cacheRoot, "syft")
+}
+
+func durationToString(duration time.Duration) string {
+	days := int64(duration / (24 * time.Hour))
+	remain := duration % (24 * time.Hour)
+	out := ""
+	if days > 0 {
+		out = fmt.Sprintf("%vd", days)
+	}
+	if remain != 0 {
+		out += remain.String()
+	}
+	if out == "" {
+		return "0"
+	}
+	return out
+}
+
+var whitespace = regexp.MustCompile(`\s+`)
+
+func parseDuration(duration string) (time.Duration, error) {
+	duration = strings.ToLower(whitespace.ReplaceAllString(duration, ""))
+	parts := strings.SplitN(duration, "d", 2)
+	var days time.Duration
+	var remain time.Duration
+	var err error
+	if len(parts) > 1 {
+		numDays, daysErr := strconv.Atoi(parts[0])
+		if daysErr != nil {
+			return 0, daysErr
+		}
+		days = time.Duration(numDays) * 24 * time.Hour
+		remain, err = time.ParseDuration(parts[1])
+	} else {
+		remain, err = time.ParseDuration(duration)
+	}
+	return days + remain, err
+}