build(deps): bump github.com/anchore/syft from 0.89.0 to 0.91.0

[dependabot]

Bumps github.com/anchore/syft from 0.89.0 to 0.91.0.

Release notes

Sourced from github.com/anchore/syft's releases.

v0.91.0

Added Features

• Add support for CycloneDX 1.5 [#2120 #2123 @​spiffcs]
• Add support for containerd as an image source [#201 #1793 @​shanedell]
• Support cataloging github workflow & github action usages [#1896 #2140 @​wagoodman]

Bug Fixes

• Allow CycloneDX json input with no components [#2127 @​ahoz]
• Prevent errors from clobbering terminal [#2161 @​kzantow]
• Using syft as a go library to decode a syft json has incomplete data [#2069 #2083 @​kzantow]
• SBOMs are not the same on multiple runs of syft [#1944]

Additional Changes

• Switch to stdlib's slices pkg [#2148 @​hainenber]
• Remove unneeded arch switch in unit test [#2156 @​willmurphyscode]
• Update chronicle to v0.8.0 [#2154 @​wagoodman]
• Update to latest stereoscope [#2151 @​spiffcs]
• Pin workflow checkout for cpe update-cpe-dictionary-index [#2141 @​spiffcs]
• Add dependency information to conan lockfile parser [#2131 @​Pro]
• Pin and update all workflow dependencies; add permission scopes [#2138 @​spiffcs]
• Enforce race detector [#2122 @​willmurphyscode]

(Full Changelog)

v0.90.0

v0.90.0 (2023-09-11)

Full Changelog

Added Features

• Expose cobra command in cli package [[PR #2097](https://redirect.github.com/Expose cobra command in cli package anchore/syft#2097)] [wagoodman]
• Explicitly test PURL generation against key packages [[Issue #2071](https://redirect.github.com/Explicitly test PURL generation against key packages anchore/syft#2071)]
• Add User-Agent with Syft version during update check [[Issue #2072](https://redirect.github.com/Add User-Agent with Syft version during update check anchore/syft#2072)] [[PR #2100](https://redirect.github.com/feat(cmd/update): add UA header with current ver when check for update anchore/syft#2100)] [hainenber]

Bug Fixes

• fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation [[PR #2075](https://redirect.github.com/fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation anchore/syft#2075)] [willmurphyscode]
• Cyclonedx external reference URLs are not validated when encoding [[Issue #2079](https://redirect.github.com/Cyclonedx external reference URLs are not validated when encoding anchore/syft#2079)] [[PR #2091](https://redirect.github.com/fix(cdx): validate external refs before encoding anchore/syft#2091)] [hainenber]

Additional Changes

• Bump the golang.org/x/exp dependency and fix a build breakage. [[PR #2088](https://redirect.github.com/Bump the golang.org/x/exp dependency and fix a build breakage. anchore/syft#2088)] [dlorenc]
• fix: update codeql-analysis for go 1.21 [[PR #2108](https://redirect.github.com/fix: update codeql-analysis for go 1.21 anchore/syft#2108)] [spiffcs]

Commits

• b7fa75d chore: switch to stdlib's slices pkg (#2148)
• 7d0d3e1 fix: prevent errors from clobbering terminal (#2161)
• 58f8c85 Require ordering of relationships when comparing parser output (#2160)
• b8f52d5 chore: stop unit test switch on host arch (#2156)
• ba00f33 chore(deps): bump github.com/github/go-spdx/v2 from 2.1.2 to 2.2.0 (#2158)
• 962ff1e chore(deps): bump tibdex/github-app-token from 2.0.0 to 2.1.0 (#2157)
• 40899ad use annotated tags, update chronicle, fix cache keys (#2154)
• 650f71c chore: update to latest stereoscope (#2151)
• 30885ed chore(deps): bump github/codeql-action from 2.21.7 to 2.21.8 (#2150)
• 51243aa chore(deps): update stereoscope to 41288870305034fade27388afa7326c44eb8ff17 (...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #77.