* chore(ci): switch to small go image

Context: p95 duration for this job over the last 90 days is 2m 17s

Solution: Switch from 2.3Gb image to generic 513mb image.

Fetching the `bastiandoetsch209/cli-build` image can increase
the Job time by ~60 seconds if the image is not cached.

```
Warning: No authentication provided, using CircleCI credentials
for pulls from Docker Hub.
image cache not found on this host, downloading bastiandoetsch209/cli-build:20240214-145818
…
bastiandoetsch209/cli-build:20240214-145818:
  using image bastiandoetsch209/cli-build@sha256:1504fdbb34f02aab15475c3eacf8c0fc82be83059cda435b91327e43a98cb863
pull stats: download 2.279GiB in 23.682s (98.54MiB/s), extract 2.31GiB in 58.549s (40.39MiB/s)
```

Even pipelines run within minutes of each other do not necessarily hit the same image cache.
The caching layer at use here is entirely opaque to me, but the observed affects are
that the `Spin up environment` step can take either 0 or 60 seconds.

Switching to one of the Circle CI provided images which also tend to be smaller could help here.
Perhaps the inscrutable image caching is more likely to be optimised for their own images.

* chore(ci): removes unused dep to speed up feedback cycle
i
The test-go job has dependency on the artifacts generated as
part of the prepare-build job. Running this asap to reduce time
to results.

As of Composer v2.7.2 the tool will emit an error
if the version has not been defined on the root composer.json
https://github.com/composer/composer/releases/tag/2.7.2

Windows is the slowest test run, a problem made worse
by the time consuming build process that runs before it.

Perhaps a short term workaround until we have time to
optimise the build step is to increase the number of shards.

* fix: validate PR title

* chore: introduce linting for GitHub PR titles

* chore: update node for danger job

* chore: attempt at tracking edits to PRs

* fix: add support for development python versions

* test: explicitly state project version (#5108)

As of Composer v2.7.2 the tool will emit an error
if the version has not been defined on the root composer.json
https://github.com/composer/composer/releases/tag/2.7.2

* chore: introduce script to help create release (#5107)

---------

Co-authored-by: Luke Watts <luke@snyk.io>

Co-authored-by: Avishagp <noreply@snyk.io>

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

- feat: support verbose for maven

Support passing -Dverbose to resolve omitted dependencies using maven-dependency-plugin.

When verbose is being used execute a specific version of the maven-dependency-plugin.
This is becuase on lower version of this plugin outputType=dot is not supported, and it will output a tree.

When verbose is on skip pruning and ensure all dependency lines are traversed fully, using breadth first, first in wins for version resolution.

- fix: record and use visited dependency information

In preparation for supporting -Dverbose the breadth first search needs to retain
previously visited dependency information.

At the moment we record whether a dependency has been seen (true/false)
based on the maven graph node id. This id contains the dependency version.
For example 'com.example:my-app:jar:jdk8:1.2.3:compile'.

However when maven is determining whether a dependency has already been
seen only four properties are used:

* groupId
* artifactId
* type
* classifier (optional)

These are the properties that uniquely identify a dependency in Maven.

Changing visited to be keyed by these four properties instead.

In addition we then record the parsed dependency for these visited dependencies
so that we can use that information when adding and connecting the dep-graph nodes.

The effect is that if a duplicate node is found, the previously visited version
is preferred regardless of what the duplicate node is set to.

This doesn't really effect the current implementation because maven-dependency-plugin
hides duplicates. Another PR will start to support -Dverbose where this becomes
important that we select the effective version being resolved by Maven.

* chore: add a simple script to install dev tools

* chore: use Brewfile

* chore: create create-release script to create/update release branches

* chore: push patch branch in create-release.sh

* chore: can dry-run create-release.sh

CLI-166

* chore: allow unknown flags for code test

* chore(dep): bump gaf to latest

* chore: introduce go entry point for snyk code test

* test: switch to validating output against previous run

---------

Co-authored-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

…[CLI-73] (#5093)

* fix: Support large json data structures via --json

---------

Co-authored-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

- Updated `snyk sbom` to accept CycloneDX 1.5
- Updated `snyk container sbom` to accept CycloneDX 1.5

Co-authored-by: Paul Rosca <paul.rosca@snyk.io>

Co-authored-by: PeterSchafer <noreply@snyk.io>

* refactor: mark less recommended path as deprecated

* chore: introduce test helper to isolate port selection

* refactor: switch to using helper to determine port

We need to know about the port ahead of time so that we can
use it in our configuration. This supports iterating on fixed
ports to random ports so we can support running in parallel and
ensure no collision between our tests.

* chore: apply formatting

* chore(deps): upgrade jest to latest

* test: update snapshot

* test: migrate code tests to acceptance

* test: succeed testing with correct exit code - with sarif oputput and no markdown

* test: track analytics are called added

* test: should fail - when server returns error codes

* test: Always calls code-client with url coming from sastSettings

* chore: address lint issues

Co-authored-by: Avishagp <noreply@snyk.io>

These files are not tracked by git and result in a noticeable
lag in prettier whilst they are being processed.

See here for an example of the ~4.5second delay caused by prettier.

```
.tap/coverage/01fec6e5-492e-4f01-baa6-69022efbebfc.json 15ms
.tap/coverage/05a96cf2-7cea-4e31-8d82-745c88fbd122.json 224ms
.tap/coverage/093b21d5-b8a4-4dd1-9815-e669729363b2.json 80ms
.tap/coverage/4c57c24d-61e9-41d8-912a-8944b9e3dd85.json 15ms
.tap/coverage/51be6d29-8498-42b5-b648-4331a8cc1620.json 2430ms
.tap/coverage/77a86007-79d2-403a-9fd0-0099176628eb.json 58ms
.tap/coverage/ad188bc4-8e9f-42ed-bdbb-febdf9e2fd70.json 2213ms
.tap/coverage/e3b30972-2569-41f3-a2f0-0b516524c56e.json 56ms
.tap/coverage/e4e079ea-f384-434c-8a8f-430f6bda7501.json 16ms
.tap/coverage/ec4b832d-d31c-40b7-8657-48b874219100.json 18ms
.tap/coverage/f47299fe-8a09-46ac-99f8-33209e0bb687.json 5ms
.tap/processinfo/01fec6e5-492e-4f01-baa6-69022efbebfc.json 4ms
.tap/processinfo/05a96cf2-7cea-4e31-8d82-745c88fbd122.json 5ms
.tap/processinfo/093b21d5-b8a4-4dd1-9815-e669729363b2.json 4ms
.tap/processinfo/4c57c24d-61e9-41d8-912a-8944b9e3dd85.json 3ms
.tap/processinfo/51be6d29-8498-42b5-b648-4331a8cc1620.json 5ms
.tap/processinfo/77a86007-79d2-403a-9fd0-0099176628eb.json 4ms
.tap/processinfo/ad188bc4-8e9f-42ed-bdbb-febdf9e2fd70.json 5ms
.tap/processinfo/e3b30972-2569-41f3-a2f0-0b516524c56e.json 4ms
.tap/processinfo/e4e079ea-f384-434c-8a8f-430f6bda7501.json 3ms
.tap/processinfo/ec4b832d-d31c-40b7-8657-48b874219100.json 4ms
.tap/processinfo/f47299fe-8a09-46ac-99f8-33209e0bb687.json 3ms
```

…5149)

Upgrade snyk-iac-test to v0.51.3.  Changes:

- Print scan URL to debug output after uploading report.
- Fix panic on invalid arm input
- Minor fixes in Policy-Engine

…dows [IDE-90] (#5155)

This safe-guards and enforces that global ignores functionality has the necessary commands available.

…#5159)

* feat: parse workflow data to determine errors

* fix: switch to align with finalised schema

* chore(deps): bump gaf to latest

* test: refactor to support integration test

* fix: introduce custom error for storing exit code

* chore: adjust wording on json error

* test: update to match new error

* chore: remove file

* chore(deps): update go-application-framework to latest

* chore: reorder imports

* chore: remove unused code

* refactor: switch to structured test data

* chore: fix formatting

* chore: rename to include global prefix

* fix: switch to content_type ref

* chore: remove unused file

* refactor: switch to exported type

* refactor: introduce tests for displayError

We want to ensure that nothing is displayed for
the new Error being generated from TestSummary payload

* test: switch to NewInMemory configuration

* fix: display error logic to handle ExitCode errors

* fix: broken import

* test: remove defunct test

---------

Co-authored-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>

…5164)

…ext output (#5142)

…5170)

… mechanism (#5174)

* feat: snyk woof ro language support and tests

* chore: use jest table tests instead of forEach

* feat(sbom): Introduce experimental sbom test command

---------

Co-authored-by: Tim Pickles <tim.pickles@snyk.io>

Co-authored-by: mcombuechen <noreply@snyk.io>

* chore(ci): enable stable release channels

* chore: add release scripts to makefile

* chore: add additional instructions to prepare-release

* chore: run formatter after generating release notes

* chore: remove unused variable

* chore: ensure to use the correct version in release notes

* chore: use correct version in create-release

* chore: use long form of semver --coerce

* chore: add comment on version cleanup