Merge branch 'main' into fix-cpe-validation

* main: (343 commits)
  feat: update haproxy classifier (#3277)
  chore(deps): update tools to latest versions (#3291)
  fix: don't use builtin scanner in licensecheck (#3290)
  chore(deps): update CPE dictionary index (#3288)
  chore(deps): bump github/codeql-action from 3.26.9 to 3.26.10 (#3289)
  update redis classifier (#3281)
  fix: improve node classifier version matching (#3284)
  fix: update ruby classifier for -rc, -dev, etc. versions (#3285)
  chore(deps): update CPE dictionary index (#3262)
  chore(deps): bump github.com/docker/docker (#3264)
  chore(deps): bump github/codeql-action from 3.26.8 to 3.26.9 (#3275)
  chore(deps): update stereoscope to dc10ea61fd18efa45b516eda4de8bc19d8322429 (#3280)
  chore(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#3283)
  add awaiting response management (#3272)
  fix: correct excluded mount point comparison to file paths (#3269)
  Add JVM cataloger (#3217)
  feat: classifier for Dart lang binaries (#3265)
  Add compliance policy for empty name and version (#3257)
  chore(deps): bump github.com/github/go-spdx/v2 from 2.3.1 to 2.3.2 (#3254)
  chore(deps): bump peter-evans/create-pull-request from 7.0.3 to 7.0.5 (#3255)
  ...

.binny.yaml

@@ -2,7 +2,7 @@ tools:
   # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
   - name: binny
     version:
-      want: v0.7.0
+      want: v0.8.0
     method: github-release
     with:
       repo: anchore/binny
@@ -18,31 +18,31 @@ tools:
   # used to sign mac binaries at release
   - name: quill
     version:
-      want: v0.4.1
+      want: v0.4.2
     method: github-release
     with:
       repo: anchore/quill
 
   # used for linting
   - name: golangci-lint
     version:
-      want: v1.57.2
+      want: v1.61.0
     method: github-release
     with:
       repo: golangci/golangci-lint
 
   # used for showing the changelog at release
   - name: glow
     version:
-      want: v1.5.1
+      want: v2.0.0
     method: github-release
     with:
       repo: charmbracelet/glow
 
   # used for signing the checksums file at release
   - name: cosign
     version:
-      want: v2.2.3
+      want: v2.4.0
     method: github-release
     with:
       repo: sigstore/cosign
@@ -58,7 +58,7 @@ tools:
   # used to release all artifacts
   - name: goreleaser
     version:
-      want: v1.25.1
+      want: v2.3.2
     method: github-release
     with:
       repo: goreleaser/goreleaser
@@ -103,15 +103,31 @@ tools:
   # used for running all local and CI tasks
   - name: task
     version:
-      want: v3.35.1
+      want: v3.39.2
     method: github-release
     with:
       repo: go-task/task
 
   # used for triggering a release
   - name: gh
     version:
-      want: v2.47.0
+      want: v2.58.0
     method: github-release
     with:
       repo: cli/cli
+
+  # used to upload test fixture cache
+  - name: oras
+    version:
+      want: v1.2.0
+    method: github-release
+    with:
+      repo: oras-project/oras
+
+  # used to upload test fixture cache
+  - name: yq
+    version:
+      want: v4.44.3
+    method: github-release
+    with:
+      repo: mikefarah/yq

.bouncer.yaml

@@ -6,6 +6,7 @@ permit:
   - MPL.*
   - ISC
   - WTFPL
+  - Unlicense
 
 ignore-packages:
   # packageurl-go is released under the MIT license located in the root of the repo at /mit.LICENSE

.github/ISSUE_TEMPLATE/config.yml

@@ -1,6 +1,6 @@
 contact_links:
 
-  - name: Join the Slack community 💬
-    # link to our community Slack registration page
-    url: https://anchore.com/slack
+  - name: Join our Discourse community 💬
+    # link to our community Discourse site
+    url: https://anchore.com/discourse
     about: 'Come chat with us! Ask for help, join our software development efforts, or just give us feedback!'

.github/actions/bootstrap/action.yaml

@@ -5,36 +5,35 @@ inputs:
   go-version:
     description: "Go version to install"
     required: true
-    default: "1.21.x"
+    default: "1.22.x"
   go-dependencies:
     description: "Download go dependencies"
     required: true
     default: "true"
   cache-key-prefix:
     description: "Prefix all cache keys with this value"
     required: true
-    default: "1ac8281053"
-  compute-fingerprints:
-    description: "Compute test fixture fingerprints"
+    default: "181053ac82"
+  download-test-fixture-cache:
+    description: "Download test fixture cache from OCI and github actions"
     required: true
-    default: "true"
+    default: "false"
   bootstrap-apt-packages:
     description: "Space delimited list of tools to install via apt"
     default: "libxml2-utils"
 
-
 runs:
   using: "composite"
   steps:
     # note: go mod and build is automatically cached on default with v4+
-    - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       if: inputs.go-version != ''
       with:
         go-version: ${{ inputs.go-version }}
 
     - name: Restore tool cache
       id: tool-cache
-      uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+      uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       with:
         path: ${{ github.workspace }}/.tool
         key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('.binny.yaml') }}
@@ -54,8 +53,14 @@ runs:
       run: |
         DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y ${{ inputs.bootstrap-apt-packages }}
 
-    - name: Create all cache fingerprints
-      if: inputs.compute-fingerprints == 'true'
-      shell: bash
-      run: make fingerprints
+    - name: Restore ORAS cache from github actions
+      if: inputs.download-test-fixture-cache == 'true'
+      uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+      with:
+        path: ${{ github.workspace }}/.tmp/oras-cache
+        key: ${{ inputs.cache-key-prefix }}-oras-cache
 
+    - name: Download test fixture cache
+      if: inputs.download-test-fixture-cache == 'true'
+      shell: bash
+      run: make download-test-fixture-cache

.github/dependabot.yml

@@ -17,3 +17,11 @@ updates:
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
+
+  - package-ecosystem: "github-actions"
+    directory: "/.github/actions/boostrap"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"

.github/scripts/find_cache_paths.py

@@ -0,0 +1,135 @@
+#!/usr/bin/env python3
+from __future__ import annotations
+
+import os
+import glob
+import sys
+import json
+import hashlib
+
+
+IGNORED_PREFIXES = []
+
+
+def find_fingerprints_and_check_dirs(base_dir):
+    all_fingerprints = set(glob.glob(os.path.join(base_dir, '**', 'test*', '**', '*.fingerprint'), recursive=True))
+
+    all_fingerprints = {os.path.relpath(fp) for fp in all_fingerprints
+                        if not any(fp.startswith(prefix) for prefix in IGNORED_PREFIXES)}
+
+    if not all_fingerprints:
+        show("No .fingerprint files or cache directories found.")
+        exit(1)
+
+    missing_content = []
+    valid_paths = set()
+    fingerprint_contents = []
+
+    for fingerprint in all_fingerprints:
+        path = fingerprint.replace('.fingerprint', '')
+
+        if not os.path.exists(path):
+            missing_content.append(path)
+            continue
+
+        if not os.path.isdir(path):
+            valid_paths.add(path)
+            continue
+
+        if os.listdir(path):
+            valid_paths.add(path)
+        else:
+            missing_content.append(path)
+
+        with open(fingerprint, 'r') as f:
+            content = f.read().strip()
+            fingerprint_contents.append((fingerprint, content))
+
+    return sorted(valid_paths), missing_content, fingerprint_contents
+
+
+def parse_fingerprint_contents(fingerprint_content):
+    input_map = {}
+    for line in fingerprint_content.splitlines():
+        digest, path = line.split()
+        input_map[path] = digest
+    return input_map
+
+
+def calculate_sha256(fingerprint_contents):
+    sorted_fingerprint_contents = sorted(fingerprint_contents, key=lambda x: x[0])
+
+    concatenated_contents = ''.join(content for _, content in sorted_fingerprint_contents)
+
+    sha256_hash = hashlib.sha256(concatenated_contents.encode()).hexdigest()
+
+    return sha256_hash
+
+
+def calculate_file_sha256(file_path):
+    sha256_hash = hashlib.sha256()
+    with open(file_path, 'rb') as f:
+        for byte_block in iter(lambda: f.read(4096), b""):
+            sha256_hash.update(byte_block)
+    return sha256_hash.hexdigest()
+
+
+def show(*s: str):
+    print(*s, file=sys.stderr)
+
+
+def main(file_path: str | None):
+    base_dir = '.'
+    valid_paths, missing_content, fingerprint_contents = find_fingerprints_and_check_dirs(base_dir)
+
+    if missing_content:
+        show("The following paths are missing or have no content, but have corresponding .fingerprint files:")
+        for path in sorted(missing_content):
+            show(f"- {path}")
+        show("Please ensure these paths exist and have content if they are directories.")
+        exit(1)
+
+    sha256_hash = calculate_sha256(fingerprint_contents)
+
+    paths_with_digests = []
+    for path in sorted(valid_paths):
+        fingerprint_file = f"{path}.fingerprint"
+        try:
+            if os.path.exists(fingerprint_file):
+                file_digest = calculate_file_sha256(fingerprint_file)
+
+                # Parse the fingerprint file to get the digest/path tuples
+                with open(fingerprint_file, 'r') as f:
+                    fingerprint_content = f.read().strip()
+                    input_map = parse_fingerprint_contents(fingerprint_content)
+
+                paths_with_digests.append({
+                    "path": path,
+                    "digest": file_digest,
+                    "input": input_map
+                })
+
+        except Exception as e:
+            show(f"Error processing {fingerprint_file}: {e}")
+            raise e
+
+
+    output = {
+        "digest": sha256_hash,
+        "paths": paths_with_digests
+    }
+
+    content = json.dumps(output, indent=2, sort_keys=True)
+
+    if file_path:
+        with open(file_path, 'w') as f:
+            f.write(content)
+
+    print(content)
+
+
+if __name__ == "__main__":
+    file_path = None
+    if len(sys.argv) > 1:
+        file_path = sys.argv[1]
+    main(file_path)

.github/scripts/fingerprint_docker_fixtures.py

@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+
+import os
+import subprocess
+import hashlib
+
+BOLD = '\033[1m'
+YELLOW = '\033[0;33m'
+RESET = '\033[0m'
+
+
+def print_message(message):
+    print(f"{YELLOW}{message}{RESET}")
+
+
+def sha256sum(filepath):
+    h = hashlib.sha256()
+    with open(filepath, 'rb') as f:
+        for chunk in iter(lambda: f.read(4096), b""):
+            h.update(chunk)
+    return h.hexdigest()
+
+
+def is_git_tracked_or_untracked(directory):
+    """Returns a sorted list of files in the directory that are tracked or not ignored by Git."""
+    result = subprocess.run(
+        ["git", "ls-files", "--cached", "--others", "--exclude-standard"],
+        cwd=directory,
+        stdout=subprocess.PIPE,
+        text=True
+    )
+    return sorted(result.stdout.strip().splitlines())
+
+
+def find_test_fixture_dirs_with_images(base_dir):
+    """Find directories that contain 'test-fixtures' and at least one 'image-*' directory."""
+    for root, dirs, files in os.walk(base_dir):
+        if 'test-fixtures' in root:
+            image_dirs = [d for d in dirs if d.startswith('image-')]
+            if image_dirs:
+                yield os.path.realpath(root)
+
+
+def generate_fingerprints():
+    print_message("creating fingerprint files for docker fixtures...")
+
+    for test_fixture_dir in find_test_fixture_dirs_with_images('.'):
+        cache_fingerprint_path = os.path.join(test_fixture_dir, 'cache.fingerprint')
+
+        with open(cache_fingerprint_path, 'w') as fingerprint_file:
+            for image_dir in find_image_dirs(test_fixture_dir):
+                for file in is_git_tracked_or_untracked(image_dir):
+                    file_path = os.path.join(image_dir, file)
+                    checksum = sha256sum(file_path)
+                    path_from_fixture_dir = os.path.relpath(file_path, test_fixture_dir)
+                    fingerprint_file.write(f"{checksum}  {path_from_fixture_dir}\n")
+
+
+def find_image_dirs(test_fixture_dir):
+    """Find all 'image-*' directories inside a given test-fixture directory."""
+    result = []
+    for root, dirs, files in os.walk(test_fixture_dir):
+        for dir_name in dirs:
+            if dir_name.startswith('image-'):
+                result.append(os.path.join(root, dir_name))
+    return sorted(result)
+
+
+if __name__ == "__main__":
+    generate_fingerprints()