fix: archiver has been archived - replace with archives fork

[KimNorgaard]

grype/go.mod

Line 44 in 37245b0

github.com/mholt/archiver/v3 v3.5.1

grype/go.mod

Line 271 in 37245b0

replace github.com/mholt/archiver/v3 v3.5.1 => github.com/anchore/archiver/v3 v3.5.2

The fork fixes security issues with the lates(last) version of archiver. The author has since rewritten the module (see https://github.com/mholt/archives) and may have fixed those issues upstream.

I am getting dependabot alerts on archiver through grype/syft and there is nothing I can do about them since the project has been archived.

[spiffcs]

Thanks @KimNorgaard - I'm so sorry that you're getting dependabot alerts on archiver from grype/syft.

There are a couple reasons we should be removing this replace line and we just have not gotten around to removing it. Again, apologies for the spurious errors and extra toil you're getting from relying on our libraries.

I'm going to first solidify our fork, update the go mod, and remove this replace with a tagged release of our fork.

That should immediately resolve the security issue.

Step two we will be checking the new upstream and see if it has all the functionality we need to migrate to. We have some people relying on our fork so we're going to want to handle that carefully.

[KimNorgaard]

Thank you for the quick response. I completely understand your need to ensure backwards compatibility. I just wanted to give you a heads up and I'm happy you are looking into it.

[spiffcs]

We just merged two PRs to syft and grype that should close this issue against main

We'll do another release soon which will have a tagged version of these fixes.