Bump Syft from 0.60.3 to 0.66.1

go.mod

@@ -5,18 +5,18 @@ go 1.16
 require (
 	github.com/BurntSushi/toml v1.2.1
 	github.com/Masterminds/semver/v3 v3.2.0
-	github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 	github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
-	github.com/anchore/stereoscope v0.0.0-20221006201143-d24c9d626b33
-	github.com/anchore/syft v0.60.3
+	github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501
+	github.com/anchore/syft v0.66.1
+	github.com/apex/log v1.1.4
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5
 	github.com/gabriel-vasile/mimetype v1.4.1
-	github.com/google/go-cmp v0.5.9
 	github.com/google/uuid v1.3.0
 	github.com/onsi/gomega v1.24.2
 	github.com/pelletier/go-toml v1.9.5
 	github.com/sclevine/spec v1.4.0
 	github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e
+	github.com/spdx/tools-golang v0.3.1-0.20221108182156-8a01147e6342
 	github.com/sergi/go-diff v1.3.1
 	github.com/stretchr/testify v1.8.1
 	github.com/ulikunitz/xz v0.5.11

sbom/formatted_reader_test.go

@@ -119,8 +119,8 @@ func testFormattedReader(t *testing.T, context spec.G, it spec.S) {
 
 			// Ensures pretty printing
 			Expect(buffer.String()).To(ContainSubstring(`{
- "SPDXID": "SPDXRef-DOCUMENT",
- "creationInfo": {`))
+ "Reviews": null,
+ "SPDXID": "SPDXRef-DOCUMENT"`))
 
 			var spdxOutput spdxOutput
 
@@ -137,7 +137,7 @@ func testFormattedReader(t *testing.T, context spec.G, it spec.S) {
 			Expect(spdxOutput.Packages[5].Name).To(Equal("wrappy"), buffer.String())
 
 			// Ensure documentNamespace and creationInfo.created have reproducible values
-			Expect(spdxOutput.DocumentNamespace).To(Equal("https://paketo.io/packit/dir/testdata-5eb1cfc4-105b-5002-b80e-04a3f4cef71b"), buffer.String())
+			Expect(spdxOutput.DocumentNamespace).To(Equal("https://paketo.io/packit/dir/testdata-d359f27c-86a7-5551-b971-9c7afd003959"), buffer.String())
 			Expect(spdxOutput.CreationInfo.Created).To(BeZero(), buffer.String())
 
 			rerunBuffer := bytes.NewBuffer(nil)
@@ -186,7 +186,7 @@ func testFormattedReader(t *testing.T, context spec.G, it spec.S) {
 					Expect(spdxOutput.Packages[5].Name).To(Equal("wrappy"), buffer.String())
 
 					// Ensure documentNamespace and creationInfo.created have reproducible values
-					Expect(spdxOutput.DocumentNamespace).To(Equal("https://paketo.io/packit/dir/testdata-e4c3c453-ddc9-5920-995f-5a1a8472b6e8"), buffer.String())
+					Expect(spdxOutput.DocumentNamespace).To(Equal("https://paketo.io/packit/dir/testdata-c6ae45ee-2cee-584a-b637-9de3c8486856"), buffer.String())
 					Expect(spdxOutput.CreationInfo.Created).To(Equal(time.Unix(1659551872, 0).UTC()), buffer.String())
 
 					rerunBuffer := bytes.NewBuffer(nil)
@@ -272,7 +272,7 @@ func testFormattedReader(t *testing.T, context spec.G, it spec.S) {
 		Expect(rerunBuffer.String()).To(Equal(buffer.String()))
 	})
 
-	it("writes the SBOM in the latest Syft format (3.*)", func() {
+	it("writes the SBOM in the latest Syft format (6.*)", func() {
 		buffer := bytes.NewBuffer(nil)
 		_, err := io.Copy(buffer, sbom.NewFormattedReader(bom, sbom.Format(syft.JSONFormatID)))
 		Expect(err).NotTo(HaveOccurred())
@@ -282,7 +282,7 @@ func testFormattedReader(t *testing.T, context spec.G, it spec.S) {
 		err = json.Unmarshal(buffer.Bytes(), &syftOutput)
 		Expect(err).NotTo(HaveOccurred(), buffer.String())
 
-		Expect(syftOutput.Schema.Version).To(MatchRegexp(`3\.\d+\.\d+`), buffer.String())
+		Expect(syftOutput.Schema.Version).To(MatchRegexp(`6\.\d+\.\d+`), buffer.String())
 
 		Expect(syftOutput.Source.Type).To(Equal("directory"), buffer.String())
 		Expect(syftOutput.Source.Target).To(Equal("testdata/"), buffer.String())

sbom/init_test.go

@@ -8,7 +8,7 @@ import (
 	"github.com/sclevine/spec/report"
 )
 
-func TestSBOM(t *testing.T) {
+func TestUnitSBOM(t *testing.T) {
 	format.MaxLength = 0
 
 	suite := spec.New("sbom", spec.Report(report.Terminal{}))

sbom/internal/formats/cyclonedx13/cyclonedx/README.md

@@ -8,3 +8,5 @@ which [supports CycloneDX Spec version
 Only the portions of the package that are strictly necessary for SBOM encoding
 have been included here.
 
+
+This is required because the upstream code base does not support versioned specs.

sbom/internal/formats/cyclonedx13/cyclonedxhelpers/README.md

@@ -4,6 +4,9 @@ internal `cyclonedxhelpers` package. The version copied is from an [old
 commit](https://github.com/anchore/syft/blob/a86dd3704efdb19aea22774eb7e099d4e85d41e4/internal/formats/common/cyclonedxhelpers)
 of Syft that supports CycloneDX JSON Schema 1.3.
 
+Any helpers here remain because they contain 1.3-specific logic, so we cannot
+use upstream code.
+
 The implementation of `decoder` has been omitted for
 simplicity, since it is not required for buildpacks' SBOM generation.
 

sbom/internal/formats/cyclonedx13/cyclonedxhelpers/author.go

@@ -7,6 +7,8 @@ import (
 	"github.com/anchore/syft/syft/pkg"
 )
 
+// We must copy this helper in because it's not exported from
+// syft/formats/common/cyclonedxhelpers
 func encodeAuthor(p pkg.Package) string {
 	if hasMetadata(p) {
 		switch metadata := p.Metadata.(type) {

sbom/internal/formats/cyclonedx13/cyclonedxhelpers/component.go

@@ -6,6 +6,8 @@ import (
 )
 
 // Relies on cycloneDX published structs
+// We must copy this helper in because it's not exported from
+// syft/formats/common/cyclonedxhelpers
 func encodeComponent(p pkg.Package) cyclonedx.Component {
 	props := encodeProperties(p, "syft:package")
 	props = append(props, encodeCPEs(p)...)