chore(deps): bump github.com/anchore/syft from 1.38.0 to 1.40.0

[dependabot]

Bumps github.com/anchore/syft from 1.38.0 to 1.40.0.

Release notes

Sourced from github.com/anchore/syft's releases.

v1.40.0

Added Features

• Exclude development or test dependencies for PNPM Package type [#4430 #4487 @​rezmoss]
• Catalog istio binary (pilot-discovery, pilot-agent) [#4508 #4521 @​witchcraze]
• Catalog envoy binary [#4506 #4530 @​witchcraze]
• Catalog grafana binary [#4505 #4516 @​witchcraze]
• Add a binary classifier for valkey [#3400 #4509 @​witchcraze]

Bug Fixes

• old bitnami images without spdx files arent getting picked up correctly in the catalog [#4529 #4532 @​rezmoss]
• wrong traefik rc versions at binary detection [#3535 #4499 @​rezmoss]
• FromPOSIX() in internals\windows\path.go assumes that all Windows root paths must have a colon terminator [#4070 #4075 @​luissantosHCIT]
• binary cataloger is picking up the go version instead of the actual binary version in traefik experimental images [#4498 #4499 @​rezmoss]

(Full Changelog)

v1.39.0

Added Features

• add support for Gemfile.next.lock [#4457 @​HatiCode]
• Command output to give more information on what catalogers look for and what they can find [#4155 #4317 @​wagoodman]
• Support reading lzma compressed .go.buildinfo sections with upx [#4411 #4480 @​wagoodman]
• Specify specific snap revision to pull [#4389 #4439 @​VictorHuu]
• Cannot detect embedded deps.json metadata in single-file .NET binaries [#4344 #4375 @​rezmoss]
• ELF note cataloger does not pick up OS field, but should [#4384 #4438 @​VictorHuu]

Bug Fixes

• remove debug print statement in dependency parser [#4412 @​cgreeno]
• dotnet-deps cataloger should skip project references with type "project" when building the sbom [#4423 #4436 @​rezmoss]
• File digests not computed when using --base-path [#4410 #4478 @​wagoodman]
• Syft should not define subpaths by default in PURLs [#4394 #4395 @​rezmoss]
• go: valid purl but incorrect name [#1737 #4395 @​rezmoss]
• Incorrect Go module PURL generation when module path contains /vN (e.g. /v5) [#4316 #4395 @​rezmoss]
• Failing to convert npm repository information correctly to SPDX [#4362 #4390 @​kendrickm]

(Full Changelog)

v1.38.2

Bug Fixes

• drop cpe from gguf [#4383 @​spiffcs]
• emit lua rockspec dependencies in metadata [#4376 @​willmurphyscode]
• Invalid SBOMs are created when GO replace directive is used [#4415 #4419 @​VictorHuu]
• Incorrect CPE for Vercel's Next js [#4443 #4450 @​willmurphyscode]
• v1.38.0 generates empty sbom for tgz sources [#4416 #4421 @​VictorHuu]
• Syft: The dependency graph does not include all Requires-Dist relationships defined in the package’s METADATA file [#4401 #4408 @​willmurphyscode]

... (truncated)

Commits

• 11e8715 chore(deps): update anchore dependencies (#4535)
• cc1a7df chore: fix some comments to improve readability (#4533)
• 3a3a86e fixed #4430 exclude dev pnpm pkg (#4487)
• 6509b70 add istio classifier (#4521)
• 7f1d57d feat: detect older bitnami img packages (#4532)
• ed339e4 fix: ensure java image build failures stop the build (#4531)
• 3ea6a03 chore(deps): bump the go-minor-patch group with 3 updates (#4524)
• 81dd955 add envoy binary classifier (#4530)
• 48948dd add container support for graalvm fixture (#4528)
• 63273b1 chore(deps): bump the actions-minor-patch group across 1 directory with 2 upd...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[netlify]

✅ Deploy Preview for zarf-docs canceled.

Name	Link
🔨 Latest commit	6569a53
🔍 Latest deploy log	https://app.netlify.com/projects/zarf-docs/deploys/69667c421753490008b017e3