Bump github.com/anchore/syft from 1.18.0 to 1.20.0

[dependabot]

Bumps github.com/anchore/syft from 1.18.0 to 1.20.0.

Release notes

Sourced from github.com/anchore/syft's releases.

v1.20.0

Added Features

• Add file catalogers to selection configuration [#3505 @​wagoodman]
• Configuration for including license contents in SBOM [#3626 #3631 @​spiffcs]
• Support Bitnami embedded SBOMs [#3065 #3341 @​juan131] [#3676 @​willmurphyscode]

Bug Fixes

• Version parse caused by line breaks on different platforms [#3672 @​idhyt]
• License files which do not match an SPDX expression are erroneously handled as 'unlicensed' [#3412 #3366 @​HeyeOpenSource]
• Incorrect URL encoding of package url (purl) [#3533 #3678 @​kzantow]
• syft should not warn on known bad package.json [#3470 #3645 @​kzantow]
• Scanning a project with many DLLs is slow [#3455 #3677 @​rogueai]
• cyclone-dx presenter drops files, includes only packages [#3435 #3539 @​spiffcs]
• "syft config" output swaps comments for search-indexed-archives / search-unindexed-archives [#3624 #3630 @​spiffcs]
• dpkg license improvement for non SPDX licenses [#3090 #3366 @​HeyeOpenSource]
• RPM-based PURLs sometimes have incorrect namespace (specifically OpenSUSE) [#3534 #3615 @​mprpic]

Additional Changes

• update to go 1.24.x [#3660 @​westonsteimel]
• replace all shorthand tags of mapstruct -> mapstructure [#3633 @​spiffcs]

(Full Changelog)

v1.19.0

Added Features

• add license parsing from vendor dirs [#3522 @​dschmidt]
• Support cataloging NuGet packages [#373 #3484 @​Kemosabert]

Bug Fixes

• Syft generates invalid PURLs when name contains : [#3577 #3596 @​spiffcs @​jkugler]
• warn instead of error if zero package catalogers are select - user might still run file metadata cataloger, for example [#3128 #3468 @​tomersein]
• sbom report: missing licenses [#3527 #3549 @​kzantow]

Additional Changes

• bump stereoscope to v0.0.13 [#3601 @​spiffcs]

(Full Changelog)

v1.18.1

Bug Fixes

• Runtime Error with Syft on Singularity .sif file (panic: index out of range) [#3390]

... (truncated)

Commits

• 46522bc chore: update packageurl-go (#3678)
• aeea170 fix: disable cert validation in dotnet-portable-executable-cataloger by defau...
• dd2ee2b fix: find bitnami files even when no relationships (#3676)
• edcfbe2 chore(deps): update tools to latest versions (#3652)
• aff025b chore(deps): update CPE dictionary index (#3666)
• 97a99e1 chore(deps): bump actions/cache from 4.2.0 to 4.2.1 (#3670)
• edc361c chore(deps): bump actions/cache in /.github/actions/bootstrap (#3671)
• 2317c5a chore(deps): bump github.com/docker/docker (#3673)
• 52bd4ac fix: correctly trim conanfile line breaks (#3672)
• 59b84f3 chore(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 (#3667)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.