chore(deps): update Syft to v0.97.1 #427

Merged: 2 commits merged into main from auto/latest-syft, Nov 18, 2023

Conversation

anchore-actions-token-generator[bot] (Contributor) commented Nov 8, 2023

Update Syft to v0.97.1

anchore-actions-token-generator[bot] added the "dependencies" label (Pull requests that update a dependency file) Nov 8, 2023
anchore-actions-token-generator[bot] changed the title from "chore(deps): update Syft to v0.95.0" to "chore(deps): update Syft to v0.96.0" Nov 10, 2023
willmurphyscode (Contributor) commented

/update-snapshots

willmurphyscode (Contributor) commented

It looks like Syft's SPDX JSON has added a node for the package itself, e.g. `syft -q busybox:latest -o spdx-json | jq '.packages[1]'` produces:

{
  "name": "busybox",
  "SPDXID": "SPDXRef-DocumentRoot-Image-busybox",
  "versionInfo": "sha256:650457c40132bba45967154bffe121a1f388703bd6078db74acbb02f123db572",
  "supplier": "NOASSERTION",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": false,
  "checksums": [
    {
      "algorithm": "SHA256",
      "checksumValue": "650457c40132bba45967154bffe121a1f388703bd6078db74acbb02f123db572"
    }
  ],
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:oci/busybox@sha256:650457c40132bba45967154bffe121a1f388703bd6078db74acbb02f123db572?arch=arm64&tag=latest"
    }
  ],
  "primaryPackagePurpose": "CONTAINER"
}

I'm curious whether this is stable between runs.

The last test run has the following lines:

    - PackageChecksum: SHA256: b51c3b88a7c95562982d886e727a3b5ca55c8661e2ce0796e8ecff94d83efd10
    + PackageChecksum: SHA256: 9d2dc4db7feee43df091d5acea59ba54ee28cdaef06d4102b89a4ddfda060e29
       ExternalRef: PACKAGE-MANAGER purl pkg:oci/localhost:5000/match-coverage/debian@sha256:redacted?arch=amd64&tag=latest

(link: https://github.com/anchore/sbom-action/actions/runs/6829517603/job/18575823500?pr=427#step:6:3262 )

Note that the sha256 of the image is redacted in the PURL, but not in the checksum.

I'm going to trigger another snapshot update and see whether it changes these SHAs - that would be a good indication that they're unstable and need to be redacted.

willmurphyscode (Contributor) commented

/update-snapshots

willmurphyscode (Contributor) commented Nov 10, 2023

It looks like that's the problem - the commit from the last snapshot update changed all the checksums of the images: e5223e8

I think this is because the images get re-built on updating snapshots (see

    docker build -t localhost:5000/match-coverage/$distro ./tests/fixtures/image-$distro-match-coverage

) and during the test run (see

    docker build -t localhost:5000/match-coverage/$distro ./tests/fixtures/image-$distro-match-coverage

), so they won't necessarily have the same digest.

I think there are basically 2 (edit: 3! (edit: 5!)) paths forward:

  1. Update the tests with smarter redaction, so that the digest of the image isn't compared between runs. (Right now the redaction is regex based, which might prove tricky if we want to redact some sha256 hashes and not others.)
  2. Update the test method to build and push the images only if they changed, so that the digest is stable. (This requires more work, since we'd need to auth to a repo for the push, and detect whether the images changed to determine whether to rebuild.)
  3. Inspect the image and note the SHA to redact that particular SHA, both during snapshot update and during the test run. This might be a nice workaround, since it doesn't require parsing the SBOM to redact the right component, and it doesn't require rearranging how the test flow handles images.
  4. Redact everything that looks like a sha256 in the snapshots; this repo is responsible for calling syft, not for making sure syft's output is correct (those tests are in syft).
  5. Stop having snapshot tests in this repo; this repo is responsible for calling syft, not for making sure syft's output is correct (those tests are in syft).

    ❯ docker image inspect localhost:5000/match-coverage/debian:latest | jq '.[0].Id'
    "sha256:ef3441176ddbd3508b767c2119f9adc1ad04b6e37b1f191797bf277d464e3ca6"

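The following is an added example, not sbom-action's own test code and not something posted in this thread. It simulates two rebuilds of the same test image (each rebuild gets a new digest) and compares three ways of redacting an SPDX tag-value snapshot: the purl-only regex the comments describe as the current behaviour, option 3 (take the image ID from `docker image inspect` and redact exactly that value everywhere), and option 4 (redact anything that looks like a SHA-256). Everything here is constructed: the snapshot lines mirror the shape of the failing diff above, the digests are made-up hex, the `docker image inspect` JSON is a stand-in with only the fields used, and the example assumes, as option 3 proposes, that the inspected image ID is the digest Syft records for the root package node. All function names are the example's own.

```typescript
// Added example (not sbom-action's own code): simulate two rebuilds of the
// same test image and compare redaction strategies for an SPDX tag-value
// snapshot. All inputs below are constructed; nothing talks to Docker.

// Hex digests standing in for "rebuild 1" and "rebuild 2" of the image, and
// for an ordinary package checksum that does not change between builds.
const DIGEST_A = "a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1";
const DIGEST_B = "b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2";
const STABLE_PKG_DIGEST = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";

// Render the snapshot lines the thread's diff shows (root package node plus
// one normal package) for an image whose digest is `hex`.
function renderSnapshot(hex: string): string {
  const image = "localhost:5000/match-coverage/debian";
  return [
    "PackageName: debian",
    "SPDXID: SPDXRef-DocumentRoot-Image-debian",
    "PackageVersion: sha256:" + hex,
    "PackageChecksum: SHA256: " + hex,
    "ExternalRef: PACKAGE-MANAGER purl pkg:oci/" + image + "@sha256:" + hex + "?arch=amd64&tag=latest",
    "PackageName: libc6",
    "PackageChecksum: SHA256: " + STABLE_PKG_DIGEST,
  ].join("\n");
}

// Constructed stand-in for `docker image inspect <image>` output (only the
// fields used here).
function fakeInspectJson(hex: string): string {
  return JSON.stringify([{ Id: "sha256:" + hex, RepoTags: ["localhost:5000/match-coverage/debian:latest"] }]);
}

// Option 3: take the image ID from `docker image inspect` output, assumed here
// to be the digest Syft records for the root package, so exactly that value
// can be redacted in both the snapshot update and the test run.
function imageDigestsFromInspect(inspectJson: string): string[] {
  const entries = JSON.parse(inspectJson) as Array<{ Id?: string }>;
  return entries
    .map((e) => (e.Id || "").replace(/^sha256:/, ""))
    .filter((id) => /^[0-9a-f]{64}$/.test(id));
}

// The purl-only regex redaction the thread describes: blanks "@sha256:<hex>"
// but leaves the PackageChecksum/PackageVersion lines carrying the same hex.
function redactPurlDigestOnly(snapshot: string): string {
  return snapshot.replace(/@sha256:[0-9a-f]{64}/g, "@sha256:redacted");
}

// Option 3: redact every occurrence of each known image digest, wherever it
// appears. split/join rather than a regex: hex has no metacharacters to escape.
function redactKnownDigests(snapshot: string, hexDigests: string[]): string {
  return hexDigests.reduce((text, hex) => text.split(hex).join("redacted"), snapshot);
}

// Option 4: redact anything that looks like a SHA-256. Stable, but every
// per-package checksum is blanked too, so that part of Syft's output is no
// longer checked by the snapshot.
function redactAllSha256(snapshot: string): string {
  return snapshot.replace(/\b[0-9a-f]{64}\b/gi, "redacted");
}

// Post-redaction check: which 64-hex values survive? Any image digest left
// here will differ on the next rebuild and break the snapshot comparison.
function remainingDigests(snapshot: string): string[] {
  return snapshot.match(/\b[0-9a-f]{64}\b/gi) || [];
}

// Does a strategy give byte-identical text for two rebuilds of the image?
function stableAcrossRebuilds(redact: (snapshot: string, hex: string) => string): boolean {
  return redact(renderSnapshot(DIGEST_A), DIGEST_A) === redact(renderSnapshot(DIGEST_B), DIGEST_B);
}

console.log("purl-only regex stable:", stableAcrossRebuilds(redactPurlDigestOnly)); // false
console.log("known-digest redaction stable:", stableAcrossRebuilds((s, hex) => redactKnownDigests(s, [hex]))); // true
console.log("redact-all stable:", stableAcrossRebuilds((s) => redactAllSha256(s))); // true
console.log(
  "still unredacted after known-digest redaction:",
  remainingDigests(redactKnownDigests(renderSnapshot(DIGEST_A), imageDigestsFromInspect(fakeInspectJson(DIGEST_A)))),
); // only the libc6 checksum
```

The `remainingDigests` check is the part worth keeping in a real harness: after redaction, assert that the only 64-hex values left are ones you expect to be identical between the snapshot update and the test run. Option 3 keeps per-package checksums under test; option 4 is simpler but silently stops comparing them.
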
willmurphyscode (Contributor) commented

It looks like the bot force pushed over the snapshot updates. Rude. We should fix the bot at some point.

willmurphyscode (Contributor) commented

/update-snapshots

anchore-actions-token-generator[bot] changed the title from "chore(deps): update Syft to v0.96.0" to "chore(deps): update Syft to v0.97.0" Nov 17, 2023
Signed-off-by: GitHub <noreply@github.com>
anchore-actions-token-generator[bot] changed the title from "chore(deps): update Syft to v0.97.0" to "chore(deps): update Syft to v0.97.1" Nov 17, 2023
Signed-off-by: Will Murphy <will.murphy@anchore.com>
willmurphyscode merged commit c9fb15d into main Nov 18, 2023
11 checks passed
willmurphyscode deleted the auto/latest-syft branch November 18, 2023 14:06