Bump github.com/anchore/syft from 0.35.0 to 0.40.0 in /create-stack

[dependabot[bot]]

Bumps github.com/anchore/syft from 0.35.0 to 0.40.0.

Release notes

Sourced from github.com/anchore/syft's releases.

v0.40.0

Changelog

v0.40.0 (2022-03-02)

Full Changelog

Added Features

• Add support for multiple CPEs in CycloneDX [[Issue #818](anchore/syft#818
• Use syft property namespace in CycloneDX [[Issue #842](anchore/syft#842

Bug Fixes

• Wrong digest used for in-toto statement subject when using Docker daemon source [[Issue #855](anchore/syft#855

v0.39.3

Changelog

v0.39.3 (2022-02-26)

Full Changelog

Added Features

• Allow for CPE strings that can later be sanitized [[PR #844](anchore/syft#844 [wagoodman]
• Ability to sign or attest the generated SBOM [[Issue #510](anchore/syft#510

Bug Fixes

• Resolve symlinks when fetching file contents [[PR #782](anchore/syft#782 [wagoodman]
• Add exception for handlebars java package to generate nodejs CPE [[PR #837](anchore/syft#837 [wagoodman]
• Do not generate empty CPEs for non-compliant CPE fields [[PR #850](anchore/syft#850 [spiffcs]
• unable to catalog dpkg package=/var/lib/dpkg/status [[Issue #733](anchore/syft#733
• Deduplicate docker image manifests [[Issue #825](anchore/syft#825
• scan crash with panic: runtime error: index out of range [1] with length 1 when parsing invalid formatted requirements.txt file [[Issue #831](anchore/syft#831

v0.38.0

Changelog

v0.38.0 (2022-02-15)

Full Changelog

... (truncated)

Commits

• 1e75cb0 Update to cosign v1.5.2 (#857)
• afc0c1a 855 attest registry source only (#856)
• edac8c7 Update CycloneDX to use syft namespace and output multiple CPEs (#849)
• d2f28e0 Restore single goreleaser file (#853)
• 1d1a7de Fix goreleaser generated config path (#852)
• 24cd390 Share import mac code signing certificate steps for release (#851)
• bb3d713 cpe generation update (#850)
• c89131b Bump release timeout (#848)
• 6c306ef Enhance container image labels for ArtifactHub (#839)
• 99bb93d Resolve symlinks when fetching file contents (#782)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[ryanmoran]

@dependabot ignore this major version

[dependabot[bot]]

OK, I won't notify you about version 0.x.x again, unless you re-open this PR or update to a 0.x.x release yourself.

[ryanmoran]

We cannot bump forward the version of syft until such time as https://github.com/anchore/syft/issues/846 is resolved and allows us to control the schema version output.