build(deps): bump github.com/anchore/syft from 0.85.0 to 0.87.0

[dependabot]

Bumps github.com/anchore/syft from 0.85.0 to 0.87.0.

Release notes

Sourced from github.com/anchore/syft's releases.

v0.87.0

v0.87.0 (2023-08-14)

Full Changelog

Added Features

• feat: use originator logic to fill supplier [[PR #1980](https://redirect.github.com/feat: use originator logic to fill supplier anchore/syft#1980)] [spiffcs]
• Expand deb cataloger to include opkg [[PR #1985](https://redirect.github.com/Expand deb cataloger to include opkg anchore/syft#1985)] [johnDeSilencio]
• Package duplicated by different cataloger [[Issue #931](https://redirect.github.com/Package duplicated by different cataloger anchore/syft#931)] [[PR #1948](https://redirect.github.com/931: binary cataloger exclusion defaults anchore/syft#1948)] [spiffcs]
• Add binary cataloger for Nginx built from source [[Issue #1945](https://redirect.github.com/Add binary cataloger for Nginx built from source anchore/syft#1945)] [[PR #1988](https://redirect.github.com/Create nginx binary classifier anchore/syft#1988)] [SemProvoost]

Bug Fixes

• chore: update bubbly to fix hanging [[PR #1990](https://redirect.github.com/chore: update bubbly to fix hanging anchore/syft#1990)] [kzantow]
• fix: update glob to use newer usr/lib/sysimage path [[PR #1997](https://redirect.github.com/fix: update glob to use newer usr/lib/sysimage path anchore/syft#1997)] [spiffcs]
• fix: SPDX license values and download location [[PR #2007](https://redirect.github.com/fix: SPDX license values and download location anchore/syft#2007)] [kzantow]
• Different CPEs between java-cataloger and java-gradle-lockfile-cataloger [[Issue #1957](https://redirect.github.com/Different CPEs between java-cataloger and java-gradle-lockfile-cataloger anchore/syft#1957)] [[PR #1995](https://redirect.github.com/fix: gradle lockfile parser groupId handling anchore/syft#1995)] [kzantow]

v0.86.1

Changelog

v0.86.1 (2023-07-31)

Full Changelog

Bug Fixes

• Source requires default image name as user input for unparsable reference [[PR #1979](https://redirect.github.com/fix: default image source name to user input anchore/syft#1979)] [kzantow]

v0.86.0

Changelog

v0.86.0 (2023-07-31)

Full Changelog

Added Features

• Introduce indexed embedded CPE dictionary [[PR #1897](https://redirect.github.com/Introduce indexed embedded CPE dictionary anchore/syft#1897)] [luhring]
• Add cataloger for Swift Package Manager. [[PR #1919](https://redirect.github.com/Add cataloger for Swift Package Manager. anchore/syft#1919)] [trilleplay]
• Guess unpinned versions in python requirements.txt [[PR #1597](https://redirect.github.com/feat: make python requirements.txt parser more inclusive anchore/syft#1597)] [[PR #1966](https://redirect.github.com/Guess unpinned versions in python requirements.txt anchore/syft#1966)] [manifestori] [wagoodman]
• Create a package record for the artifact an SBOM described when creating a SPDX SBOM [[Issue #1661](https://redirect.github.com/Create a package record for the artifact an SBOM described when creating a SPDX SBOM anchore/syft#1661)] [[Issue #1241](https://redirect.github.com/SPDX element/relationships should be defined for the container image being described anchore/syft#1241)] [[PR #1934](https://redirect.github.com/feat: support top-level SPDX package and graph anchore/syft#1934)] [kzantow]

Bug Fixes

... (truncated)

Commits

• b3d7ba5 fix: read direct package files when decoding SPDX tag-value (#2014)
• c7fe586 chore(deps): update bootstrap tools to latest versions (#2022)
• 28b06da chore(deps): update CPE dictionary index (#2025)
• a90cff1 chore(deps): update bootstrap tools to latest versions (#2012)
• 82eafea chore(deps): bump github.com/vifraa/gopom from 0.2.2 to 1.0.0 (#2008)
• 541c8d3 1948-filter-pkg-by-type (#2011)
• 6bf6f85 chore(deps): bump github.com/dave/jennifer from 1.6.1 to 1.7.0 (#2009)
• c7272fd fix: SPDX license values and download location (#2007)
• 466da7c 931: binary cataloger exclusion defaults for ownership by overlap (#1948)
• 2fc6509 chore(deps): bump golang.org/x/net from 0.13.0 to 0.14.0 (#2004)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[jedevc]

Updating to a commit on master, so we can still use anchore/syft#2028. Conveniently, this is the only commit to master since v0.87.0.

[dependabot]

A newer version of github.com/anchore/syft exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

[jedevc]

PTAL @cdupuis