chore: migrate syft to use anchore fork of archiver without replace

[spiffcs]

Description

This PR Addresses a security fix for syft/grype.

Syft and grype were never vulnerable to GHSA-rhh4-rh7c-7r5v given the steps taken to fork, fix, and use a replace directive for the upstream repository. This PR moves syft to officially use the fork without a replace directive. This will help reduce false positives in upstream security tools (including grype).

Given the the upstream repository has been archived without a fix we've moved to using our fork officially without the replace directive until another solution can be found.

Some fixtures in the Golang cataloger also used this repository and needed to be updated which is why the diff is marginally larger than expected for this change. Rather than change by hand I ran the go toolchain commands against these packages causing other updates which are reflected in the tests.

• Addresses #grype-2304

Type of change

• Bug fix (non-breaking change which fixes an issue)

[kzantow]

Does this need to change? I frequently seem to have odd stuff happen when the toolchain directive is present. I think the directive doesn't get used if specifying the patch version -- e.g. could this be go 1.23.2? or just stay at go 1.22.9? it looks like we are installing 1.22.x in the workflows, still, so probably either update everything to 1.23 or stay on 1.22?

[spiffcs]

I didn't change it on purpose. It's being added here by the tooling. I think we should allow syft/grype to naturally move forward with go versions as they come out. 1.23 was released in August so it's probably time for us to roll forward with the language.

[spiffcs]

I've removed the toolchain directive and just migrated us forward to 1.23.2 in this and the workflow files

[kzantow]

👍