We have observed that some third party vendor softwares are using .zap packaging type for Java packages. Syft can’t parse or read package information from .zap type.
Example,
https://github.com/zaproxy/zaproxy/releases/download/v2.17.0/ZAP_2.17.0_Linux.tar.gz
Extract tar.gz and .zap files are available at location “ZAP_2.17.0/plugin/”.
I have extracted zap file and contents are almost similar to jar file. Have you encountered any kind of these packing types other than .jar, .war,
Is there any plan to support these new packaging types?