chore: migrate syft to use mholt/archives instead of anchore fork

[Rupikz]

Description

Rewritten deprecated fork github.com/anchore/archiver to github.com/mholt/archives

Type of change

• Bug fix (non-breaking change which fixes an issue)
• Chore (improve the developer experience, fix a test flake, etc, without changing the visible behavior of Syft)

Checklist:

• I have tested my code in common scenarios and confirmed there are no regressions

[spiffcs]

I updated this to use the same kind of SafeJoin functionality so we don't escape the tmpDir like we do in other parts of syft. If the archives library already handles this internally apologies I just couldn't find it on a quick inspection.

[spiffcs]

@wagoodman I've looked at this one and added a small protection.

The visitor now uses a path aware directory join and cannot write outside the temp directory.
Tests also added.
Can you give a second pair of 👀 on this since I added a commit and would like a second review before we 🟢.

Also, I don't know what Static Analysis is on about here. I've checked out this branch even on a different machine and it's told me the go.mod and go.sum are tidy locally ☹️. I ended up doing a manual edit to fix the go.sum, but that seems super wrong.

[spiffcs]

This one now looks good to me after a first pass review. I identified a section in the visitor where we might be able to escape and write files to paths outside the temp directory so added a fix for this. I'd like additional 👀 from someone on @anchore/tools to check my work.

one more change is needed here where we also protect against symlink attacks

[kzantow]

Overall LGTM the SafeJoin usage I think is good 👍 main things I think we should update:

• don't ever need to log.Error close problems, there's a CloseAndLogError utility to simplify a bunch of those calls anyway
• the tests don't seem to be actually testing the function we want to verify: UnzipToDir