
syft 1.24.0 debug container - wget fails TLS #3891

@b00ga

What happened:
Our local CI pipeline pulled the latest syft container and the syft job failed.
We were pulling the debug tag (so, latest debug) so that CI could call busybox wget to download our private Root CA file for use by syft. wget now fails.

What you expected to happen:
busybox wget succeeds in downloading the root CA so syft can use it to verify local registry downloads.

Steps to reproduce the issue:
Running with latest debug (v1.24.0)
docker run -it --rm --entrypoint /busybox/wget anchore/syft:v1.24.0-debug --no-check-certificate --spider https://website.signed.with.untrusted.cert.example.com
Returns:

wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer

However previous version debug (v1.23.1):
docker run -it --rm --entrypoint /busybox/wget anchore/syft:v1.23.1-debug --no-check-certificate --spider https://website.signed.with.untrusted.cert.example.com
returns:

remote file exists

Anything else we need to know?:
This appears to be an upstream issue in busybox. I couldn't quite find a specific issue in their tracker, but I can reproduce it with the upstream busybox containers, and it appears to be fixed in the latest busybox.

Works:

  • docker run -it --rm busybox:1.35 /bin/wget --no-check-certificate --spider https://mysite.example.com
  • docker run -it --rm busybox:1.37 /bin/wget --no-check-certificate --spider https://mysite.example.com

Fails:

  • docker run -it --rm busybox:1.36 /bin/wget --no-check-certificate --spider https://mysite.example.com

And note the associated busybox version in the syft containers:

$ docker run -it --rm --entrypoint wget  anchore/syft:v1.24.0-debug | head -1
BusyBox v1.36.1 (2024-01-18 03:21:25 UTC) multi-call binary.
$ docker run -it --rm --entrypoint wget  anchore/syft:v1.23.1-debug | head -1
BusyBox v1.35.0 (2023-03-03 23:47:31 UTC) multi-call binary.

Environment:
Tested with syft containers:

$ docker run -it --rm anchore/syft:v1.23.1-debug --version
syft 1.23.1
$ docker run -it --rm anchore/syft:v1.24.0-debug --version
syft 1.24.0
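
The reproduction commands above run wget with --no-check-certificate, and the file being fetched is the root CA itself, so the TLS connection does not authenticate what is downloaded. As an added example (not part of the original issue or of the syft project), this POSIX shell function checks the downloaded file against a SHA-256 digest pinned in the CI configuration before it is used as a trust anchor; the file path and the `CA_URL` and `ROOT_CA_SHA256` names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the issue. Verifies a downloaded root CA file
# against a SHA-256 digest that is pinned in the CI configuration.

# verify_ca_pin FILE EXPECTED_SHA256
# Returns 0 only if FILE is non-empty, contains a PEM certificate header,
# and its SHA-256 digest equals EXPECTED_SHA256 (hex, case-insensitive).
verify_ca_pin() {
    ca_file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # A failed or truncated download must never be accepted.
    [ -s "$ca_file" ] || { echo "CA file missing or empty: $ca_file" >&2; return 2; }

    # Reject a malformed pin so an unset CI variable cannot pass the check.
    case $expected in
        *[!0-9a-f]*) echo "pin is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pin must be 64 hex characters" >&2; return 2; }

    # An HTML error page or redirect body saved as the CA file fails here.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file" || {
        echo "not a PEM certificate: $ca_file" >&2
        return 3
    }

    actual=$(sha256sum "$ca_file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "CA digest mismatch: got $actual" >&2
        return 1
    fi
    return 0
}

# Usage in a CI job (URL, path and variable names are hypothetical):
#   wget --no-check-certificate -O /tmp/root-ca.pem "$CA_URL"
#   verify_ca_pin /tmp/root-ca.pem "$ROOT_CA_SHA256" || exit 1
```

The pinned digest has to reach the job through a channel other than the download itself, for example a protected CI variable or a value committed to the pipeline repository.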

Labels: bug (Something isn't working)
Status: Done