build(deps): bump github.com/google/osv-scanner from 1.8.5 to 1.9.2

[dependabot]

Bumps github.com/google/osv-scanner from 1.8.5 to 1.9.2.

Release notes

Sourced from github.com/google/osv-scanner's releases.

v1.9.2

Changelog

Fixes:

• [Bug #1327](google/osv-scanner#1327) Parsing crash on malformed pnpm lockfile.
• [Bug #1377](google/osv-scanner#1377) Warn if a vulnerability is ignored multiple times in the same config.
• [Bug #1394](google/osv-scanner#1394) Guided remediation: handle extraneous/missing packages in package-lock.json more leniently.
• [Bug #1443](google/osv-scanner#1443) Go call analysis now works with Go version up to v1.23.4.
• [Bug #1436](google/osv-scanner#1436) Only fetch Maven snapshots and releases when enabled.
• [Bug #1456](google/osv-scanner#1456) Remove redundant calls from PreFetch.

New Contributors

• @​ivmeta made their first contribution in google/osv-scanner#1327
• @​janniclas made their first contribution in google/osv-scanner#1398

Full Changelog: google/osv-scanner@v1.9.1...v1.9.2

v1.9.1

OSV-Scanner v2 is coming soon! The next release will start with version v2.0.0-alpha1.

Here's a peek at some of the exciting upcoming features:

• Standalone container image scanning support.
  • Including support for Alpine and Debian images.
• Refactored internals to use osv-scalibr library for better extraction capabilities.
• HTML output format for clearer vulnerability results.
• More control over output format and logging.
• ...and more!

Importantly, the CLI interface of osv-scanner will be maintained with minimal breaking changes. Most breaking changes will only be in the API. More details in the upcoming alpha release.

---

This is the final feature v1 release of osv-scanner, future releases for v1 will only contain bug fixes.

v1.9.1

Features:

• [Feature #1295](google/osv-scanner#1295) Support offline database in fix subcommand.
• [Feature #1342](google/osv-scanner#1342) Add --experimental-offline-vulnerabilities and --experimental-no-resolve flags.
• [Feature #1045](google/osv-scanner#1045) Support private registries for Maven.
• [Feature #1226](google/osv-scanner#1226) Support vulnerabilities.ignore in package overrides.

Fixes:

• [Bug #604](google/osv-scanner#604) Use correct path separator in SARIF output when on Windows.
• [Bug #330](google/osv-scanner#330) Warn about and ignore duplicate entries in SBOMs.

... (truncated)

Changelog

Sourced from github.com/google/osv-scanner's changelog.

v1.9.2

Fixes:

• [Bug #1327](google/osv-scanner#1327) Parsing crash on malformed pnpm lockfile.
• [Bug #1377](google/osv-scanner#1377) Warn if a vulnerability is ignored multiple times in the same config.
• [Bug #1394](google/osv-scanner#1394) Guided remediation: handle extraneous/missing packages in package-lock.json more leniently.
• [Bug #1443](google/osv-scanner#1443) Go call analysis now works with Go version up to v1.23.4.
• [Bug #1436](google/osv-scanner#1436) Only fetch Maven snapshots and releases when enabled.
• [Bug #1456](google/osv-scanner#1456) Remove redundant calls from PreFetch.

v1.9.1

OSV-Scanner v2 is coming soon! The next release will start with version v2.0.0-alpha1.

Here's a peek at some of the exciting upcoming features:

• Standalone container image scanning support.
  • Including support for Alpine and Debian images.
• Refactored internals to use osv-scalibr library for better extraction capabilities.
• HTML output format for clearer vulnerability results.
• More control over output format and logging.
• ...and more!

Importantly, the CLI interface of osv-scanner will be maintained with minimal breaking changes. Most breaking changes will only be in the API. More details in the upcoming alpha release.

---

This is the final feature v1 release of osv-scanner, future releases for v1 will only contain bug fixes.

Features:

• [Feature #1295](google/osv-scanner#1295) Support offline database in fix subcommand.
• [Feature #1342](google/osv-scanner#1342) Add --experimental-offline-vulnerabilities and --experimental-no-resolve flags.
• [Feature #1045](google/osv-scanner#1045) Support private registries for Maven.
• [Feature #1226](google/osv-scanner#1226) Support support vulnerabilities.ignore in package overrides.

Fixes:

• [Bug #604](google/osv-scanner#604) Use correct path separator in SARIF output when on Windows.
• [Bug #330](google/osv-scanner#330) Warn about and ignore duplicate entries in SBOMs.
• [Bug #1325](google/osv-scanner#1325) Set CharsetReader and Entity when reading pom.xml.
• [Bug #1310](google/osv-scanner#1310) Update spdx license ids.
• [Bug #1288](google/osv-scanner#1288) Sort sbom packages by PURL.
• [Bug #1285](google/osv-scanner#1285) Improve handling if docker exits with a non-zero code when trying to scan images

API Changes:

• Deprecate auxillary public packages: As part of the V2 update described above, we have started deprecating some of the auxillary packages

... (truncated)

Commits

• 1e295ee chore: v1.9.2 Changelog (#1455)
• 5e6828a chore: cherry-pick fixes to v1 (#1459)
• 474edfd chore: Update test dockerfile node hash
• 15d1aea chore(deps): update alpine docker tag to v3.21 (#1431)
• 152731f test(maven): remove the test of transitive scanning on native data source (#1...
• 722ff76 chore: update golangci-lint to version 1.62.2 (#1426)
• 5ae7169 test: update snapshots (#1421)
• 4906e9d ci: add versions fixture generator for Red Hat (#1356)
• 4ba4a92 docs: clarify commit message requirements in contribution.md (#1416)
• 9e98057 chore(deps): lock file maintenance (#1415)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)