Bump github.com/google/osv-scanner from 1.7.2 to 1.8.1

[dependabot[bot]]

Bumps github.com/google/osv-scanner from 1.7.2 to 1.8.1.

Release notes

Sourced from github.com/google/osv-scanner's releases.

v1.8.1

v1.8.0/v1.8.1:

Features:

• [Feature #35](google/osv-scanner#35) OSV-Scanner now scans transitive dependencies in Maven pom.xml files! See our documentation for more information.
• [Feature #944](google/osv-scanner#944) The osv-scanner.toml configuration file can now filter specific packages with new [[PackageOverrides]] sections:

  [[PackageOverrides]]
  # The package name, version, and ecosystem to match against
  name = "lib"
  # If version is not set or empty, it will match every version
  version = "1.0.0"
  ecosystem = "Go"
  # Ignore this package entirely, including license scanning
  ignore = true
  # Override the license of the package
  # This is not used if ignore = true
  license.override = ["MIT", "0BSD"]
  # effectiveUntil = 2022-11-09 # Optional exception expiry date
  reason = "abc"
  

Minor Updates

• [Feature #1039](google/osv-scanner#1039) The --experimental-local-db flag has been removed and replaced with a new flag --experimental-download-offline-databases which better reflects what the flag does.
  To replicate the behavior of the original --experimental-local-db flag, replace it with both --experimental-offline --experimental-download-offline-databases flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.

Fixes:

• [Bug #1000](google/osv-scanner#1000) Standard dependencies now correctly override dependencyManagement dependencies when scanning pom.xml files in offline mode.

New Contributors

• @​np5 made their first contribution in google/osv-scanner#1029

Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.4...v1.8.1

v1.7.4:

Features:

• [Feature #943](google/osv-scanner#943) Support scanning gradle/verification-metadata.xml files.

Misc:

• [Bug #968](google/osv-scanner#968) Hide unimportant Debian vulnerabilities to reduce noise.

... (truncated)

Changelog

Sourced from github.com/google/osv-scanner's changelog.

v1.8.0/v1.8.1:

Features:

• [Feature #35](google/osv-scanner#35) OSV-Scanner now scans transitive dependencies in Maven pom.xml files! See our documentation for more information.
• [Feature #944](google/osv-scanner#944) The osv-scanner.toml configuration file can now filter specific packages with new [[PackageOverrides]] sections:

  [[PackageOverrides]]
  # The package name, version, and ecosystem to match against
  name = "lib"
  # If version is not set or empty, it will match every version
  version = "1.0.0"
  ecosystem = "Go"
  # Ignore this package entirely, including license scanning
  ignore = true
  # Override the license of the package
  # This is not used if ignore = true
  license.override = ["MIT", "0BSD"]
  # effectiveUntil = 2022-11-09 # Optional exception expiry date
  reason = "abc"
  

Minor Updates

• [Feature #1039](google/osv-scanner#1039) The --experimental-local-db flag has been removed and replaced with a new flag --experimental-download-offline-databases which better reflects what the flag does.
  To replicate the behavior of the original --experimental-local-db flag, replace it with both --experimental-offline --experimental-download-offline-databases flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.

Fixes:

• [Bug #1000](google/osv-scanner#1000) Standard dependencies now correctly override dependencyManagement dependencies when scanning pom.xml files in offline mode.

v1.7.4:

Features:

• [Feature #943](google/osv-scanner#943) Support scanning gradle/verification-metadata.xml files.

Misc:

• [Bug #968](google/osv-scanner#968) Hide unimportant Debian vulnerabilities to reduce noise.

v1.7.3:

Features:

• [Feature #934](google/osv-scanner#934) add support for PNPM v9 lockfiles.

... (truncated)

Commits

• 46aee59 Make 1.8.1 release (#1056)
• 1bd8400 feat: bump goreleaser to v2 (#1054)
• 0bb73a6 Update goreleaser.yml (#1052)
• 2d1181a v1.8.0 Changelog (#1050)
• 62fedd4 Add documentation for the configuration. (#1051)
• b47f43b Update documentation for transitive dependency scanning (#1040)
• 27db6bf Invoke MavenResolverExtrator when scanning pom.xml (#1028)
• d55ad07 fix(deps): update osv-scanner minor (#1044)
• 188a296 chore(deps): update workflows (#1043)
• cc3fe33 chore(deps): update golang docker tag to v1.22.4 (#896)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[academo]

@briangann you want to take a look at this?

[dependabot[bot]]

Superseded by #233.