Bump github.com/google/osv-scanner from 1.7.2 to 1.8.2

[dependabot[bot]]

Bumps github.com/google/osv-scanner from 1.7.2 to 1.8.2.

Release notes

Sourced from github.com/google/osv-scanner's releases.

v1.8.2

Features:

• [Feature #1014](google/osv-scanner#1014) Adding CycloneDX 1.4 and 1.5 output format. Thanks @​marcwieserdev!

Fixes:

• [Bug #769](google/osv-scanner#769) Fixed missing vulnerabilities for debian purls for --experimental-local-db.
• [Bug #1055](google/osv-scanner#1055) Ensure that package exists in affected property.
• [Bug #1072](google/osv-scanner#1072) Filter out unimportant vulnerabilities from vuln group.
• [Bug #1077](google/osv-scanner#1077) Fix rate osv-scanner deadlock.
• [Bug #924](google/osv-scanner#924) Ensure that npm dependencies retain their "production" grouping.

New Contributors

• @​neilnaveen made their first contribution in google/osv-scanner#1076
• @​marcwieserdev made their first contribution in google/osv-scanner#1014
• @​GeoDerp made their first contribution in google/osv-scanner#1073

Full Changelog: https://github.com/google/osv-scanner/compare/v1.8.1...v1.8.2

v1.8.1

v1.8.0/v1.8.1:

Features:

• [Feature #35](google/osv-scanner#35) OSV-Scanner now scans transitive dependencies in Maven pom.xml files! See our documentation for more information.
• [Feature #944](google/osv-scanner#944) The osv-scanner.toml configuration file can now filter specific packages with new [[PackageOverrides]] sections:

  [[PackageOverrides]]
  # The package name, version, and ecosystem to match against
  name = "lib"
  # If version is not set or empty, it will match every version
  version = "1.0.0"
  ecosystem = "Go"
  # Ignore this package entirely, including license scanning
  ignore = true
  # Override the license of the package
  # This is not used if ignore = true
  license.override = ["MIT", "0BSD"]
  # effectiveUntil = 2022-11-09 # Optional exception expiry date
  reason = "abc"
  

Minor Updates

• [Feature #1039](google/osv-scanner#1039) The --experimental-local-db flag has been removed and replaced with a new flag --experimental-download-offline-databases which better reflects what the flag does.

... (truncated)

Changelog

Sourced from github.com/google/osv-scanner's changelog.

v1.8.2:

Features:

• [Feature #1014](google/osv-scanner#1014) Adding CycloneDX 1.4 and 1.5 output format. Thanks @​marcwieserdev!

Fixes:

• [Bug #769](google/osv-scanner#769) Fixed missing vulnerabilities for debian purls for --experimental-local-db.
• [Bug #1055](google/osv-scanner#1055) Ensure that package exists in affected property.
• [Bug #1072](google/osv-scanner#1072) Filter out unimportant vulnerabilities from vuln group.
• [Bug #1077](google/osv-scanner#1077) Fix rate osv-scanner deadlock.
• [Bug #924](google/osv-scanner#924) Ensure that npm dependencies retain their "production" grouping.

v1.8.0/v1.8.1:

Features:

• [Feature #35](google/osv-scanner#35) OSV-Scanner now scans transitive dependencies in Maven pom.xml files! See our documentation for more information.
• [Feature #944](google/osv-scanner#944) The osv-scanner.toml configuration file can now filter specific packages with new [[PackageOverrides]] sections:

  [[PackageOverrides]]
  # The package name, version, and ecosystem to match against
  name = "lib"
  # If version is not set or empty, it will match every version
  version = "1.0.0"
  ecosystem = "Go"
  # Ignore this package entirely, including license scanning
  ignore = true
  # Override the license of the package
  # This is not used if ignore = true
  license.override = ["MIT", "0BSD"]
  # effectiveUntil = 2022-11-09 # Optional exception expiry date
  reason = "abc"
  

Minor Updates

• [Feature #1039](google/osv-scanner#1039) The --experimental-local-db flag has been removed and replaced with a new flag --experimental-download-offline-databases which better reflects what the flag does. To replicate the behavior of the original --experimental-local-db flag, replace it with both --experimental-offline --experimental-download-offline-databases flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.

Fixes:

• [Bug #1000](google/osv-scanner#1000) Standard dependencies now correctly override dependencyManagement dependencies when scanning pom.xml files in offline mode.

v1.7.4:

... (truncated)

Commits

• 1ea785e Bump go mod min version (#1109)
• b74f325 Add changelog for v1.8.2 (#1106)
• 07d648c Fix npm grouping (#1107)
• 3b7e71d Add warning to the default docker container scanning method (#1089)
• 0b3dc86 Move sbom to internal, and add standard output tests (#1104)
• 874dcdd fix: ensure that npm dependencies retain their "production" grouping (#939)
• e35bd05 test: add output fixtures for call analysis (#1093)
• 1460154 fix: restore custom styling to table format (#1094)
• fcc7afb chore(deps): lock file maintenance (#1103)
• 52b7ea6 chore(deps): update workflows (#1101)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[briangann]

looks good, tests are passing with this bump