Bump github.com/google/osv-scanner from 1.6.1 to 1.8.0

[dependabot[bot]]

Bumps github.com/google/osv-scanner from 1.6.1 to 1.8.0.

Release notes

Sourced from github.com/google/osv-scanner's releases.

v1.7.4:

Features:

• [Feature #943](google/osv-scanner#943) Support scanning gradle/verification-metadata.xml files.

Misc:

• [Bug #968](google/osv-scanner#968) Hide unimportant Debian vulnerabilities to reduce noise.

New Contributors

• @​khorben made their first contribution in google/osv-scanner#969

Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.3...v1.7.4

v1.7.3:

Features:

• [Feature #934](google/osv-scanner#934) add support for PNPM v9 lockfiles.

Fixes:

• [Bug #938](google/osv-scanner#938) Ensure the sarif output has a stable order.
• [Bug #922](google/osv-scanner#922) Support filtering on alias IDs in Guided Remediation.

Full Changelog: https://github.com/google/osv-scanner/compare/v1.7.2...v1.7.3

v1.7.2:

Fixes:

• [Bug #899](google/osv-scanner#899) Guided Remediation: Parse paths in npmrc auth fields correctly.
• [Bug #908](google/osv-scanner#908) Fix rust call analysis by explicitly disabling stripping of debug info.
• [Bug #914](google/osv-scanner#914) Fix regression for go call analysis introduced in 1.7.0.

v1.7.1:

(There was no Github release for this version)

Fixes

• [Bug #856](google/osv-scanner#856) Add retry logic to make calls to OSV.dev API more resilient. This combined with changes in OSV.dev's API should result in much less timeout errors.

API Features

• [Feature #781](google/osv-scanner#781) add MakeVersionRequestsWithContext()

... (truncated)

Changelog

Sourced from github.com/google/osv-scanner's changelog.

v1.8.0:

Features:

• [Feature #35](google/osv-scanner#35) OSV-Scanner now scans transitive dependencies in Maven pom.xml files! See our documentation for more information.
• [Feature #944](google/osv-scanner#944) The osv-scanner.toml configuration file can now filter specific packages with new [[PackageOverrides]] sections:

  [[PackageOverrides]]
  # The package name, version, and ecosystem to match against
  name = "lib"
  # If version is not set or empty, it will match every version
  version = "1.0.0"
  ecosystem = "Go"
  # Ignore this package entirely, including license scanning
  ignore = true
  # Override the license of the package
  # This is not used if ignore = true
  license.override = ["MIT", "0BSD"]
  # effectiveUntil = 2022-11-09 # Optional exception expiry date
  reason = "abc"
  

Minor Updates

• [Feature #1039](google/osv-scanner#1039) The --experimental-local-db flag has been removed and replaced with a new flag --experimental-download-offline-databases which better reflects what the flag does.
  To replicate the behavior of the original --experimental-local-db flag, replace it with both --experimental-offline --experimental-download-offline-databases flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.

Fixes:

• [Bug #1000](google/osv-scanner#1000) Standard dependencies now correctly override dependencyManagement dependencies when scanning pom.xml files in offline mode.

v1.7.4:

Features:

• [Feature #943](google/osv-scanner#943) Support scanning gradle/verification-metadata.xml files.

Misc:

• [Bug #968](google/osv-scanner#968) Hide unimportant Debian vulnerabilities to reduce noise.

v1.7.3:

Features:

• [Feature #934](google/osv-scanner#934) add support for PNPM v9 lockfiles.

... (truncated)

Commits

• 2d1181a v1.8.0 Changelog (#1050)
• 62fedd4 Add documentation for the configuration. (#1051)
• b47f43b Update documentation for transitive dependency scanning (#1040)
• 27db6bf Invoke MavenResolverExtrator when scanning pom.xml (#1028)
• d55ad07 fix(deps): update osv-scanner minor (#1044)
• 188a296 chore(deps): update workflows (#1043)
• cc3fe33 chore(deps): update golang docker tag to v1.22.4 (#896)
• 565c692 chore(deps): lock file maintenance (#1033)
• 303048a chore(deps): update goreleaser/goreleaser-action action to v6 (#1032)
• ace9154 Add experimental-download-offline-databases flag (#1039)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot[bot]]

Superseded by #546.