:seedling: Bump github.com/google/osv-scanner from 1.8.5 to 1.9.0

[dependabot[bot]]

Bumps github.com/google/osv-scanner from 1.8.5 to 1.9.0.

Release notes

Sourced from github.com/google/osv-scanner's releases.

v1.9.0

What's Changed

Features:

• [Feature #1243](google/osv-scanner#1243) Allow explicitly ignoring the license of a package in config with license.ignore = true.
• [Feature #1249](google/osv-scanner#1249) Error if configuration file has unknown properties.
• [Feature #1271](google/osv-scanner#1271) Assume .txt files with "requirements" in their name are requirements.txt files

Fixes:

• [Bug #1242](google/osv-scanner#1242) Announce when a config file is invalid and exit with a non-zero code.
• [Bug #1241](google/osv-scanner#1241) Display (no reason given) when there is no reason in the override config.
• [Bug #1252](google/osv-scanner#1252) Don't allow LoadPath to be set via config file.
• [Bug #1279](google/osv-scanner#1279) Report all ecosystems without local databases in one single line.
• [Bug #1283](google/osv-scanner#1283) Output invalid PURLs when scanning SBOMs.
• [Bug #1278](google/osv-scanner#1278) Apply go version override to all instances of the stdlib.

Misc:

• #1253 Deprecate ParseX() functions in pkg/lockfile in favor of their Extract equivalents.
• #1290 Bump maximum number of concurrent requests to the OSV.dev API.

Full Changelog: https://github.com/google/osv-scanner/compare/v1.8.5...v1.9.0

Changelog

Sourced from github.com/google/osv-scanner's changelog.

v1.9.0

Features:

• [Feature #1243](google/osv-scanner#1243) Allow explicitly ignoring the license of a package in config with license.ignore = true.
• [Feature #1249](google/osv-scanner#1249) Error if configuration file has unknown properties.
• [Feature #1271](google/osv-scanner#1271) Assume .txt files with "requirements" in their name are requirements.txt files

Fixes:

• [Bug #1242](google/osv-scanner#1242) Announce when a config file is invalid and exit with a non-zero code.
• [Bug #1241](google/osv-scanner#1241) Display (no reason given) when there is no reason in the override config.
• [Bug #1252](google/osv-scanner#1252) Don't allow LoadPath to be set via config file.
• [Bug #1279](google/osv-scanner#1279) Report all ecosystems without local databases in one single line.
• [Bug #1283](google/osv-scanner#1283) Output invalid PURLs when scanning SBOMs.
• [Bug #1278](google/osv-scanner#1278) Apply go version override to all instances of the stdlib.

Misc:

• #1253 Deprecate ParseX() functions in pkg/lockfile in favor of their Extract equivalents.
• #1290 Bump maximum number of concurrent requests to the OSV.dev API.

Commits

• 1386406 chore(release): changelog for v1.9.0 (#1292)
• ba02cd4 chore(deps): update workflows (#1281)
• 1d67d7a chore(deps): lock file maintenance (#1282)
• c080496 fix: bump osv max concurrent requests (#1290)
• a20e520 fix: apply go version override to all instances of the stdlib (#1278)
• 3591365 fix: output invalid PURLs when scanning sboms (#1283)
• 866b3e0 fix(offline): report all ecosystems without local databases in one single lin...
• ce76735 test: update snapshot (#1284)
• 259b6d4 chore(deps): update workflows (#1264)
• 3b074f7 fix(deps): update osv-scanner minor (#1265)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codecov[bot]]

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 60.04%. Comparing base (353ed60) to head (7de61ed). Report is 28 commits behind head on main.

Additional details and impacted files

```diff @@ Coverage Diff @@ ## main #4367 +/- ## ========================================== - Coverage 66.80% 60.04% -6.77% ========================================== Files 230 212 -18 Lines 16602 15611 -991 ========================================== - Hits 11091 9373 -1718 - Misses 4808 5553 +745 + Partials 703 685 -18 ```

[justaugustus]

@dependabot squash and merge

[spencerschrock]

/scdiff generate Vulnerabilities

[github-actions[bot]]

Here's a link to the scdiff run