Scan submodules too. (#581)
Using https://github.com/charlesneimog/pd-server (at cf3f15a) as the
example:

With submodules not initialized:

```
$ go run ./cmd/osv-scanner -r ../pd-server/
Scanning dir ../pd-server/
Scanning /home/apollock/pd-server/ at commit cf3f15a841ca21b53c6de654c9981a30ae0b590c
Scanning submodule src/cpp-httplib at commit 227d2c20509f85a394133e2be6d0b0fc1fda54b2
Scanning submodule pd-lib-builder at commit 5c2e137f7a7a03f4007494954ccb3e23753e7807
Scanning submodule src/json at commit 4c6cde72e533158e044252718c013a48bcff346c
Scanning submodule src/websocketpp at commit 1b11fd301531e6df35a6107c1e8665b1e77a2d8e
╭────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬──────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE             │ VERSION             │ SOURCE                       │
├────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼──────────────────────────────┤
│ https://osv.dev/CVE-2023-26130 │ 8.8  │ GIT       │  227d2c20509f85a394133e2be6d0b0fc1fda54b2 │ ../pd-server/src/cpp-httplib │
╰────────────────────────────────┴──────┴───────────┴───────────────────────────────────────────┴──────────────────────────────╯
exit status 1
```

With submodules initialized:

```
$ go run ./cmd/osv-scanner -r ../pd-server/
Scanning dir ../pd-server/
Scanning /home/apollock/pd-server/ at commit cf3f15a841ca21b53c6de654c9981a30ae0b590c
Scanning submodule src/cpp-httplib at commit 227d2c20509f85a394133e2be6d0b0fc1fda54b2
Scanning submodule pd-lib-builder at commit 5c2e137f7a7a03f4007494954ccb3e23753e7807
Scanning submodule src/json at commit 4c6cde72e533158e044252718c013a48bcff346c
Scanning submodule src/websocketpp at commit 1b11fd301531e6df35a6107c1e8665b1e77a2d8e
Scanned /home/apollock/pd-server/src/json/docs/mkdocs/requirements.txt file and found 49 packages
Scanned /home/apollock/pd-server/src/json/tools/serve_header/requirements.txt file and found 2 packages
╭─────────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬────────────────────────────────────────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE             │ VERSION             │ SOURCE                                             │
├─────────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼────────────────────────────────────────────────────┤
│ https://osv.dev/CVE-2023-26130      │ 8.8  │ GIT       │  227d2c20509f85a394133e2be6d0b0fc1fda54b2 │ ../pd-server/src/cpp-httplib                       │
│ https://osv.dev/GHSA-xqr8-7jwr-rhp7 │ 7.5  │ PyPI      │ certifi             │ 2022.12.7           │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-135      │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-v3c5-jqr6-7qm8 │ 7.5  │ PyPI      │ future              │ 0.18.2              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2022-42991    │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-cwvm-v4w8-q58c │ 6.5  │ PyPI      │ gitpython           │ 3.1.29              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-165      │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-hcpj-qp55-gfph │ 8.1  │ PyPI      │ gitpython           │ 3.1.29              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2022-42992    │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-pr76-5cm5-w9cj │ 9.8  │ PyPI      │ gitpython           │ 3.1.29              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-137      │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-wfm5-v35h-vwf4 │ 7.8  │ PyPI      │ gitpython           │ 3.1.29              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-161      │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-mrwq-x4v8-fh7p │ 5.5  │ PyPI      │ pygments            │ 2.13.0              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-117      │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-jh85-wwv9-24hv │ 7.5  │ PyPI      │ pymdown-extensions  │ 9.9                 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/GHSA-j8r2-6x86-q33q │ 6.1  │ PyPI      │ requests            │ 2.28.1              │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-74       │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-hj3f-6gcp-jg8j │ 6.1  │ PyPI      │ tornado             │ 6.2                 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-75       │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-qppv-j76h-2rpx │      │ PyPI      │ tornado             │ 6.2                 │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/GHSA-g4mx-q9vg-27p4 │ 4.2  │ PyPI      │ urllib3             │ 1.26.13             │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-212      │      │           │                     │                     │                                                    │
│ https://osv.dev/GHSA-v845-jxx5-vc9f │ 8.1  │ PyPI      │ urllib3             │ 1.26.13             │ ../pd-server/src/json/docs/mkdocs/requirements.txt │
│ https://osv.dev/PYSEC-2023-192      │      │           │                     │                     │                                                    │
╰─────────────────────────────────────┴──────┴───────────┴─────────────────────┴─────────────────────┴────────────────────────────────────────────────────╯
exit status 1
```
andrewpollock committed Oct 30, 2023
1 parent 419a945 commit f819495
Showing 1 changed file with 44 additions and 1 deletion.
45 changes: 44 additions & 1 deletion pkg/osvscanner/osvscanner.go
Expand Up @@ -6,6 +6,7 @@ import (
"fmt"
"os"
"os/exec"
"path"
"path/filepath"
"strings"

Expand Down Expand Up @@ -349,6 +350,30 @@ func getCommitSHA(repoDir string) (string, error) {
return head.Hash().String(), nil
}

func getSubmodules(repoDir string) (submodules []*git.SubmoduleStatus, err error) {
repo, err := git.PlainOpen(repoDir)
if err != nil {
return nil, err
}
worktree, err := repo.Worktree()
if err != nil {
return nil, err
}
ss, err := worktree.Submodules()
if err != nil {
return nil, err
}
for _, s := range ss {
status, err := s.Status()
if err != nil {
continue
}
submodules = append(submodules, status)
}

return submodules, nil
}

// Scan git repository. Expects repoDir to end with /
func scanGit(r reporter.Reporter, query *osv.BatchedQuery, repoDir string) error {
commit, err := getCommitSHA(repoDir)
Expand All @@ -357,7 +382,25 @@ func scanGit(r reporter.Reporter, query *osv.BatchedQuery, repoDir string) error
}
r.PrintText(fmt.Sprintf("Scanning %s at commit %s\n", repoDir, commit))

return scanGitCommit(query, commit, repoDir)
err = scanGitCommit(query, commit, repoDir)
if err != nil {
return err
}

submodules, err := getSubmodules(repoDir)
if err != nil {
return err
}

for _, s := range submodules {
r.PrintText(fmt.Sprintf("Scanning submodule %s at commit %s\n", s.Path, s.Expected.String()))
err = scanGitCommit(query, s.Expected.String(), path.Join(repoDir, s.Path))
if err != nil {
return err
}
}

return nil
}

func scanGitCommit(query *osv.BatchedQuery, commit string, source string) error {
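Review bot: getSubmodules drops a submodule whenever s.Status() fails (the `continue` in the loop near the end of the function), so a submodule whose pinned commit cannot be read is silently left out of the scan with no output for the user, and the report looks complete when it is not; return the error instead, `return nil, fmt.Errorf("submodule status: %w", err)`, or have scanGit announce the skip through the reporter so the gap is visible. In scanGit, `path.Join(repoDir, s.Path)` builds a filesystem path with the slash-only `path` package even though the file already imports `path/filepath`; `filepath.Join(repoDir, s.Path)` is the portable form, after which the newly added `"path"` import becomes unused. The loop calls scanGitCommit rather than scanGit for each submodule, so submodules nested inside a submodule are not scanned; if that is intended, a one-line comment on the loop saying so would save the next reader the question. scanGit begins in the previous hunk and its body is cut between the two hunks, so the lines between them were not reviewed.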
