🌱 Bump github.com/google/osv-scanner from 1.8.5 to 1.9.0

[dependabot]

Bumps github.com/google/osv-scanner from 1.8.5 to 1.9.0.

Release notes

Sourced from github.com/google/osv-scanner's releases.

v1.9.0

What's Changed

Features:

• [Feature #1243](google/osv-scanner#1243) Allow explicitly ignoring the license of a package in config with license.ignore = true.
• [Feature #1249](google/osv-scanner#1249) Error if configuration file has unknown properties.
• [Feature #1271](google/osv-scanner#1271) Assume .txt files with "requirements" in their name are requirements.txt files

Fixes:

• [Bug #1242](google/osv-scanner#1242) Announce when a config file is invalid and exit with a non-zero code.
• [Bug #1241](google/osv-scanner#1241) Display (no reason given) when there is no reason in the override config.
• [Bug #1252](google/osv-scanner#1252) Don't allow LoadPath to be set via config file.
• [Bug #1279](google/osv-scanner#1279) Report all ecosystems without local databases in one single line.
• [Bug #1283](google/osv-scanner#1283) Output invalid PURLs when scanning SBOMs.
• [Bug #1278](google/osv-scanner#1278) Apply go version override to all instances of the stdlib.

Misc:

• #1253 Deprecate ParseX() functions in pkg/lockfile in favor of their Extract equivalents.
• #1290 Bump maximum number of concurrent requests to the OSV.dev API.

Full Changelog: google/osv-scanner@v1.8.5...v1.9.0

Changelog

Sourced from github.com/google/osv-scanner's changelog.

v1.9.0

Features:

• [Feature #1243](google/osv-scanner#1243) Allow explicitly ignoring the license of a package in config with license.ignore = true.
• [Feature #1249](google/osv-scanner#1249) Error if configuration file has unknown properties.
• [Feature #1271](google/osv-scanner#1271) Assume .txt files with "requirements" in their name are requirements.txt files

Fixes:

• [Bug #1242](google/osv-scanner#1242) Announce when a config file is invalid and exit with a non-zero code.
• [Bug #1241](google/osv-scanner#1241) Display (no reason given) when there is no reason in the override config.
• [Bug #1252](google/osv-scanner#1252) Don't allow LoadPath to be set via config file.
• [Bug #1279](google/osv-scanner#1279) Report all ecosystems without local databases in one single line.
• [Bug #1283](google/osv-scanner#1283) Output invalid PURLs when scanning SBOMs.
• [Bug #1278](google/osv-scanner#1278) Apply go version override to all instances of the stdlib.

Misc:

• #1253 Deprecate ParseX() functions in pkg/lockfile in favor of their Extract equivalents.
• #1290 Bump maximum number of concurrent requests to the OSV.dev API.

Commits

• 1386406 chore(release): changelog for v1.9.0 (#1292)
• ba02cd4 chore(deps): update workflows (#1281)
• 1d67d7a chore(deps): lock file maintenance (#1282)
• c080496 fix: bump osv max concurrent requests (#1290)
• a20e520 fix: apply go version override to all instances of the stdlib (#1278)
• 3591365 fix: output invalid PURLs when scanning sboms (#1283)
• 866b3e0 fix(offline): report all ecosystems without local databases in one single lin...
• ce76735 test: update snapshot (#1284)
• 259b6d4 chore(deps): update workflows (#1264)
• 3b074f7 fix(deps): update osv-scanner minor (#1265)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[justaugustus]

@dependabot rebase

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 60.04%. Comparing base (353ed60) to head (7de61ed).
Report is 28 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4367      +/-   ##
==========================================
- Coverage   66.80%   60.04%   -6.77%     
==========================================
  Files         230      212      -18     
  Lines       16602    15611     -991     
==========================================
- Hits        11091     9373    -1718     
- Misses       4808     5553     +745     
+ Partials      703      685      -18     

[justaugustus]

@dependabot squash and merge

[spencerschrock]

/scdiff generate Vulnerabilities

[github-actions]

Here's a link to the scdiff run