chore(deps): update ghcr.io/google/osv-scanner docker tag to v2

This MR contains the following updates:

Package	Type	Update	Change
ghcr.io/google/osv-scanner	image-name	major	v1.9.2 -> v2.0.1

---

Release Notes

google/osv-scanner (ghcr.io/google/osv-scanner)

v2.0.1

Compare Source

Features:

• Feature #​1730 Add support for extracting dependencies from .NET packages.config and packages.lock.json files.
• Feature #​1770 Add support for extracting dependencies from rust binaries compiled with cargo-auditable.
• Feature #​1761 Improve output when scanning for OS packages, we now show binary packages associated with a source package in the table output.

Fixes:

• Bug #​1752 Fix paging depth issue when querying the osv.dev API.
• Bug #​1747 Ensure osv-reporter prints warnings instead of errors for certain messages to return correct exit code (related to osv-scanner-action#65).
• Bug #​1717 Fix issue where nested CycloneDX components were not being parsed.
• Bug #​1744 Fix issue where empty CycloneDX SBOMs was causing a panic.
• Bug #​1726 De-duplicate references in CycloneDX report output for improved validity.
• Bug #​1727 Remove automatic opening of HTML reports in the browser (fixes #​1721).
• Bug #​1735 Require a tag when scanning container images to prevent potential errors.

Docs:

• Docs #​1753 Correct documentation for the OSV-Scanner GitHub Action (fixes osv-scanner-action#68).
• Docs #​1743 Minor grammar fixes in documentation.

API Changes:

• API Change #​1763 Made the SourceType enum public.

v2.0.0

Compare Source

This release merges the improvements, features, and fixes from v2.0.0-rc1, v2.0.0-beta2, and v2.0.0-beta1.

Important: This release includes several breaking changes aimed at future-proofing OSV-Scanner. Please consult our comprehensive Migration Guide to ensure a smooth upgrade.

Features:

• Layer and base image-aware container scanning:
  • Rewritten support for Debian, Ubuntu, and Alpine container images.
  • Layer level analysis and vulnerability breakdown.
  • Supports Go, Java, Node, and Python artifacts within supported distros.
  • Base image identification via deps.dev.
  • Usage: osv-scanner scan image <image-name>:<tag>
• Interactive HTML output:
  • Severity breakdown, package/ID/importance filtering, vulnerability details.
  • Container image layer filtering, layer info, base image identification.
  • Usage: osv-scanner scan --serve ...
• Guided Remediation for Maven pom.xml:
  • Remediate direct and transitive dependencies (non-interactive mode).
  • New override remediation strategy.
  • Support for reading/writing pom.xml and parent POM files.
  • Private registry support for Maven metadata.
  • Machine-readable output for guided remediation.
• Enhanced Dependency Extraction with osv-scalibr:
  • Haskell: cabal.project.freeze, stack.yaml.lock
  • .NET: deps.json
  • Python: uv.lock
  • Artifacts: node_modules, Python wheels, Java uber jars, Go binaries
• Feature #​1636 osv-scanner update command for updating the local vulnerability database (formerly experimental).
• Feature #​1582 Add container scanning information to vertical output format.
• Feature #​1587 Add support for severity in SARIF report format.
• Feature #​1569 Add support for bun.lock lockfiles.
• Feature #​1547 Add experimental config support to the scan image command.
• Feature #​1557 Allow setting port number with --serve using the new --port flag.

Breaking Changes:

• Feature #​1670 Guided remediation now defaults to non-interactive mode; use the --interactive flag for interactive mode.
• Feature #​1670 Removed the --verbosity=verbose verbosity level.
• Feature #​1673 & Feature #​1664 All previous experimental flags are now out of experimental, and the experimental flag mechanism has been removed.
• Feature #​1651 Multiple license flags have been merged into a single --license flag.
• Feature #​1666 API: reporter removed; logging now uses slog, which can be overridden.
• Feature #​1638 API: Deprecated packages removed, including lockfile (migrated to OSV-Scalibr).

Improvements:

• Feature #​1561 Updated HTML report for better contrast and usability (from beta2).
• Feature #​1584 Make skipping the root git repository the default behavior (from beta2).
• Feature #​1648 Updated HTML report styling to improve contrast (from rc1).

Fixes:

• Fix #​1598 Fix table output vulnerability ordering.
• Fix #​1616 Filter out Ubuntu unimportant vulnerabilities.
• Fix #​1585 Fixed issue where base images are occasionally duplicated.
• Fix #​1597 Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the bom.xml filename.
• Fix #​1566 Fixed issue where offline scanning returns different results from online scanning.
• Fix #​1538 Reduce memory usage when using guided remediation.

We encourage everyone to upgrade to OSV-Scanner v2.0.0 and experience these powerful new capabilities! As always, your feedback is invaluable, so please don't hesitate to share your thoughts and suggestions.

• General V2 feedback
• Container scanning feedback

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

---

• If you want to rebase/retry this MR, check this box

---

This MR has been generated by Renovate Bot.