build(deps): bump github.com/google/osv-scalibr from 0.3.4 to 0.4.2

[dependabot]

Bumps github.com/google/osv-scalibr from 0.3.4 to 0.4.2.

Release notes

Sourced from github.com/google/osv-scalibr's releases.

v0.4.2

• New secret extractor for Bitbucket and Amazon CodeCommit git basic auth URLs
• Rust reachability annotation migrated from OSV-Scanner
• New extractor for Chocolatey packages (Windows)
• Deps.dev API usage for pomxml dependency resolution

v0.4.1

• New secret detectors: AWS access token, Recaptcha secret key, pyx v1/v2 user key, Amazon CodeCatalyst, generic JWT
• Go source reachability enrichment using Govulncheck
• Support for more assignment patterns in the .gemspec extractor
• Support for BellSoft/Alpaquita OS packages
• Fixes: Correct the COS os-duplicate annotator behavior, avoid duplicate inventories when traversing multiple ScanRoots
• Include PackageVulns in output proto

v0.4.0

• Global plugin config: Plugins can now be configured through a unified flag from the CLI and proto field from the library
  • Using e.g. --plugin-config=max_file_size_bytes:10000000 --plugin-config=go_binary:{version_from_content:true}
  • Migration for all plugins to use this setup is still in progress
  • This adds a new plugin config param to the list.go plugin initializers (list.FromNames()) and is thus a breaking change for current list.go API users
• New secret scanners: MariaDB creds, MySQL mylogin.cnf creds, VAPID keys
• Guided Remediation support for Python projects managed with Pipenv
• Enricher that adds package deprecation information: -plugins=packagedeprecation/depsdev
• Annotator for DPKG package sources: -plugins=misc/dpkg-source

v0.3.6

• New extractors: K8s images, .node-version, pylock.toml, VirtualBox disk images, openEuler support in RPM extractor
• New secret detectors: 1password, Postgres pgpassfile, crates.io API token
• Package licenses now surfaced in the SPDX output
• Per-file error reporting in scan results

v0.3.5

• New extractors: docker-compose images, nvm packages,
• New secret detectors: Stripe API keys, GCP OAuth2 access tokens, GitHub tokens, Slack tokens, Azure storage account access keys
• Guided remediation: Support for pyproject.toml to relax strategy
• --extractor-override flag which forces specific extractors to run on specific file patterns

Commits

• 0461138 Bump SCALIBR version to 0.4.2 in preparation for a release.
• cf20290 Merge pull request #1650 from frkngksl:chocoExtractor
• 9d1b475 Merge branch 'main' into chocoExtractor
• 6356efe Merge pull request #1649 from google:add-git-ecosystem-8414562016607449829
• 557385a Merge pull request #1648 from cuixq:proto
• ac83946 message number
• d1e22e6 Rebase and Fix Chocolatey Extractor
• 2c2bf3a Add GIT as a special allowed ecosystem in GetValidity
• 48bb925 proto
• 4dc52f6 Update packagedeprecation enricher to return error at init
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)