Scan the submodule explicitly

This will include more precise information about the location of the
vulnerability in the output:

e.g. in https://github.com/charlesneimog/pd-server with submodules not
initialized and at cf3f15a:

```
$ go run ./cmd/osv-scanner -r ../pd-server/
Scanning dir ../pd-server/
Scanning /home/apollock/pd-server/ at commit cf3f15a841ca21b53c6de654c9981a30ae0b590c
Scanning submodule /home/apollock/pd-server/src/cpp-httplib at commit 227d2c20509f85a394133e2be6d0b0fc1fda54b2
Scanning submodule /home/apollock/pd-server/pd-lib-builder at commit 5c2e137f7a7a03f4007494954ccb3e23753e7807
Scanning submodule /home/apollock/pd-server/src/json at commit 4c6cde72e533158e044252718c013a48bcff346c
Scanning submodule /home/apollock/pd-server/src/websocketpp at commit 1b11fd301531e6df35a6107c1e8665b1e77a2d8e
╭────────────────────────────────┬──────┬───────────┬─────────────────────┬─────────────────────┬──────────────────────────────╮
│ OSV URL                        │ CVSS │ ECOSYSTEM │ PACKAGE             │ VERSION             │ SOURCE                       │
├────────────────────────────────┼──────┼───────────┼─────────────────────┴─────────────────────┼──────────────────────────────┤
│ https://osv.dev/CVE-2023-26130 │ 8.8  │ GIT       │  227d2c20509f85a394133e2be6d0b0fc1fda54b2 │ ../pd-server/src/cpp-httplib │
╰────────────────────────────────┴──────┴───────────┴───────────────────────────────────────────┴──────────────────────────────╯
exit status 1
```

pkg/osvscanner/osvscanner.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path"
 	"path/filepath"
 	"strings"
 
@@ -393,7 +394,7 @@ func scanGit(r reporter.Reporter, query *osv.BatchedQuery, repoDir string) error
 
 	for _, s := range submodules {
 		r.PrintText(fmt.Sprintf("Scanning submodule %s at commit %s\n", s.Path, s.Expected.String()))
-		err = scanGitCommit(query, s.Expected.String(), repoDir)
+		err = scanGitCommit(query, s.Expected.String(), path.Join(repoDir, s.Path))
 		if err != nil {
 			return err
 		}