fix(deps): update osv-scanner minor (#392)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/BurntSushi/toml](https://togithub.com/BurntSushi/toml) |
require | minor | `v1.2.1` -> `v1.3.0` |
| [github.com/go-git/go-git/v5](https://togithub.com/go-git/go-git) |
require | minor | `v5.6.1` -> `v5.7.0` |
| [github.com/spdx/tools-golang](https://togithub.com/spdx/tools-golang)
| require | patch | `v0.5.0` -> `v0.5.1` |
| [github.com/urfave/cli/v2](https://togithub.com/urfave/cli) | require
| patch | `v2.25.3` -> `v2.25.5` |
| golang.org/x/exp | require | digest | `dd950f8` -> `2e198f4` |
| golang.org/x/tools | require | patch | `v0.9.1` -> `v0.9.3` |

---

### Release Notes

<details>
<summary>BurntSushi/toml</summary>

### [`v1.3.0`](https://togithub.com/BurntSushi/toml/releases/tag/v1.3.0)

[Compare
Source](https://togithub.com/BurntSushi/toml/compare/v1.2.1...v1.3.0)

New features:

-   Support upcoming TOML 1.1

While it looks like TOML 1.1 is mostly stable and I don't expect any
further major changes, there are *NO* compatibility guarantees as it is
*NOT* yet released and *anything can still change*.

To use it, set the `BURNTSUSHI_TOML_110` environment variable to any
value, which can be done either with `os.SetEnv()` or by the user
running a program.

A full list is changes is available in the [TOML ChangeLog]; the two
most notable ones are that newlines and trailing commas are now allowed
in inline tables, and Unicode in bare keys can now be used – this is now
a valid document:

        lëttërs = {
          ä = "a with diaeresis",
          è = "e with accent grave",
        }

[TOML ChangeLog]:
https://togithub.com/toml-lang/toml/blob/main/CHANGELOG.md

- Allow MarshalTOML and MarshalText to be used on the document type
itself, instead of only fields
([#&#8203;383](https://togithub.com/BurntSushi/toml/issues/383)).

Bufixes:

- `\` escapes at the end of line weren't processed correctly in
multiline strings
([#&#8203;372](https://togithub.com/BurntSushi/toml/issues/372)).

- Read over UTF-8 BOM
([#&#8203;381](https://togithub.com/BurntSushi/toml/issues/381)).

- `omitempty` struct tag did not work for pointer values
([#&#8203;371](https://togithub.com/BurntSushi/toml/issues/371)).

- Fix encoding anonymous structs on 32bit systems
([#&#8203;374](https://togithub.com/BurntSushi/toml/issues/374)).

</details>

<details>
<summary>go-git/go-git</summary>

### [`v5.7.0`](https://togithub.com/go-git/go-git/releases/tag/v5.7.0)

[Compare
Source](https://togithub.com/go-git/go-git/compare/v5.6.1...v5.7.0)

#### What's Changed

- \*: Add support for initializing SHA256 repositories by
[@&#8203;pjbgf](https://togithub.com/pjbgf) in
[https://github.com/go-git/go-git/pull/707](https://togithub.com/go-git/go-git/pull/707)
- git: add mirror clone option by
[@&#8203;aymanbagabas](https://togithub.com/aymanbagabas) in
[https://github.com/go-git/go-git/pull/735](https://togithub.com/go-git/go-git/pull/735)
- git: Add support to ls-remote with peeled references. Fixes
[#&#8203;749](https://togithub.com/go-git/go-git/issues/749) by
[@&#8203;pjbgf](https://togithub.com/pjbgf) in
[https://github.com/go-git/go-git/pull/750](https://togithub.com/go-git/go-git/pull/750)
- git: fix cloning with branch name by
[@&#8203;AriehSchneier](https://togithub.com/AriehSchneier) in
[https://github.com/go-git/go-git/pull/755](https://togithub.com/go-git/go-git/pull/755)
- git: Worktree, add check to see if file already checked in. Fixes
[#&#8203;718](https://togithub.com/go-git/go-git/issues/718) by
[@&#8203;cbbm142](https://togithub.com/cbbm142) in
[https://github.com/go-git/go-git/pull/719](https://togithub.com/go-git/go-git/pull/719)
- git: Worktree, git grep bare repositories by
[@&#8203;aymanbagabas](https://togithub.com/aymanbagabas) in
[https://github.com/go-git/go-git/pull/728](https://togithub.com/go-git/go-git/pull/728)
- git: Add Depth to SubmoduleUpdateOptions by
[@&#8203;matejrisek](https://togithub.com/matejrisek) in
[https://github.com/go-git/go-git/pull/754](https://togithub.com/go-git/go-git/pull/754)
- git: Testing, Fix tests not cleaning temp folders by
[@&#8203;AriehSchneier](https://togithub.com/AriehSchneier) in
[https://github.com/go-git/go-git/pull/769](https://togithub.com/go-git/go-git/pull/769)
- git: remote, add support for a configurable timeout. by
[@&#8203;andrewpollock](https://togithub.com/andrewpollock) in
[https://github.com/go-git/go-git/pull/753](https://togithub.com/go-git/go-git/pull/753)
- git: Allow Initial Branch to be configurable by
[@&#8203;techknowlogick](https://togithub.com/techknowlogick) in
[https://github.com/go-git/go-git/pull/764](https://togithub.com/go-git/go-git/pull/764)
- storage: filesystem/dotgit, Improve load packed-refs by
[@&#8203;fcharlie](https://togithub.com/fcharlie) in
[https://github.com/go-git/go-git/pull/743](https://togithub.com/go-git/go-git/pull/743)
- storage: filesystem, Populate index before use. Fixes
[#&#8203;148](https://togithub.com/go-git/go-git/issues/148) by
[@&#8203;AriehSchneier](https://togithub.com/AriehSchneier) in
[https://github.com/go-git/go-git/pull/722](https://togithub.com/go-git/go-git/pull/722)
- plumbing: resolve non-external delta references by
[@&#8203;ZauberNerd](https://togithub.com/ZauberNerd) in
[https://github.com/go-git/go-git/pull/485](https://togithub.com/go-git/go-git/pull/485)
- plumbing/transport: fix regression in scp-like match by
[@&#8203;jotadrilo](https://togithub.com/jotadrilo) in
[https://github.com/go-git/go-git/pull/715](https://togithub.com/go-git/go-git/pull/715)
- plumbing/transport: Add support for custom proxy settings by
[@&#8203;aryan9600](https://togithub.com/aryan9600) in
[https://github.com/go-git/go-git/pull/744](https://togithub.com/go-git/go-git/pull/744)
- \*: small fixes across the codebase by
[@&#8203;pjbgf](https://togithub.com/pjbgf) in
[https://github.com/go-git/go-git/pull/770](https://togithub.com/go-git/go-git/pull/770)
- \*: bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/go-git/go-git/pull/776](https://togithub.com/go-git/go-git/pull/776)
- \*: bump dependencies by [@&#8203;pjbgf](https://togithub.com/pjbgf)
in
[https://github.com/go-git/go-git/pull/748](https://togithub.com/go-git/go-git/pull/748)
- \*: bump Go version to 1.18 on go.mod by
[@&#8203;pjbgf](https://togithub.com/pjbgf) in
[https://github.com/go-git/go-git/pull/774](https://togithub.com/go-git/go-git/pull/774)
- \*: add Codeql workflow and bump dependencies by
[@&#8203;pjbgf](https://togithub.com/pjbgf) in
[https://github.com/go-git/go-git/pull/775](https://togithub.com/go-git/go-git/pull/775)
- ci: fix upstream git build for master branch by
[@&#8203;pjbgf](https://togithub.com/pjbgf) in
[https://github.com/go-git/go-git/pull/739](https://togithub.com/go-git/go-git/pull/739)

#### New Contributors

- [@&#8203;ZauberNerd](https://togithub.com/ZauberNerd) made their first
contribution in
[https://github.com/go-git/go-git/pull/485](https://togithub.com/go-git/go-git/pull/485)
- [@&#8203;jotadrilo](https://togithub.com/jotadrilo) made their first
contribution in
[https://github.com/go-git/go-git/pull/715](https://togithub.com/go-git/go-git/pull/715)
- [@&#8203;fcharlie](https://togithub.com/fcharlie) made their first
contribution in
[https://github.com/go-git/go-git/pull/743](https://togithub.com/go-git/go-git/pull/743)
- [@&#8203;AriehSchneier](https://togithub.com/AriehSchneier) made their
first contribution in
[https://github.com/go-git/go-git/pull/755](https://togithub.com/go-git/go-git/pull/755)
- [@&#8203;cbbm142](https://togithub.com/cbbm142) made their first
contribution in
[https://github.com/go-git/go-git/pull/719](https://togithub.com/go-git/go-git/pull/719)
- [@&#8203;aryan9600](https://togithub.com/aryan9600) made their first
contribution in
[https://github.com/go-git/go-git/pull/744](https://togithub.com/go-git/go-git/pull/744)
- [@&#8203;matejrisek](https://togithub.com/matejrisek) made their first
contribution in
[https://github.com/go-git/go-git/pull/754](https://togithub.com/go-git/go-git/pull/754)
- [@&#8203;andrewpollock](https://togithub.com/andrewpollock) made their
first contribution in
[https://github.com/go-git/go-git/pull/753](https://togithub.com/go-git/go-git/pull/753)
- [@&#8203;techknowlogick](https://togithub.com/techknowlogick) made
their first contribution in
[https://github.com/go-git/go-git/pull/764](https://togithub.com/go-git/go-git/pull/764)

**Full Changelog**:
go-git/go-git@v5.6.1...v5.7.0

</details>

<details>
<summary>spdx/tools-golang</summary>

###
[`v0.5.1`](https://togithub.com/spdx/tools-golang/releases/tag/v0.5.1)

[Compare
Source](https://togithub.com/spdx/tools-golang/compare/v0.5.0...v0.5.1)

#### What's Changed

- Add ability to specify JSON output options by
[@&#8203;DmitriyLewen](https://togithub.com/DmitriyLewen) in
[https://github.com/spdx/tools-golang/pull/213](https://togithub.com/spdx/tools-golang/pull/213)
- Fix some optional params: `copyrightText`, `licenseListVersion`,
`packageVerificationCode` by
[@&#8203;lumjjb](https://togithub.com/lumjjb) in
[https://github.com/spdx/tools-golang/pull/215](https://togithub.com/spdx/tools-golang/pull/215)
- Properly output and read the `filesAnalyzed` field in JSON/YAML by
[@&#8203;kzantow](https://togithub.com/kzantow) in
[https://github.com/spdx/tools-golang/pull/210](https://togithub.com/spdx/tools-golang/pull/210)
- Ensure no duplicates in relationships when shortcut fields are used.
by [@&#8203;lumjjb](https://togithub.com/lumjjb) in
[https://github.com/spdx/tools-golang/pull/218](https://togithub.com/spdx/tools-golang/pull/218)

#### New Contributors

- [@&#8203;testwill](https://togithub.com/testwill) made their first
contribution in
[https://github.com/spdx/tools-golang/pull/212](https://togithub.com/spdx/tools-golang/pull/212)
- [@&#8203;DmitriyLewen](https://togithub.com/DmitriyLewen) made their
first contribution in
[https://github.com/spdx/tools-golang/pull/213](https://togithub.com/spdx/tools-golang/pull/213)

**Full Changelog**:
spdx/tools-golang@v0.5.0...v0.5.1

</details>

<details>
<summary>urfave/cli</summary>

### [`v2.25.5`](https://togithub.com/urfave/cli/releases/tag/v2.25.5)

[Compare
Source](https://togithub.com/urfave/cli/compare/v2.25.4...v2.25.5)

#### What's Changed

- Fix:(issue\_1737) Set bool count by taking care of num of aliases by
[@&#8203;dearchap](https://togithub.com/dearchap) in
[https://github.com/urfave/cli/pull/1740](https://togithub.com/urfave/cli/pull/1740)

**Full Changelog**:
urfave/cli@v2.25.4...v2.25.5

### [`v2.25.4`](https://togithub.com/urfave/cli/releases/tag/v2.25.4)

[Compare
Source](https://togithub.com/urfave/cli/compare/v2.25.3...v2.25.4)

#### What's Changed

- Bug/fix issue 1703 by [@&#8203;jojje](https://togithub.com/jojje) in
[https://github.com/urfave/cli/pull/1728](https://togithub.com/urfave/cli/pull/1728)
- Fix:(issue\_1734) Show categories for subcommands by
[@&#8203;dearchap](https://togithub.com/dearchap) in
[https://github.com/urfave/cli/pull/1735](https://togithub.com/urfave/cli/pull/1735)
- Fix:(issue\_1610). Keep RunAsSubcommand behaviour as before by
[@&#8203;dearchap](https://togithub.com/dearchap) in
[https://github.com/urfave/cli/pull/1736](https://togithub.com/urfave/cli/pull/1736)
- Fix:(issue\_1731) Add fix for checking if aliases are set by
[@&#8203;dearchap](https://togithub.com/dearchap) in
[https://github.com/urfave/cli/pull/1732](https://togithub.com/urfave/cli/pull/1732)
- Fix func name referenced in doc comment by
[@&#8203;meatballhat](https://togithub.com/meatballhat) in
[https://github.com/urfave/cli/pull/1738](https://togithub.com/urfave/cli/pull/1738)

#### New Contributors

- [@&#8203;jojje](https://togithub.com/jojje) made their first
contribution in
[https://github.com/urfave/cli/pull/1728](https://togithub.com/urfave/cli/pull/1728)

**Full Changelog**:
urfave/cli@v2.25.3...v2.25.4

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/google/osv-scanner).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS40OC4yIiwidXBkYXRlZEluVmVyIjoiMzUuMTAyLjEwIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

go.mod

@@ -3,35 +3,36 @@ module github.com/google/osv-scanner
 go 1.19
 
 require (
-	github.com/BurntSushi/toml v1.2.1
+	github.com/BurntSushi/toml v1.3.0
 	github.com/CycloneDX/cyclonedx-go v0.7.1
 	github.com/go-git/go-billy/v5 v5.4.1
-	github.com/go-git/go-git/v5 v5.6.1
+	github.com/go-git/go-git/v5 v5.7.0
 	github.com/google/go-cmp v0.5.9
 	github.com/jedib0t/go-pretty/v6 v6.4.6
 	github.com/kr/pretty v0.3.1
 	github.com/package-url/packageurl-go v0.1.0
-	github.com/spdx/tools-golang v0.5.0
-	github.com/urfave/cli/v2 v2.25.3
-	golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea
+	github.com/spdx/tools-golang v0.5.1
+	github.com/urfave/cli/v2 v2.25.5
+	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
 	golang.org/x/mod v0.10.0
 	golang.org/x/sync v0.2.0
 	golang.org/x/term v0.8.0
-	golang.org/x/tools v0.9.1
+	golang.org/x/tools v0.9.3
 	golang.org/x/vuln v0.0.0-20230303230808-d3042fecc4e3
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903 // indirect
 	github.com/acomagu/bufpipe v1.0.4 // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
 	github.com/cloudflare/circl v1.3.3 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/go-git/gcfg v1.5.0 // indirect
-	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
@@ -41,11 +42,11 @@ require (
 	github.com/rogpeppe/go-internal v1.9.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
-	github.com/skeema/knownhosts v1.1.0 // indirect
+	github.com/skeema/knownhosts v1.1.1 // indirect
 	github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
-	golang.org/x/crypto v0.6.0 // indirect
+	golang.org/x/crypto v0.9.0 // indirect
 	golang.org/x/net v0.10.0 // indirect
 	golang.org/x/sys v0.8.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect