fix(deps): update osv-scanner minor (#2263)

This PR contains the following updates:

| Package | Change | Age | Confidence | Type | Update |
|---|---|---|---|---|---|
|
[github.com/CycloneDX/cyclonedx-go](https://redirect.github.com/CycloneDX/cyclonedx-go)
| `v0.9.2` -> `v0.9.3` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fCycloneDX%2fcyclonedx-go/v0.9.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fCycloneDX%2fcyclonedx-go/v0.9.2/v0.9.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| require | patch |
|
[google.golang.org/protobuf](https://redirect.github.com/protocolbuffers/protobuf-go)
| `v1.36.9` -> `v1.36.10` |
[![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fprotobuf/v1.36.10?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fprotobuf/v1.36.9/v1.36.10?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| require | patch |
| [osv.dev/bindings/go](https://redirect.github.com/google/osv.dev) |
`3b73304` -> `c81c39e` |
[![age](https://developer.mend.io/api/mc/badges/age/go/osv.dev%2fbindings%2fgo/v0.0.0-20251003064252-c81c39e62149?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/osv.dev%2fbindings%2fgo/v0.0.0-20250929041518-3b73304a1688/v0.0.0-20251003064252-c81c39e62149?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| require | digest |

---

### Release Notes

<details>
<summary>CycloneDX/cyclonedx-go
(github.com/CycloneDX/cyclonedx-go)</summary>

###
[`v0.9.3`](https://redirect.github.com/CycloneDX/cyclonedx-go/releases/tag/v0.9.3)

[Compare
Source](https://redirect.github.com/CycloneDX/cyclonedx-go/compare/v0.9.2...v0.9.3)

#### Changelog

##### Fixes

-
[`6636ce3`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/6636ce32f8b15a5104fda6636937e91d62d647e7):
fix: `.component.data` was not a slice as per CycloneDX schema
[#&#8203;242](https://redirect.github.com/CycloneDX/cyclonedx-go/issues/242)
([@&#8203;madpah](https://redirect.github.com/madpah))
-
[`3e0f245`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/3e0f245f7b936eb38e16d0518a2a0020c0d69223):
fix: add missing properties
([@&#8203;rdghe](https://redirect.github.com/rdghe))

##### Building and Packaging

-
[`24c8c33`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/24c8c33dd36390754b63f9ab056b2bf62b1eb70f):
build(deps): bump actions/setup-go from 5.2.0 to 5.4.0
([@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot])
-
[`5fcf097`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/5fcf097fbdcedb6832989d0a74195f0698b48de8):
build(deps): bump actions/setup-go from 5.4.0 to 5.5.0
([@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot])
-
[`edea8ae`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/edea8aedbc8467a478ac4b11d587c9bdff68f0dd):
build(deps): bump apache/skywalking-eyes from 0.6.0 to 0.7.0
([@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot])
-
[`f32eebc`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/f32eebc413c71327df4fd6f264aa9f22e6e8cce1):
build(deps): bump gitpod/workspace-go from `4702df2` to `8985eb7`
([@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot])
-
[`7fdaa7f`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/7fdaa7fc2b0fe25ff5eb17d57bede84131415674):
build(deps): bump gitpod/workspace-go from `6932342` to `4702df2`
([@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot])
-
[`d62ea3c`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/d62ea3cd450cbd3aebcbf9a50c8d12b2e4187b13):
build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
([@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot])
-
[`4709461`](https://redirect.github.com/CycloneDX/cyclonedx-go/commit/4709461dea7961fbd824e433b3c68217ff856122):
build(deps): bump goreleaser/goreleaser-action from 6.1.0 to 6.3.0
([@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot])

</details>

<details>
<summary>protocolbuffers/protobuf-go
(google.golang.org/protobuf)</summary>

###
[`v1.36.10`](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.36.9...v1.36.10)

[Compare
Source](https://redirect.github.com/protocolbuffers/protobuf-go/compare/v1.36.9...v1.36.10)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/google/osv-scanner).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzEuOSIsInVwZGF0ZWRJblZlciI6IjQxLjEzMS45IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

Author: renovate-bot

go.mod

@@ -8,7 +8,7 @@ require (
 	deps.dev/util/resolve v0.0.0-20250917073939-6ff3dd7d2eea
 	deps.dev/util/semver v0.0.0-20250917073939-6ff3dd7d2eea
 	github.com/BurntSushi/toml v1.5.0
-	github.com/CycloneDX/cyclonedx-go v0.9.2
+	github.com/CycloneDX/cyclonedx-go v0.9.3
 	github.com/charmbracelet/bubbles v0.21.0
 	github.com/charmbracelet/bubbletea v1.3.10
 	github.com/charmbracelet/glamour v0.10.0
@@ -34,10 +34,10 @@ require (
 	golang.org/x/term v0.35.0
 	golang.org/x/vuln v1.1.4
 	google.golang.org/grpc v1.75.1
-	google.golang.org/protobuf v1.36.9
+	google.golang.org/protobuf v1.36.10
 	gopkg.in/ini.v1 v1.67.0
 	gopkg.in/yaml.v3 v3.0.1
-	osv.dev/bindings/go v0.0.0-20250929041518-3b73304a1688
+	osv.dev/bindings/go v0.0.0-20251003064252-c81c39e62149
 )
 
 require (

go.sum

@@ -24,8 +24,8 @@ github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg6
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
-github.com/CycloneDX/cyclonedx-go v0.9.2 h1:688QHn2X/5nRezKe2ueIVCt+NRqf7fl3AVQk+vaFcIo=
-github.com/CycloneDX/cyclonedx-go v0.9.2/go.mod h1:vcK6pKgO1WanCdd61qx4bFnSsDJQ6SbM2ZuMIgq86Jg=
+github.com/CycloneDX/cyclonedx-go v0.9.3 h1:Pyk/lwavPz7AaZNvugKFkdWOm93MzaIyWmBwmBo3aUI=
+github.com/CycloneDX/cyclonedx-go v0.9.3/go.mod h1:vcK6pKgO1WanCdd61qx4bFnSsDJQ6SbM2ZuMIgq86Jg=
 github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 h1:IEjq88XO4PuBDcvmjQJcQGg+w+UaafSy8G5Kcb5tBhI=
 github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5/go.mod h1:exZ0C/1emQJAw5tHOaUDyY1ycttqBAPcxuzf7QbY6ec=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
@@ -585,8 +585,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw=
-google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -630,8 +630,8 @@ modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
 modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
-osv.dev/bindings/go v0.0.0-20250929041518-3b73304a1688 h1:ZoNfLkmA0fMDPvviJkh0cJKNkZS1+urQDurQ4p4OIjA=
-osv.dev/bindings/go v0.0.0-20250929041518-3b73304a1688/go.mod h1:Q/9axnazyiBRWDN5ruXSGRkH3wrBS5ejQCkflp/VyFg=
+osv.dev/bindings/go v0.0.0-20251003064252-c81c39e62149 h1:0LuEmpVUqDS7tOZmcyZmQny6KvfzwnFEfEGG8MXJXZQ=
+osv.dev/bindings/go v0.0.0-20251003064252-c81c39e62149/go.mod h1:PCzVrLpwZc69NCvBLJR5ZKv5nrCvwA6HbaamsgmgEZc=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 sigs.k8s.io/yaml v1.5.0 h1:M10b2U7aEUY6hRtU870n2VTPgR5RZiL/I6Lcc2F4NUQ=
 sigs.k8s.io/yaml v1.5.0/go.mod h1:wZs27Rbxoai4C0f8/9urLZtZtF3avA3gKvGyPdDqTO4=