Try to support CGO

[G-Rath]

Making this for visibility, feel free to edit and reframe

---

When osv-scalibr started to use a CGO library due to google/osv-scalibr#1405, it broke Goreleaser. @erikvarga managed to replace the library in osv-scalibr, but has indicated it's unlikely we can avoid having CGO libraries in scalibr forever :

However, we have another PRP contribution that would like to use the library in a way that's harder to reimplement with just regexp parsing: google/osv-scalibr#1444

This issue is to track how we deal with that

[G-Rath]

Do we have any idea what the compilation problem was caused by? It would be nice to fix this instead of having to avoid dependency on a library.

In the go-tree-sitter issue linked it seems like people solved the compilation by enabling CGO on their GA, is that something we can try?

#2532 (comment)

@erikvarga I have no experience with CGO and very little with goreleaser, but my understanding so far is that the pipeline failed because we have explicitly disabled CGO, and that apparently goreleaser doesn't work with it:

osv-scanner/.goreleaser.yml

Lines 11 to 14 in b9f296c

	# goreleaser does not work with CGO, it could also complicate
	# usage by users in CI/CD systems like Terraform Cloud where
	# they are unable to install libraries.
	- CGO_ENABLED=0

[G-Rath]

https://goreleaser.com/limitations/cgo/ lists a few ways it can be done, with Goreleaser pro being the simplest apparently