feat: Add configuration option to disable scanning Go version from go.mod

.github/workflows/dependencies.yml

@@ -37,7 +37,6 @@ jobs:
       - run: go test ./cmd/osv-scanner/ -run 'Test_run$' || true
         env:
           TEST_ACCEPTANCE: true
-          TEST_VCR_MODE: replaywithnewepisodes
           UPDATE_SNAPS: always
       - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:

CHANGELOG.md

@@ -1,19 +1,3 @@
-# v2.3.4
-
-### Features:
-
-- [Feature #2571](https://github.com/google/osv-scanner/pull/2571) Enable transitive scanning for Python requirements.txt files using the deps.dev API.
-
-### Fixes:
-
-- [Bug #2630](https://github.com/google/osv-scanner/pull/2630) Improve startup performance on Windows Terminal by updating lipgloss.
-- [Bug #2599](https://github.com/google/osv-scanner/pull/2599) Ensure the package deprecation enricher respects the same configuration as other plugins.
-- [Bug #2600](https://github.com/google/osv-scanner/pull/2600) Ensure the Java extractor plugin for call analysis respects the same configuration as other plugins.
-
-### Misc:
-
-- Update osv-scalibr from v0.4.2 to v0.4.5. Release notes: [v0.4.3](https://github.com/google/osv-scalibr/releases/tag/v0.4.3), [v0.4.4](https://github.com/google/osv-scalibr/releases/tag/v0.4.4), [v0.4.5](https://github.com/google/osv-scalibr/releases/tag/v0.4.5).
-
 # v2.3.3
 
 ### Features:

cmd/osv-scanner/__snapshots__/main_test.snap

@@ -46,8 +46,8 @@ OPTIONS:
 ---
 
 [Test_run/version - 1]
-osv-scanner version: 2.3.4
-osv-scalibr version: 0.4.5
+osv-scanner version: 2.3.3
+osv-scalibr version: 0.4.4
 commit: n/a
 built at: n/a
 
@@ -61,7 +61,6 @@ built at: n/a
 Scanning dir ./testdata/locks-one-with-nested
 Scanned <rootdir>/testdata/locks-one-with-nested/nested/composer.lock file and found 1 package
 Scanned <rootdir>/testdata/locks-one-with-nested/yarn.lock file and found 1 package
-Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
 No issues found
 
 ---
@@ -74,7 +73,6 @@ Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the
 [Test_run_SubCommands/with_no_subcommand - 1]
 Scanning dir ./testdata/locks-many/composer.lock
 Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package
-Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
 No issues found
 
 ---
@@ -86,7 +84,6 @@ No issues found
 [Test_run_SubCommands/with_scan_subcommand - 1]
 Scanning dir ./testdata/locks-many/composer.lock
 Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package
-Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
 No issues found
 
 ---

cmd/osv-scanner/mcp/__snapshots__/integration_test.snap

@@ -24,7 +24,6 @@ lockfile:<rootdir>/testdata/go-project/go.mod: found 1 package with issues
       Severity: '5.9'; Minimal Fix Version: '1.1.0';
 
   1 known vulnerability found in lockfile:<rootdir>/testdata/go-project/go.mod
-Hiding 9 number of vulnerabilities deemed unimportant, use --all-vulns to show them.
 
 
 ---

cmd/osv-scanner/scan/__snapshots__/command_test.snap

@@ -3,7 +3,6 @@
 Scanning dir ./testdata/locks-one-with-nested
 Scanned <rootdir>/testdata/locks-one-with-nested/nested/composer.lock file and found 1 package
 Scanned <rootdir>/testdata/locks-one-with-nested/yarn.lock file and found 1 package
-Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
 No issues found
 
 ---
@@ -38,7 +37,6 @@ OPTIONS:
 [TestCommand_SubCommands/with_no_subcommand - 1]
 Scanning dir ./testdata/locks-many/composer.lock
 Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package
-Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
 No issues found
 
 ---
@@ -50,7 +48,6 @@ No issues found
 [TestCommand_SubCommands/with_scan_subcommand - 1]
 Scanning dir ./testdata/locks-many/composer.lock
 Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package
-Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
 No issues found
 
 ---

cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_Docker.yaml

@@ -144,39 +144,39 @@ interactions:
               "vulns": [
                 {
                   "id": "ALPINE-CVE-2024-13176",
-                  "modified": "2026-02-08T14:01:04.651262Z"
+                  "modified": "2026-02-08T14:17:02.498117Z"
                 },
                 {
                   "id": "ALPINE-CVE-2024-9143",
-                  "modified": "2025-12-03T22:01:07.768386Z"
+                  "modified": "2025-12-03T22:57:50.413061Z"
                 }
               ]
             },
             {
               "vulns": [
                 {
                   "id": "ALPINE-CVE-2024-13176",
-                  "modified": "2026-02-08T14:01:04.651262Z"
+                  "modified": "2026-02-08T14:17:02.498117Z"
                 },
                 {
                   "id": "ALPINE-CVE-2024-9143",
-                  "modified": "2025-12-03T22:01:07.768386Z"
+                  "modified": "2025-12-03T22:57:50.413061Z"
                 }
               ]
             },
             {
               "vulns": [
                 {
                   "id": "ALPINE-CVE-2025-26519",
-                  "modified": "2025-12-11T11:01:04.579010Z"
+                  "modified": "2025-12-11T11:16:21.978419Z"
                 }
               ]
             },
             {
               "vulns": [
                 {
                   "id": "ALPINE-CVE-2025-26519",
-                  "modified": "2025-12-11T11:01:04.579010Z"
+                  "modified": "2025-12-11T11:16:21.978419Z"
                 }
               ]
             },

cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_ExplicitExtractors_WithDefaults.yaml

@@ -128,7 +128,7 @@ interactions:
       proto: HTTP/2.0
       proto_major: 2
       proto_minor: 0
-      content_length: 364
+      content_length: 220
       body: |
         {
           "results": [
@@ -138,7 +138,7 @@ interactions:
               "vulns": [
                 {
                   "id": "ALPINE-CVE-2021-36159",
-                  "modified": "2025-12-03T22:01:06.565906Z"
+                  "modified": "2025-12-03T22:50:23.251262Z"
                 }
               ]
             },
@@ -157,23 +157,15 @@ interactions:
               "vulns": [
                 {
                   "id": "ALPINE-CVE-2022-37434",
-                  "modified": "2025-12-03T22:01:07.191575Z"
-                },
-                {
-                  "id": "ALPINE-CVE-2026-22184",
-                  "modified": "2026-03-09T02:10:12.057314Z"
-                },
-                {
-                  "id": "ALPINE-CVE-2026-27171",
-                  "modified": "2026-03-09T02:09:33.041671Z"
+                  "modified": "2025-12-03T22:50:43.469206Z"
                 }
               ]
             }
           ]
         }
       headers:
         Content-Length:
-          - "364"
+          - "220"
         Content-Type:
           - application/json
       status: 200 OK
@@ -309,7 +301,7 @@ interactions:
               "vulns": [
                 {
                   "id": "ALPINE-CVE-2021-36159",
-                  "modified": "2025-12-03T22:01:06.565906Z"
+                  "modified": "2025-12-03T22:50:23.251262Z"
                 }
               ]
             },
@@ -464,7 +456,7 @@ interactions:
               "vulns": [
                 {
                   "id": "ALPINE-CVE-2021-36159",
-                  "modified": "2025-12-03T22:01:06.565906Z"
+                  "modified": "2025-12-03T22:50:23.251262Z"
                 }
               ]
             },
@@ -619,7 +611,7 @@ interactions:
               "vulns": [
                 {
                   "id": "ALPINE-CVE-2021-36159",
-                  "modified": "2025-12-03T22:01:06.565906Z"
+                  "modified": "2025-12-03T22:50:23.251262Z"
                 }
               ]
             },

cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_ExplicitExtractors_WithoutDefaults.yaml

@@ -30,31 +30,23 @@ interactions:
       proto: HTTP/2.0
       proto_major: 2
       proto_minor: 0
-      content_length: 241
+      content_length: 97
       body: |
         {
           "results": [
             {
               "vulns": [
                 {
                   "id": "ALPINE-CVE-2022-37434",
-                  "modified": "2025-12-03T22:01:07.191575Z"
-                },
-                {
-                  "id": "ALPINE-CVE-2026-22184",
-                  "modified": "2026-03-09T02:10:12.057314Z"
-                },
-                {
-                  "id": "ALPINE-CVE-2026-27171",
-                  "modified": "2026-03-09T02:09:33.041671Z"
+                  "modified": "2025-12-03T22:50:43.469206Z"
                 }
               ]
             }
           ]
         }
       headers:
         Content-Length:
-          - "241"
+          - "97"
         Content-Type:
           - application/json
       status: 200 OK