From 875e0031861a228034e2991743b4e6908a0f4cc0 Mon Sep 17 00:00:00 2001
From: Brad Geesaman <3769609+bgeesaman@users.noreply.github.com>
Date: Wed, 27 May 2026 10:02:17 -0400
Subject: [PATCH] GHO-11706: bump bundled osv-scanner to v2.3.8 to clear CVEs

The bundled osv-scanner binary in v2.0.1 is built with go1.26.1, which is in-range for CVE-2026-32281, -32280, -32283, and -33810 (TLS / crypto/x509 issues). osv-scanner v2.3.6+ ships with go1.26.2, picking up all four fixes. Bump the pin in goreleaser, the CI workflow, and the local download script.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/test.go.yml | 2 +-
 .goreleaser.yaml | 2 +-
 scripts/download-osv-scanner.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/test.go.yml b/.github/workflows/test.go.yml
index 878ea0b..1ec8573 100644
--- a/.github/workflows/test.go.yml
+++ b/.github/workflows/test.go.yml
@@ -5,7 +5,7 @@ on:
 pull_request:
 workflow_dispatch:
 env:
- OSV_VERSION: 'v2.3.5'
+ OSV_VERSION: 'v2.3.8'
 jobs:
 test-x86:
 name: Go Test
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 8a245a7..06cd36f 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -3,7 +3,7 @@ version: 2
 project_name: wraith
 env:
- - OSV_VERSION=v2.3.5
+ - OSV_VERSION=v2.3.8
 before:
 hooks:
diff --git a/scripts/download-osv-scanner.sh b/scripts/download-osv-scanner.sh
index cae0ff5..56cfdba 100755
--- a/scripts/download-osv-scanner.sh
+++ b/scripts/download-osv-scanner.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e
-OSV_VERSION="${OSV_VERSION:-v2.3.5}"
+OSV_VERSION="${OSV_VERSION:-v2.3.8}"
 BUILD_DIR="build/osv-scanner"
 echo "Downloading osv-scanner ${OSV_VERSION}..."