🐛 Give inconclusive Vulnerabilities score when osv-scanner panics

[spencerschrock]

What kind of change does this PR introduce?

bug fix

• PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

osv-scanner occasionally panics when analyzing a repository, which crashes Scorecard

While I try to report these and get them fixed upstream, it negatively impacts Scorecard in the meanwhile.

What is the new behavior (if this is a feature change)?**

• We recover from the panics so we can return an inconclusive -1 score for the Vulnerabilities check.
  • Since these runtime errors are logged, they can still be reported upstream to osv-scanner
• Updated osv-scanner for performance related reasons relating to Regexp compilation taking a long time google/osv-scanner#333, which will benefit the cron

• Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

NONE

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

The Vulnerabilities check will now give an inconclusive score if the OSV vulnerabilities client panics instead of crashing Scorecard too.

[codecov]

Codecov Report

Merging #2896 (72cfea5) into main (d31e28a) will decrease coverage by 0.02%.
The diff coverage is 0.00%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2896      +/-   ##
==========================================
- Coverage   51.73%   51.71%   -0.02%     
==========================================
  Files         158      158              
  Lines       12109    12113       +4     
==========================================
  Hits         6264     6264              
- Misses       5480     5484       +4     
  Partials      365      365