chore: update OSV-Scanner to v2.0.2 (#397)

Also add a Makefile to allow vulnerability scans of dependencies to be
run locally more easily.

- `make scan` to scan all components.
- `make component=core scan` to scan only the core component.
- `make clean` to remove Gradle lockfiles used for scans.

Author: bestbeforetoday

.editorconfig

@@ -22,3 +22,6 @@ indent_size = 2
 
 [.gitmodules]
 indent_style = tab
+
+[Makefile]
+indent_style = tab

.github/workflows/pr.yml

@@ -52,10 +52,8 @@ jobs:
           distribution: 'temurin'
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@v4
-      - name: Create Gradle lockfile
-        run: ./gradlew :${{ matrix.project }}:dependencies --write-locks
       - name: Scan
-        run: docker run --rm -v "${PWD}/${{ matrix.project }}/gradle.lockfile:/gradle.lockfile" ghcr.io/google/osv-scanner:v2.0.0 scan --lockfile /gradle.lockfile
+        run: make component=${{ matrix.project }} scan
   java:
     name: Build and Test Java
     runs-on: ubuntu-latest

Makefile

@@ -0,0 +1,20 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+OSV_SCANNER_IMAGE := ghcr.io/google/osv-scanner:v2.0.2
+
+.PHONY: scan
+scan:
+ifdef component
+	./gradlew --quiet ':$(component):dependencies' --write-locks --configuration runtimeClasspath
+	docker run --rm --volume './$(component)/gradle.lockfile:/gradle.lockfile' $(OSV_SCANNER_IMAGE) scan --lockfile /gradle.lockfile
+else
+	$(MAKE) component=core scan
+	$(MAKE) component=isthmus scan
+	$(MAKE) component=isthmus-cli scan
+endif
+
+.PHONY: clean
+clean:
+	find . -depth 2 -type f -name gradle.lockfile -delete -print