
Security: Improve OSV Scanner configuration and usage #94

@m-marinucci

Context

As identified in PR #89 review, using CMakeLists.txt as a lockfile for OSV Scanner may not yield accurate results.

Current Issue

osv-scanner --lockfile=tol-master/tol/CMakeLists.txt --format=json

Problems:

  • CMakeLists.txt is not a package manager lockfile
  • OSV Scanner expects specific lockfile formats
  • May miss vulnerabilities or produce false results

Proposed Solution

1. Use Recursive Scanning

# Scan entire project recursively
osv-scanner --recursive tol-master/ --format=json --output=osv-results.json

# Or scan specific directories
osv-scanner --directory tol-master/tol --format=json

2. Create Proper Dependency Manifests

For C++ projects, consider:

  • Using vcpkg with vcpkg.json
  • Conan with conanfile.txt
  • CMake's FetchContent with proper versioning

3. Enhanced Security Scanning

- name: Comprehensive Security Scan
  run: |
    # osv-scanner exits non-zero when it finds vulnerabilities; GitHub runs this
    # step with `bash -e`, so disable errexit or the step aborts before the
    # results are combined below
    set +e

    # Scan for known vulnerabilities across the whole tree
    osv-scanner --recursive . --format=json --output=osv-scan.json

    # Scan git dependencies
    osv-scanner --git . --format=json --output=osv-git.json

    # Scan the Conan manifest explicitly when one exists, writing to a file so
    # its findings are not lost to stdout
    if [ -f conanfile.txt ]; then
        osv-scanner --lockfile=conanfile.txt --format=json --output=osv-conan.json
    fi

    # Combine results. `jq -s '.[0] + .[1]'` would add the top-level objects and
    # keep only the second file's "results" key, silently dropping the first
    # scan's findings; concatenating the "results" arrays keeps every finding
    jq -s '{results: (map(.results) | add)}' osv-*.json > combined-results.json
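As an added example (not code from the issue or the project), the result-combining step done in Python so the merge and the CI gate can be reasoned about: it unions findings from any number of osv-scanner JSON reports, collapses duplicates by package and vulnerability id, and shows why object addition loses findings. The report shape is assumed from osv-scanner's JSON output, and the two sample reports are constructed.

```python
import json
import sys
from collections import defaultdict
# Constructed sample reports in the JSON shape osv-scanner writes (assumed here):
# {"results": [{"source": ..., "packages": [{"package": ..., "vulnerabilities": [...]}]}]}
SCAN_A = {"results": [{"source": {"path": "conanfile.txt", "type": "lockfile"}, "packages": [
    {"package": {"name": "libalpha", "version": "1.0.0", "ecosystem": "ConanCenter"},
     "vulnerabilities": [{"id": "OSV-EXAMPLE-0001", "aliases": ["CVE-EXAMPLE-0001"]},
                         {"id": "OSV-EXAMPLE-0002", "aliases": []}]}]}]}
SCAN_B = {"results": [{"source": {"path": "tol/conanfile.txt", "type": "lockfile"}, "packages": [
    {"package": {"name": "libalpha", "version": "1.0.0", "ecosystem": "ConanCenter"},
     "vulnerabilities": [{"id": "OSV-EXAMPLE-0001", "aliases": ["CVE-EXAMPLE-0001"]}]},
    {"package": {"name": "libbeta", "version": "2.3.4", "ecosystem": "ConanCenter"},
     "vulnerabilities": [{"id": "OSV-EXAMPLE-0003", "aliases": []}]}]}]}

def iter_findings(report):
    """Yield ((ecosystem, name, version), vuln_id, aliases) for every finding."""
    for result in report.get("results") or []:
        for pkg in result.get("packages") or []:
            p = pkg.get("package", {})
            key = (p.get("ecosystem", ""), p.get("name", ""), p.get("version", ""))
            for vuln in pkg.get("vulnerabilities") or []:
                yield key, vuln.get("id", ""), sorted(vuln.get("aliases") or [])

def merge_reports(reports):
    """Union of all reports: {package_key: {vuln_id: aliases}}, duplicates collapsed."""
    merged = defaultdict(dict)
    for report in reports:
        for key, vuln_id, aliases in iter_findings(report):
            merged[key].setdefault(vuln_id, aliases)
    return dict(merged)

def naive_merge(a, b):
    """Equivalent of `jq -s '.[0] + .[1]'`: object addition keeps only b's "results"."""
    return {**a, **b}

def summarize(merged):
    """(vulnerable packages, unique vulnerability ids): the numbers a CI gate needs."""
    return len(merged), len({v for vulns in merged.values() for v in vulns})

def main(paths):
    merged = merge_reports([json.load(open(p)) for p in paths])
    for (eco, name, ver), vulns in sorted(merged.items()):
        print(f"{eco}/{name}@{ver}: {', '.join(sorted(vulns))}")
    n_pkgs, n_vulns = summarize(merged)
    print(f"{n_pkgs} vulnerable package(s), {n_vulns} unique vulnerability id(s)")
    return 1 if n_vulns else 0  # non-zero exit fails the CI step when anything is found

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python merge_osv.py osv-scan.json osv-git.json osv-conan.json` after the scans; with the constructed samples, the proper merge reports three unique ids while the naive merge reports only two.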

4. Alternative Scanning Approaches

  • Use GitHub's dependency graph API
  • Integrate with OWASP Dependency Check
  • Implement CPE-based vulnerability scanning

Benefits

  • More accurate vulnerability detection
  • Better coverage of dependencies
  • Reduced false positives
  • Compliance with security best practices

Action Items

  • Research best practices for C++ dependency scanning
  • Evaluate different security scanning tools
  • Create dependency manifest if applicable
  • Document security scanning process

Related: PR #89

Labels: enhancement (New feature or request)
