feat: replace lockfile with extractors from osv-scalibr

__snapshots__/main_test.snap

@@ -847,7 +847,7 @@ testdata/locks-empty/composer.lock: found 0 packages
 ---
 
 [TestRun_ParseAsGlobal/#02 - 2]
-Error, could not parse testdata/locks-empty/Gemfile.lock: unexpected end of JSON input
+Error, could not parse testdata/locks-empty/Gemfile.lock: EOF
 Error, could not parse testdata/locks-empty/yarn.lock: invalid character '#' looking for beginning of value
 
 ---
@@ -877,7 +877,7 @@ testdata/locks-insecure/my-package-lock.json: found 1 package
 ---
 
 [TestRun_ParseAsGlobal/#03 - 2]
-Error, could not parse testdata/locks-empty/Gemfile.lock: unexpected end of JSON input
+Error, could not parse testdata/locks-empty/Gemfile.lock: EOF
 Error, could not parse testdata/locks-empty/yarn.lock: invalid character '#' looking for beginning of value
 
 ---
@@ -991,7 +991,7 @@ testdata/locks-empty/composer.lock: found 0 packages
 ---
 
 [TestRun_ParseAsSpecific/#04 - 2]
-Error, could not parse testdata/locks-empty/Gemfile.lock: unexpected end of JSON input
+Error, could not parse testdata/locks-empty/Gemfile.lock: EOF
 Error, could not parse testdata/locks-empty/yarn.lock: invalid character '#' looking for beginning of value
 
 ---
@@ -1021,7 +1021,7 @@ testdata/locks-insecure/my-package-lock.json: found 1 package
 ---
 
 [TestRun_ParseAsSpecific/#05 - 2]
-Error, could not parse testdata/locks-empty/Gemfile.lock: unexpected end of JSON input
+Error, could not parse testdata/locks-empty/Gemfile.lock: EOF
 Error, could not parse testdata/locks-empty/yarn.lock: invalid character '#' looking for beginning of value
 
 ---

go.mod

@@ -8,25 +8,65 @@ require (
 	github.com/gkampitakis/go-snaps v0.5.15
 	github.com/google/go-cmp v0.7.0
 	github.com/google/osv-scalibr v0.4.1-0.20251202121049-5e7e15f4a036
-	github.com/tidwall/jsonc v0.3.2
 	golang.org/x/mod v0.30.0
 	golang.org/x/sync v0.17.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
+	bitbucket.org/creachadair/stringset v0.0.14 // indirect
+	github.com/CycloneDX/cyclonedx-go v0.9.2 // indirect
+	github.com/anchore/go-lzo v0.1.0 // indirect
+	github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/diskfs/go-diskfs v1.7.0 // indirect
+	github.com/djherbis/times v1.6.0 // indirect
+	github.com/dsoprea/go-exfat v0.0.0-20190906070738-5e932fbdb589 // indirect
+	github.com/dsoprea/go-logging v0.0.0-20200710184922-b02d349568dd // indirect
+	github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab // indirect
 	github.com/gkampitakis/ciinfo v0.3.2 // indirect
 	github.com/gkampitakis/go-diff v1.3.2 // indirect
+	github.com/go-errors/errors v1.0.2 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.6.2 // indirect
+	github.com/go-git/go-git/v5 v5.16.2 // indirect
+	github.com/go-restruct/restruct v1.2.0-alpha // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-yaml v1.18.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
+	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect
 	github.com/maruel/natural v1.1.1 // indirect
+	github.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/rogpeppe/go-internal v1.13.1 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/ossf/osv-schema/bindings/go v0.0.0-20251029033743-5e05f9d00d92 // indirect
+	github.com/package-url/packageurl-go v0.1.3 // indirect
+	github.com/pierrec/lz4/v4 v4.1.17 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pkg/xattr v0.4.9 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+	github.com/spdx/tools-golang v0.5.5 // indirect
+	github.com/thoas/go-funk v0.9.3 // indirect
 	github.com/tidwall/gjson v1.18.0 // indirect
+	github.com/tidwall/jsonc v0.3.2 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tidwall/sjson v1.2.5 // indirect
+	github.com/ulikunitz/xz v0.5.11 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.17.0 // indirect
+	golang.org/x/net v0.43.0 // indirect
 	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
+	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	www.velocidex.com/golang/go-ntfs v0.2.0 // indirect
 )