osv-scanner: check should not fail for backend vulnerabilities in Grafana dependencies #453

@xnyo

Description

I tried running the validator in https://github.com/grafana/plugins-drone-to-gha with grafana/grafana-plugin-sdk-go@v0.250.0 and I got the following errors from osv-scanner:

::error title=plugin-validator: Error: osv-scanner detected a high severity issue::SEVERITY: HIGH in package github.com/getkin/kin-openapi, vulnerable to CVE-2025-30153 GO-2025-3533
::error title=plugin-validator: Error: osv-scanner detected high severity issues::osv-scanner detected 1 unique high severity issues for lockfile: /workspace/go.mod
::error title=plugin-validator: Error: osv-scanner detected a high severity issue::SEVERITY: HIGH in package cross-spawn, vulnerable to CVE-2024-21538
::error title=plugin-validator: Error: osv-scanner detected a critical severity issue::SEVERITY: CRITICAL in package form-data, vulnerable to CVE-2025-7783
::error title=plugin-validator: Error: osv-scanner detected a high severity issue::SEVERITY: HIGH in package playwright, vulnerable to CVE-2025-59288
::error title=plugin-validator: Error: osv-scanner detected a high severity issue::SEVERITY: HIGH in package ws, vulnerable to CVE-2024-37890
::error title=plugin-validator: Error: osv-scanner detected critical severity issues::osv-scanner detected 1 unique critical severity issues for lockfile: /workspace/package-lock.json
::error title=plugin-validator: Error: osv-scanner detected high severity issues::osv-scanner detected 3 unique high severity issues for lockfile: /workspace/package-lock.json

github.com/getkin/kin-openapi is a dependency of the SDK, not the plugin, but it's still being reported by the validator.

We should exclude Grafana dependencies from osv-scanner, similar to what we do with the JavaScript dependencies:

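The check this issue asks for, written out as an added example (not code from plugin-validator, osv-scanner or the SDK): given `go mod graph` output, decide whether a vulnerable Go module is reachable from the plugin only through grafana-plugin-sdk-go, in which case the finding is the SDK's to fix and can be surfaced without failing the check. The module graph, the `example.com/myplugin` module and all versions except the SDK's are constructed for the example.

```go
package main

import "strings"

// Constructed `go mod graph` output for a hypothetical plugin module (made-up versions); each line is one edge.
const sampleModGraph = `example.com/myplugin github.com/grafana/grafana-plugin-sdk-go@v0.250.0
example.com/myplugin github.com/stretchr/testify@v1.9.0
example.com/myplugin google.golang.org/grpc@v1.67.0
github.com/grafana/grafana-plugin-sdk-go@v0.250.0 github.com/getkin/kin-openapi@v0.128.0
github.com/grafana/grafana-plugin-sdk-go@v0.250.0 google.golang.org/grpc@v1.67.0`

// parseModGraph turns `go mod graph` text into an adjacency list keyed by module path.
func parseModGraph(text string) map[string][]string {
	graph := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			from, _, _ := strings.Cut(f[0], "@") // drop "@version": compare by path only
			to, _, _ := strings.Cut(f[1], "@")
			graph[from] = append(graph[from], to)
		}
	}
	return graph
}

// reachableAvoiding reports whether target is reachable from root on a path that never
// enters the blocked module (BFS; pass blocked="" to block nothing).
func reachableAvoiding(graph map[string][]string, root, blocked, target string) bool {
	seen := map[string]bool{root: true}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		if queue[0] == target {
			return true
		}
		for _, next := range graph[queue[0]] {
			if next != blocked && !seen[next] {
				seen[next] = true
				queue = append(queue, next)
			}
		}
	}
	return false
}

// classifyFinding decides who owns a vulnerable module: "plugin" when the plugin reaches it
// without the SDK (it can bump it itself), "sdk-only" when every path runs through the SDK
// (report it, but do not fail the check), "absent" when it is not in the graph at all.
func classifyFinding(graph map[string][]string, root, sdk, vulnerable string) string {
	switch {
	case reachableAvoiding(graph, root, sdk, vulnerable):
		return "plugin"
	case reachableAvoiding(graph, root, "", vulnerable):
		return "sdk-only"
	}
	return "absent"
}
```

The real input is `go mod graph` run inside the plugin module. Note that it lists requirement edges rather than the pruned build list, so a module may appear reachable even though the selected version is not the vulnerable one; the osv-scanner finding itself still decides which version is in the build.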
Labels: bug (Something isn't working)
Status: 💡 Ideation