
Conversation

@kylos101
Contributor

Description

Updates grype from v0.90.0 to v0.91.0 to fix a nil pointer dereference panic during vulnerability database hydration.

Problem

Grype v0.90.0 contains a bug where the Hydrater() function attempts to close a database store without checking if it's nil. When database initialization fails, this causes a segmentation fault.

Solution

Upgrade to grype v0.91.0, which includes the fix from anchore/grype#2546.

Changes

  • Update github.com/anchore/grype from v0.90.0 to v0.91.0
  • Update transitive dependencies via go mod tidy
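An added example, mine rather than code from this PR or from grype, showing the close-on-nil pattern the description refers to next to the guard that avoids it. The dbStore type, the initStore failure path and the two hydrate functions are assumptions standing in for grype's real Hydrater and database store; the typed-nil case at the end is the variant of the same bug that a plain nil check on an interface value misses.

```go
package main

import (
	"fmt"
)

// dbStore stands in for a vulnerability-database store handle. The name and shape are
// assumptions for this example; this is not grype's store type.
type dbStore struct {
	path   string
	closed bool
}

// Close writes through the receiver, so calling it on a nil *dbStore panics with a nil
// pointer dereference, the failure mode the description attributes to v0.90.0.
func (s *dbStore) Close() error {
	s.closed = true
	return nil
}

// initStore simulates database initialization. When fail is true it returns a nil
// store together with an error: the (nil, err) shape that reached Close in the bug.
func initStore(path string, fail bool) (*dbStore, error) {
	if fail {
		return nil, fmt.Errorf("initialize %s: constructed failure", path)
	}
	return &dbStore{path: path}, nil
}

// hydrateUnchecked reproduces the bug pattern: Close is deferred before the init error
// is inspected, so on failure the deferred call dereferences a nil store.
func hydrateUnchecked(path string, fail bool) error {
	s, err := initStore(path, fail)
	defer s.Close() // bug: s is nil whenever err != nil
	if err != nil {
		return err
	}
	return nil
}

// hydrateChecked is the corrected pattern: return on the init error before any Close
// is scheduled, and guard the deferred Close against a nil store anyway.
func hydrateChecked(path string, fail bool) error {
	s, err := initStore(path, fail)
	if err != nil {
		return fmt.Errorf("hydrate: %w", err)
	}
	defer func() {
		if s != nil {
			_ = s.Close()
		}
	}()
	return nil
}

// closer is the minimal interface a store handle satisfies.
type closer interface{ Close() error }

// safeClose handles the typed-nil trap: an interface holding a nil *dbStore is not
// == nil, so "c != nil" alone does not protect Close. The concrete pointer is checked too.
func safeClose(c closer) (skipped bool, err error) {
	if c == nil {
		return true, nil
	}
	if s, ok := c.(*dbStore); ok && s == nil {
		return true, nil
	}
	return false, c.Close()
}

// run invokes fn and reports whether it panicked, so the crash can be observed without
// taking the process down.
func run(fn func() error) (panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked, err = true, fmt.Errorf("panic: %v", r)
		}
	}()
	return false, fn()
}

func main() {
	for _, fail := range []bool{false, true} {
		p, err := run(func() error { return hydrateUnchecked("vulnerability.db", fail) })
		fmt.Printf("unchecked fail=%v: panicked=%v err=%v\n", fail, p, err)
		p, err = run(func() error { return hydrateChecked("vulnerability.db", fail) })
		fmt.Printf("checked   fail=%v: panicked=%v err=%v\n", fail, p, err)
	}
}
```

Running it shows the unchecked variant panicking only on the failing initialization, which is why the bug surfaces when the database cannot be opened rather than on the normal path. The safeClose helper is there because moving from a concrete *dbStore to an interface-typed field reintroduces the crash unless the concrete pointer is checked.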

kylos101 and others added 2 commits December 26, 2025 12:09
Grype v0.90.0 has a bug in the Hydrater() function that causes a panic
when database initialization fails. The function attempts to close a nil
store pointer without checking if it's nil first.

This was fixed in v0.91.0 via anchore/grype#2546.

Co-authored-by: Ona <[email protected]>
@kylos101
Contributor Author

Changes in 394e89a were to fix golangci-lint errors.

@kylos101 kylos101 marked this pull request as ready for review December 26, 2025 12:14
@kylos101
Contributor Author

I didn't bump to the latest version of grype. This is because that results in a conflict with runc, which we'd need to also update, but is a bigger change than I'd like to take on in this PR.

Background:

Grype v0.104.3 requires [email protected], which is incompatible with [email protected].

Summary of the Build Error

Bumping grype to v0.104.3 causes a dependency conflict:

  • grype v0.104.3 → requires [email protected]
  • runc v1.2.3 → requires [email protected] and uses the old API
  • Go's module system resolves to [email protected] (the newer version)
  • runc v1.2.3 code breaks because MkdirAllHandle was removed from the root package in v0.6.x

The error:

    /go/pkg/mod/github.com/opencontainers/[email protected]/libcontainer/utils/utils_unix.go:337:20:
    undefined: securejoin.MkdirAllHandle

Why it happens:

  • In [email protected]: MkdirAllHandle is in the root package
  • In [email protected]: MkdirAllHandle was moved to the pathrs-lite subpackage and removed from root

To fix this, you would need:

  • Either downgrade grype (what we did with v0.91.0)
  • Or update runc to a version compatible with filepath-securejoin v0.6.x
  • Or wait for grype to update its dependencies to resolve this conflict

This is why v0.91.0 is the safe choice - it doesn't require Go version bumps and avoids this dependency conflict.

Contributor

@leodido leodido left a comment


SGTM (unblock)

@kylos101 kylos101 merged commit 0b10eee into main Dec 26, 2025
7 checks passed
3 participants