test(output): make paths absolute

[G-Rath]

We expect the source information given to output to always be an absolute path, but our internal fixtures are currently using relative paths, so this changes that.

Note that this is about making the existing snapshots accurate to our current output even if that isn't something we like - if anyone feels something should be changed as a result of this, please file an issue

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.07%. Comparing base (6e5607b) to head (10df4ac).
⚠️ Report is 464 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2034      +/-   ##
==========================================
- Coverage   66.09%   66.07%   -0.02%     
==========================================
  Files         172      172              
  Lines       16214    16214              
==========================================
- Hits        10716    10713       -3     
- Misses       4848     4850       +2     
- Partials      650      651       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[G-Rath]

@another-rex so I think I've got this sorted for the output package, but it looks like container scanning does pass through relative paths:

This seems to be by design e.g. for lib/apk/db/installed, that is the exact path being checked for by the os/apk extractor, which makes sense as the Path property is meant to be relative to the Root - so if we're saying output should always be given absolute paths, we might need to have the container path sort that out...

That shouldn't be a blocker for this though so I can create an issue and we can go from there - there's also the question on if we want to include any runtime or test-only checks to help catch this in future

(since I'm about to remove the check, here's a link to the run: https://github.com/google/osv-scanner/actions/runs/16154653469/job/45594387172?pr=2034)

[another-rex]

It should be a simple fix, as all container scanning should be relative to root, we just need to add a loop in ScanContainer to add / to all Locations that pop out of ScanContainer.

[another-rex]

Or try setting StoreAbsolutePath to be true in the config for ScanContainer() call.

[another-rex]

Need to merge and rerun the snapshots, because of #2064