feat: fetch Maven metadata from specified repositories

[cuixq]

#1045

There are repositories defined in a Maven pom.xml. When looking for an artifact, these repositories are searched one by one until the artifact is found. Maven Central is the default registry to try at the last.

To support this behaviour, this PR:

• makes MavenRegistryAPIClient host a list of registries besides the default registry
• adds UpdateRegistries to DependencyClient to update the registries
• adds a new flag to specify the default maven registry for fix
• add new experimental options to scan to align with what we have for fix

TODO:

• still need to update documentation for new options/flags
• update deps.dev Maven resolver for mutil-registry resolution
• record not found requests to optimize performance

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 66.48936% with 63 lines in your changes missing coverage. Please review.

Project coverage is 68.88%. Comparing base (1d94b4a) to head (9be580e).

Files with missing lines	Patch %	Lines
internal/manifest/maven.go	40.00%	11 Missing and 4 partials ⚠️
internal/resolution/datasource/maven_registry.go	85.07%	7 Missing and 3 partials ⚠️
internal/utility/maven/maven.go	47.05%	6 Missing and 3 partials ⚠️
...nternal/resolution/client/maven_registry_client.go	53.33%	5 Missing and 2 partials ⚠️
cmd/osv-scanner/fix/noninteractive.go	57.14%	4 Missing and 2 partials ⚠️
internal/resolution/manifest/maven.go	45.45%	4 Missing and 2 partials ⚠️
cmd/osv-scanner/scan/main.go	66.66%	2 Missing and 1 partial ⚠️
pkg/osvscanner/osvscanner.go	84.21%	2 Missing and 1 partial ⚠️
cmd/osv-scanner/fix/main.go	50.00%	1 Missing ⚠️
internal/resolution/client/npm_registry_client.go	0.00%	1 Missing ⚠️
... and 2 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1286      +/-   ##
==========================================
+ Coverage   68.22%   68.88%   +0.65%     
==========================================
  Files         178      178              
  Lines       17235    17346     +111     
==========================================
+ Hits        11759    11948     +189     
+ Misses       4835     4728     -107     
- Partials      641      670      +29     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[michaelkedar]

A few initial comments

[michaelkedar]

Not sure about using []string here: npm for example would want a map for {"@scope": "url"} (if we were to implement it), and both would eventually need authentication information per url.

Could this take in a Manifest? (but we'd also need to work with lockfiles...)

[cuixq]

I think it makes sense to make this function take a slice of struct instead of a slice of string - there is also Maven specific information I want to add to this struct e.g. if it is allowed to download snapshots.

[oliverchang]

Looks mostly good with some nits/questions.

[oliverchang]

do we need to clear any existing registries? Update implies we will overwrite all existing ones?

[cuixq]

We don't want to clear the existing registries - maybe this should be renamed to AddRegistries and have another SetRegistries to clear and set the registries (though not sure if this has any use case)

[cuixq]

I mark this PR to draft - the registries should not be added when importing dependencies, but that is now done by MergeParents for all cases.

[michaelkedar]

LGTM - just a couple of small things

[michaelkedar]

Maybe don't write the cache file at the moment.
It gets saved as pom.xml.resolve.deps / pom.xml.resolve.maven next to the pom.xml file, and we probably don't want users accidentally committing this (large) file to their repos - especially since the file is undocumented and transitive scanning isn't marked as experimental.

[michaelkedar]

nit: maybe call this just WithoutRegistries - it could be a bit confusing since the cache ends up shared between 'copies'