feat: fetch Maven metadata from specified repositories

[cuixq]

#1045

There are repositories defined in a Maven pom.xml. When looking for an artifact, these repositories are searched one by one until the artifact is found. Maven Central is the default registry to try at the last.

To support this behaviour, this PR:

• makes MavenRegistryAPIClient host a list of registries besides the default registry
• adds UpdateRegistries to DependencyClient to update the registries
• adds a new flag to specify the default maven registry for fix
• add new experimental options to scan to align with what we have for fix

TODO:

• still need to update documentation for new options/flags
• update deps.dev Maven resolver for mutil-registry resolution
• record not found requests to optimize performance

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 67.02703% with 61 lines in your changes missing coverage. Please review.

Project coverage is 68.43%. Comparing base (a5a1e29) to head (b0295ef).

Files with missing lines	Patch %	Lines
internal/manifest/maven.go	45.45%	9 Missing and 3 partials ⚠️
internal/resolution/datasource/maven_registry.go	85.07%	7 Missing and 3 partials ⚠️
internal/utility/maven/maven.go	47.05%	6 Missing and 3 partials ⚠️
...nternal/resolution/client/maven_registry_client.go	53.33%	5 Missing and 2 partials ⚠️
cmd/osv-scanner/fix/noninteractive.go	57.14%	4 Missing and 2 partials ⚠️
internal/resolution/manifest/maven.go	45.45%	4 Missing and 2 partials ⚠️
cmd/osv-scanner/scan/main.go	66.66%	2 Missing and 1 partial ⚠️
pkg/osvscanner/osvscanner.go	84.21%	2 Missing and 1 partial ⚠️
...al/resolution/clienttest/mock_resolution_client.go	33.33%	2 Missing ⚠️
cmd/osv-scanner/fix/main.go	50.00%	1 Missing ⚠️
... and 2 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1286      +/-   ##
==========================================
+ Coverage   68.09%   68.43%   +0.34%     
==========================================
  Files         183      183              
  Lines       17498    17606     +108     
==========================================
+ Hits        11915    12049     +134     
+ Misses       4942     4895      -47     
- Partials      641      662      +21     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[michaelkedar]

A few initial comments

[michaelkedar]

Not sure about using []string here: npm for example would want a map for {"@scope": "url"} (if we were to implement it), and both would eventually need authentication information per url.

Could this take in a Manifest? (but we'd also need to work with lockfiles...)

[cuixq]

I think it makes sense to make this function take a slice of struct instead of a slice of string - there is also Maven specific information I want to add to this struct e.g. if it is allowed to download snapshots.

[oliverchang]

Looks mostly good with some nits/questions.

[oliverchang]

do we need to clear any existing registries? Update implies we will overwrite all existing ones?

[cuixq]

We don't want to clear the existing registries - maybe this should be renamed to AddRegistries and have another SetRegistries to clear and set the registries (though not sure if this has any use case)

[cuixq]

I mark this PR to draft - the registries should not be added when importing dependencies, but that is now done by MergeParents for all cases.

[michaelkedar]

LGTM - just a couple of small things