Add a new Maven pom.xml extractor

[cuixq]

The new Maven lockfile extractor aims to resolve the full Maven dependency graph to provide better transitive support #35. This is an experimental feature for now.

This PR uses deps.dev util package to parse Maven pom.xml, also calls deps.dev API for available versions when resolving a range requirement.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 77.50000% with 18 lines in your changes are missing coverage. Please review.

Project coverage is 64.24%. Comparing base (5eed7e8) to head (609e62d).
Report is 5 commits behind head on main.

Files	Patch %	Lines
internal/manifest/maven.go	77.50%	12 Missing and 6 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #982      +/-   ##
==========================================
+ Coverage   64.05%   64.24%   +0.18%     
==========================================
  Files         146      148       +2     
  Lines       11977    12088     +111     
==========================================
+ Hits         7672     7766      +94     
- Misses       3853     3864      +11     
- Partials      452      458       +6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[oliverchang]

LGTM with a question! Also, can you please update your PR title to reflect that this is a version of an extractor that's intended to resolve the full transitive graph?

Also reference #35 in your PR description.

[oliverchang]

Question: do you think we'll ever run into cases where we need to parallelise requests to minimize latency?

[cuixq]

I think this will be likely to happen - my plan is to make pkg/depsdev handle all requests (parallelised) to deps.dev.

[G-Rath]

fwiw I'm not sure that it makes sense to land this in its current form given that it's not being actually being used and violates the "offline" contract, which I don't think we can necessarily address with the current interface so landing it as-is might prematurely lock us into a public API we immediately want to change.

[oliverchang]

fwiw I'm not sure that it makes sense to land this in its current form given that it's not being actually being used and violates the "offline" contract, which I don't think we can necessarily address with the current interface so landing it as-is might prematurely lock us into a public API we immediately want to change.

That's a good point. Is there an easy way we can keep this interface private, while being able to use it ourselves?

Alternatively, we can just add some clear documentation to the relevant functions to say: this is experimental and can break.

[oliverchang]

Following up on this, the right way to do this for now is probably:

• Move this to an "resolverExtractor or something similar under internal.
• Modify

  osv-scanner/pkg/osvscanner/osvscanner.go

  Line 344 in 055ef05

  func scanLockfile(r reporter.Reporter, path string, parseAs string) ([]scannedPackage, error) {

  to prefer this internal resolverExtractor where it exists for a given lockfile? If --offline is passed, then we ignore these.

WDYT @cuixq @G-Rath ?

[cuixq]

For now, I would prefer keeping the new extractor in internal folder so we can experiment it without breaking anything.

When it's ready enough, we can think about how to enable this with the offline mode, which could be something similar to the second option.

[G-Rath]

fwiw if you want to enable experimental support for it without a lot of work, you should be able to add it as a custom parser here

[another-rex]

Thanks! mostly LGTM, added some comments/questions

[another-rex]

nit: Add an example in the function comment of what the output looks like.

[cuixq]

This is a duplicate from pkg/lockfile since I reuse the tests there...

[another-rex]

Is the dependency name always unique? e.g. could there be the same dependency at different versions (and recorded twice in the Dependencies array)

I'm guessing it's intentional that this is overwriting so that the last version is always the one resolved, can you add a comment a comment here clarifying this.

[cuixq]

I would say don't worry about this too much for now since the logic will be overwritten soon (including how managed dependencies would work).

I copied these code from the current Maven extractor is sort of PoC that deps.dev Maven parser should return the same results if we use the same logic.

[another-rex]

Comment here as well

[another-rex]

Can you clarify the difference between what it's currently doing (querying deps.dev) vs invoking the Maven resolver?

[cuixq]

For now we only return the greatest version matching the constraint based on the versions returned by deps.dev for range requirements, however, this may not be the version that is in the dependency graph.

To figure out the exact version in the dependency graph, we need help from Maven resolver.