google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0
6.26k stars 362 forks

feat: support fetching snapshot versions from a Maven registry #1160

Closed cuixq closed 2 months ago

cuixq commented 3 months ago

https://github.com/google/osv-scanner/issues/1127

Maven snapshot versions cannot be requested directly. Instead, we should request version level metadata first to get the exact version value and then request the pom.xml.

This PR supports fetching snapshot versions by:

codecov-commenter commented 3 months ago

Codecov Report

Attention: Patch coverage is 58.00000% with 21 lines in your changes missing coverage. Please review.

Project coverage is 65.87%. Comparing base (ecd7cc8) to head (83fcad5).

| Files | Patch % | Lines |
|---|---|---|
| internal/resolution/datasource/maven_registry.go | 58.00% | 15 Missing and 6 partials :warning: |

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main    #1160      +/-   ##
==========================================
+ Coverage   65.86%   65.87%   +0.01%
==========================================
  Files         168      168
  Lines       14076    14116      +40
==========================================
+ Hits         9271     9299      +28
- Misses       4293     4301       +8
- Partials      512      516       +4
```


ifuatgucluer commented 2 months ago

good job
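
The two-step lookup from the PR description, as an added example in Go (not osv-scanner's own code): it parses a constructed version-level `maven-metadata.xml`, takes the timestamped value listed for the `pom` extension, and builds the POM URL from it. The function name, registry URL and coordinates are assumptions, and the check on the registry-supplied value is an addition of this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample of <artifact>/<version>/maven-metadata.xml for 1.0-SNAPSHOT.
const sampleMetadata = `<metadata>
  <versioning><snapshotVersions>
    <snapshotVersion><extension>jar</extension><value>1.0-20240102.030405-7</value></snapshotVersion>
    <snapshotVersion><extension>pom</extension><value>1.0-20240102.030405-7</value></snapshotVersion>
  </snapshotVersions></versioning>
</metadata>`

type metadata struct {
	SnapshotVersions []struct {
		Classifier string `xml:"classifier"`
		Extension  string `xml:"extension"`
		Value      string `xml:"value"`
	} `xml:"versioning>snapshotVersions>snapshotVersion"`
}

// snapshotPOMURL (hypothetical helper) returns the POM URL for a -SNAPSHOT
// version, using the exact value the registry lists for the "pom" extension.
func snapshotPOMURL(registry, group, artifact, version string, meta []byte) (string, error) {
	var m metadata
	if err := xml.Unmarshal(meta, &m); err != nil {
		return "", err
	}
	base := strings.TrimSuffix(version, "SNAPSHOT") // "1.0-SNAPSHOT" -> "1.0-"
	for _, sv := range m.SnapshotVersions {
		if sv.Extension != "pom" || sv.Classifier != "" {
			continue
		}
		// The value is registry-controlled: accept it only if it belongs to
		// this version and cannot alter the request path or query.
		if !strings.HasPrefix(sv.Value, base) || strings.ContainsAny(sv.Value, "/\\?#%") {
			return "", fmt.Errorf("unexpected snapshot value %q", sv.Value)
		}
		return url.JoinPath(registry, strings.ReplaceAll(group, ".", "/"), artifact, version, artifact+"-"+sv.Value+".pom")
	}
	return "", fmt.Errorf("no pom snapshotVersion for %s:%s:%s", group, artifact, version)
}

func main() {
	fmt.Println(snapshotPOMURL("https://repo.example.test/maven2", "org.example", "demo", "1.0-SNAPSHOT", []byte(sampleMetadata)))
}
```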