chore: cherry-pick fixes to v1 (#1459)

This PR cherry-pick two fixes to v1:
 - #1436
 - #1456

---------

Co-authored-by: Michael Kedar <[email protected]>

Author: cuixq

cmd/osv-scanner/fix/noninteractive.go

@@ -13,6 +13,7 @@ import (
 	"github.com/google/osv-scanner/internal/remediation"
 	"github.com/google/osv-scanner/internal/resolution"
 	"github.com/google/osv-scanner/internal/resolution/client"
+	"github.com/google/osv-scanner/internal/resolution/datasource"
 	lf "github.com/google/osv-scanner/internal/resolution/lockfile"
 	"github.com/google/osv-scanner/internal/resolution/manifest"
 	"github.com/google/osv-scanner/pkg/lockfile"
@@ -304,7 +305,12 @@ func autoOverride(ctx context.Context, r reporter.Reporter, opts osvFixOptions,
 		if ok {
 			registries := make([]client.Registry, len(specific.Repositories))
 			for i, repo := range specific.Repositories {
-				registries[i] = client.Registry{URL: string(repo.URL)}
+				registries[i] = datasource.MavenRegistry{
+					URL:              string(repo.URL),
+					ID:               string(repo.ID),
+					ReleasesEnabled:  repo.Releases.Enabled.Boolean(),
+					SnapshotsEnabled: repo.Snapshots.Enabled.Boolean(),
+				}
 			}
 			if err := opts.Client.DependencyClient.AddRegistries(registries); err != nil {
 				return err

go.mod

@@ -1,12 +1,12 @@
 module github.com/google/osv-scanner
 
-go 1.22.7
+go 1.23
 
 require (
-	deps.dev/api/v3 v3.0.0-20241114233204-66e2aed8456e
-	deps.dev/util/maven v0.0.0-20241114233204-66e2aed8456e
-	deps.dev/util/resolve v0.0.0-20241114233204-66e2aed8456e
-	deps.dev/util/semver v0.0.0-20241114233204-66e2aed8456e
+	deps.dev/api/v3 v3.0.0-20241010035105-b3ba03369df1
+	deps.dev/util/maven v0.0.0-20241218032130-b9621a417c93
+	deps.dev/util/resolve v0.0.0-20241218032130-b9621a417c93
+	deps.dev/util/semver v0.0.0-20241010035105-b3ba03369df1
 	github.com/BurntSushi/toml v1.4.0
 	github.com/CycloneDX/cyclonedx-go v0.9.1
 	github.com/charmbracelet/bubbles v0.20.0
@@ -36,7 +36,7 @@ require (
 	golang.org/x/sync v0.9.0
 	golang.org/x/term v0.26.0
 	golang.org/x/vuln v1.0.4
-	google.golang.org/grpc v1.68.0
+	google.golang.org/grpc v1.69.0
 	google.golang.org/protobuf v1.35.2
 	gopkg.in/ini.v1 v1.67.0
 	gopkg.in/yaml.v3 v3.0.1
@@ -103,7 +103,7 @@ require (
 	golang.org/x/sys v0.27.0 // indirect
 	golang.org/x/text v0.20.0 // indirect
 	golang.org/x/tools v0.27.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )

go.sum

@@ -1,13 +1,17 @@
 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
-deps.dev/api/v3 v3.0.0-20241114233204-66e2aed8456e h1:BMnLPyddIsU4t+dWdyCzuGLPyX2Z2NlZiPERck26504=
-deps.dev/api/v3 v3.0.0-20241114233204-66e2aed8456e/go.mod h1:DyBY3wNVqRCwvb4tLvz6LL/FupH3FMflEROyQAv2Vi0=
-deps.dev/util/maven v0.0.0-20241114233204-66e2aed8456e h1:reRzBTKgHdQX8nLxuJVB0OEiwrJMxuwJ7b9Ryeug7NQ=
-deps.dev/util/maven v0.0.0-20241114233204-66e2aed8456e/go.mod h1:SBW3EribdkZYk6zxi5oVn/ZECvi4ixb7EGgEWfSimNk=
-deps.dev/util/resolve v0.0.0-20241114233204-66e2aed8456e h1:EuDbMM7J7T/8M+dlTZa4qzB/BBIRh1naqhnwKj893Ek=
-deps.dev/util/resolve v0.0.0-20241114233204-66e2aed8456e/go.mod h1:XXi6yRYqhtxw5DvGX/mbG6fHSLn8OgoPowNd8EAxDgk=
-deps.dev/util/semver v0.0.0-20241114233204-66e2aed8456e h1:aKkV/WSPvyJRwhVGv4kxaOZFUFdpDXvVse1ItUZyOjw=
-deps.dev/util/semver v0.0.0-20241114233204-66e2aed8456e/go.mod h1:jkcH+k02gWHBiZ7G4OnUOkSZ6WDq54Pt5DrOA8FN8Uo=
+deps.dev/api/v3 v3.0.0-20241010035105-b3ba03369df1 h1:qvrLinmQrkOLmguTE9FpRfC/e2iud/eVMWigXXTdrdA=
+deps.dev/api/v3 v3.0.0-20241010035105-b3ba03369df1/go.mod h1:DyBY3wNVqRCwvb4tLvz6LL/FupH3FMflEROyQAv2Vi0=
+deps.dev/util/maven v0.0.0-20241218001045-3890182485f3 h1:2Zjbnw7OgDGr3vM7Epwxgv2cMyeBps4X9AHF1SD82ao=
+deps.dev/util/maven v0.0.0-20241218001045-3890182485f3/go.mod h1:SBW3EribdkZYk6zxi5oVn/ZECvi4ixb7EGgEWfSimNk=
+deps.dev/util/maven v0.0.0-20241218032130-b9621a417c93 h1:D+SVetQOkGNkoLmv+YCKqRswjk9FVnoFLu5dfpNsgfY=
+deps.dev/util/maven v0.0.0-20241218032130-b9621a417c93/go.mod h1:gUgWDjJO1XcAzxnS2lqzG3oy74zuKIAQpHwFow7Amb0=
+deps.dev/util/resolve v0.0.0-20241010035105-b3ba03369df1 h1:nHefSxxfjdmo+zn/8fEcfSUkTXi+LKnBNvul21ZI9qw=
+deps.dev/util/resolve v0.0.0-20241010035105-b3ba03369df1/go.mod h1:XXi6yRYqhtxw5DvGX/mbG6fHSLn8OgoPowNd8EAxDgk=
+deps.dev/util/resolve v0.0.0-20241218032130-b9621a417c93 h1:Sshi1EnW++rslYSVyWRnYyRMMFYwCYw7s4uSySLxI9A=
+deps.dev/util/resolve v0.0.0-20241218032130-b9621a417c93/go.mod h1:6AvyUZc8710/zuSpCSs0ugtxP1fR+yUOaqjQvXYR8M4=
+deps.dev/util/semver v0.0.0-20241010035105-b3ba03369df1 h1:t4P0dCCNIrV84B5d7kOIAzji+HrO303Nrw9BB4ktBy0=
+deps.dev/util/semver v0.0.0-20241010035105-b3ba03369df1/go.mod h1:jkcH+k02gWHBiZ7G4OnUOkSZ6WDq54Pt5DrOA8FN8Uo=
 github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
 github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/CycloneDX/cyclonedx-go v0.9.1 h1:yffaWOZsv77oTJa/SdVZYdgAgFioCeycBUKkqS2qzQM=
@@ -324,10 +328,16 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 h1:T6rh4haD3GVYsgEfWExoCZA2o2FmbNyKpTuAxbEFPTg=
 google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:wp2WsuBYj6j8wUdo3ToZsdxxixbvQNAHqVJrTgi5E5M=
+google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 h1:fVoAXEKA4+yufmbdVYv+SE73+cPZbbbe8paLsHfkK+U=
+google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53/go.mod h1:riSXTwQ4+nqmPGtobMFyW5FqVAmIs0St6VPp4Ug7CE4=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 h1:QCqS/PdaHTSWGvupk2F/ehwHtGc0/GYkT+3GAcR1CCc=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 h1:X58yt85/IXCx0Y3ZwN6sEIKZzQtDEYaBWrDvErdXrRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
 google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0=
 google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA=
+google.golang.org/grpc v1.69.0 h1:quSiOM1GJPmPH5XtU+BCoVXcDVJJAzNcoyfC2cCjGkI=
+google.golang.org/grpc v1.69.0/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
 google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io=
 google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

internal/manifest/maven.go

@@ -38,7 +38,12 @@ func (e MavenResolverExtractor) Extract(f lockfile.DepFile) ([]lockfile.PackageD
 		return nil, fmt.Errorf("failed to merge profiles: %w", err)
 	}
 	for _, repo := range project.Repositories {
-		if err := e.MavenRegistryAPIClient.AddRegistry(string(repo.URL)); err != nil {
+		if err := e.MavenRegistryAPIClient.AddRegistry(datasource.MavenRegistry{
+			URL:              string(repo.URL),
+			ID:               string(repo.ID),
+			ReleasesEnabled:  repo.Releases.Enabled.Boolean(),
+			SnapshotsEnabled: repo.Snapshots.Enabled.Boolean(),
+		}); err != nil {
 			return nil, fmt.Errorf("failed to add registry %s: %w", repo.URL, err)
 		}
 	}
@@ -57,7 +62,7 @@ func (e MavenResolverExtractor) Extract(f lockfile.DepFile) ([]lockfile.PackageD
 	if registries := e.MavenRegistryAPIClient.GetRegistries(); len(registries) > 0 {
 		clientRegs := make([]client.Registry, len(registries))
 		for i, reg := range registries {
-			clientRegs[i] = client.Registry{URL: reg}
+			clientRegs[i] = reg
 		}
 		if err := e.DependencyClient.AddRegistries(clientRegs); err != nil {
 			return nil, err

internal/manifest/maven_test.go

@@ -259,7 +259,7 @@ func TestParseMavenWithResolver_WithParent(t *testing.T) {
 	`))
 
 	resolutionClient := clienttest.NewMockResolutionClient(t, "fixtures/universe/basic-universe.yaml")
-	client, _ := datasource.NewMavenRegistryAPIClient(srv.URL)
+	client, _ := datasource.NewMavenRegistryAPIClient(datasource.MavenRegistry{URL: srv.URL, ReleasesEnabled: true})
 	packages, err := manifest.ParseMavenWithResolver(resolutionClient, client, "fixtures/maven/with-parent.xml")
 	if err != nil {
 		t.Errorf("Got unexpected error: %v", err)

internal/resolution/client/client.go

@@ -6,6 +6,7 @@ import (
 
 	pb "deps.dev/api/v3"
 	"deps.dev/util/resolve"
+	"deps.dev/util/resolve/dep"
 	"github.com/google/osv-scanner/internal/depsdev"
 	"github.com/google/osv-scanner/pkg/models"
 	"github.com/google/osv-scanner/pkg/osv"
@@ -34,9 +35,7 @@ type DependencyClient interface {
 	AddRegistries(registries []Registry) error
 }
 
-type Registry struct {
-	URL string
-}
+type Registry interface{}
 
 // PreFetch loads cache, then makes and caches likely queries needed for resolving a package with a list of requirements
 func PreFetch(ctx context.Context, c DependencyClient, requirements []resolve.RequirementVersion, manifestPath string) {
@@ -62,6 +61,10 @@ func PreFetch(ctx context.Context, c DependencyClient, requirements []resolve.Re
 
 	// Use the deps.dev client to fetch complete dependency graphs of our direct imports
 	for _, im := range requirements {
+		// There are potentially a huge number of management/import dependencies.
+		if im.Type.HasAttr(dep.MavenDependencyOrigin) {
+			continue
+		}
 		// Get the preferred version of the import requirement
 		vks, err := c.MatchingVersions(ctx, im.VersionKey)
 		if err != nil || len(vks) == 0 {
@@ -108,21 +111,6 @@ func PreFetch(ctx context.Context, c DependencyClient, requirements []resolve.Re
 			go c.Version(ctx, vk)             //nolint:errcheck
 			go c.Versions(ctx, vk.PackageKey) //nolint:errcheck
 		}
-
-		for _, edge := range resp.GetEdges() {
-			req := edge.GetRequirement()
-			pbvk := nodes[edge.GetToNode()].GetVersionKey()
-			vk := resolve.VersionKey{
-				PackageKey: resolve.PackageKey{
-					System: resolve.System(pbvk.GetSystem()),
-					Name:   pbvk.GetName(),
-				},
-				Version:     req,
-				VersionType: resolve.Requirement,
-			}
-			go c.MatchingVersions(ctx, vk) //nolint:errcheck
-		}
 	}
-
 	// don't bother waiting for goroutines to finish.
 }

internal/resolution/client/maven_registry_client.go

@@ -3,6 +3,7 @@ package client
 import (
 	"context"
 	"encoding/gob"
+	"errors"
 	"fmt"
 	"os"
 	"strings"
@@ -21,7 +22,7 @@ type MavenRegistryClient struct {
 }
 
 func NewMavenRegistryClient(registry string) (*MavenRegistryClient, error) {
-	client, err := datasource.NewMavenRegistryAPIClient(registry)
+	client, err := datasource.NewMavenRegistryAPIClient(datasource.MavenRegistry{URL: registry, ReleasesEnabled: true})
 	if err != nil {
 		return nil, err
 	}
@@ -147,7 +148,11 @@ func (c *MavenRegistryClient) MatchingVersions(ctx context.Context, vk resolve.V
 
 func (c *MavenRegistryClient) AddRegistries(registries []Registry) error {
 	for _, reg := range registries {
-		if err := c.api.AddRegistry(reg.URL); err != nil {
+		specific, ok := reg.(datasource.MavenRegistry)
+		if !ok {
+			return errors.New("invalid Maven registry information")
+		}
+		if err := c.api.AddRegistry(specific); err != nil {
 			return err
 		}
 	}

internal/resolution/datasource/maven_registry.go

@@ -23,9 +23,8 @@ const MavenCentral = "https://repo.maven.apache.org/maven2"
 var errAPIFailed = errors.New("API query failed")
 
 type MavenRegistryAPIClient struct {
-	defaultRegistry string // Base URL of the default registry that we are making requests
-	// TODO: disable fetching snapshot if specified in pom.xml
-	registries []string // URLs of the registries to fetch projects
+	defaultRegistry MavenRegistry   // The default registry that we are making requests
+	registries      []MavenRegistry // Additional registries specified to fetch projects
 
 	// Cache fields
 	mu             *sync.Mutex
@@ -34,14 +33,29 @@ type MavenRegistryAPIClient struct {
 	metadata       *RequestCache[string, maven.Metadata]
 }
 
-func NewMavenRegistryAPIClient(registry string) (*MavenRegistryAPIClient, error) {
-	if registry == "" {
-		registry = MavenCentral
-	} else if _, err := url.Parse(registry); err != nil {
-		return nil, fmt.Errorf("invalid Maven registry %s: %w", registry, err)
+type MavenRegistry struct {
+	URL    string
+	Parsed *url.URL
+
+	// Information from pom.xml
+	ID               string
+	ReleasesEnabled  bool
+	SnapshotsEnabled bool
+}
+
+func NewMavenRegistryAPIClient(registry MavenRegistry) (*MavenRegistryAPIClient, error) {
+	if registry.URL == "" {
+		registry.URL = MavenCentral
+		registry.ID = "central"
+	}
+	u, err := url.Parse(registry.URL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid Maven registry %s: %w", registry.URL, err)
 	}
+	registry.Parsed = u
 
 	return &MavenRegistryAPIClient{
+		// We assume only downloading releases is allowed on the default registry.
 		defaultRegistry: registry,
 		mu:              &sync.Mutex{},
 		projects:        NewRequestCache[string, maven.Project](),
@@ -60,21 +74,26 @@ func (m *MavenRegistryAPIClient) WithoutRegistries() *MavenRegistryAPIClient {
 	}
 }
 
-// Add adds the given registry to the list of registries if it has not been added.
-func (m *MavenRegistryAPIClient) AddRegistry(registry string) error {
-	if slices.Contains(m.registries, registry) {
-		return nil
+// AddRegistry adds the given registry to the list of registries if it has not been added.
+func (m *MavenRegistryAPIClient) AddRegistry(registry MavenRegistry) error {
+	for _, reg := range m.registries {
+		if reg.ID == registry.ID {
+			return nil
+		}
 	}
 
-	if _, err := url.Parse(registry); err != nil {
+	u, err := url.Parse(registry.URL)
+	if err != nil {
 		return err
 	}
+
+	registry.Parsed = u
 	m.registries = append(m.registries, registry)
 
 	return nil
 }
 
-func (m *MavenRegistryAPIClient) GetRegistries() []string {
+func (m *MavenRegistryAPIClient) GetRegistries() (registries []MavenRegistry) {
 	return m.registries
 }
 
@@ -86,7 +105,10 @@ func (m *MavenRegistryAPIClient) GetRegistries() []string {
 func (m *MavenRegistryAPIClient) GetProject(ctx context.Context, groupID, artifactID, version string) (maven.Project, error) {
 	if !strings.HasSuffix(version, "-SNAPSHOT") {
 		for _, registry := range append(m.registries, m.defaultRegistry) {
-			project, err := m.getProject(ctx, registry, groupID, artifactID, version, "")
+			if !registry.ReleasesEnabled {
+				continue
+			}
+			project, err := m.getProject(ctx, registry.Parsed, groupID, artifactID, version, "")
 			if err == nil {
 				return project, nil
 			}
@@ -96,8 +118,11 @@ func (m *MavenRegistryAPIClient) GetProject(ctx context.Context, groupID, artifa
 	}
 
 	for _, registry := range append(m.registries, m.defaultRegistry) {
-		// Fetch version metadata for snapshot versions.
-		metadata, err := m.getVersionMetadata(ctx, registry, groupID, artifactID, version)
+		// Fetch version metadata for snapshot versions from the registries enabling that.
+		if !registry.SnapshotsEnabled {
+			continue
+		}
+		metadata, err := m.getVersionMetadata(ctx, registry.Parsed, groupID, artifactID, version)
 		if err != nil {
 			continue
 		}
@@ -111,7 +136,7 @@ func (m *MavenRegistryAPIClient) GetProject(ctx context.Context, groupID, artifa
 			}
 		}
 
-		project, err := m.getProject(ctx, registry, groupID, artifactID, version, snapshot)
+		project, err := m.getProject(ctx, registry.Parsed, groupID, artifactID, version, snapshot)
 		if err == nil {
 			return project, nil
 		}
@@ -125,7 +150,7 @@ func (m *MavenRegistryAPIClient) GetProject(ctx context.Context, groupID, artifa
 func (m *MavenRegistryAPIClient) GetVersions(ctx context.Context, groupID, artifactID string) ([]maven.String, error) {
 	var versions []maven.String
 	for _, registry := range append(m.registries, m.defaultRegistry) {
-		metadata, err := m.getArtifactMetadata(ctx, registry, groupID, artifactID)
+		metadata, err := m.getArtifactMetadata(ctx, registry.Parsed, groupID, artifactID)
 		if err != nil {
 			continue
 		}
@@ -138,14 +163,11 @@ func (m *MavenRegistryAPIClient) GetVersions(ctx context.Context, groupID, artif
 
 // getProject fetches a pom.xml specified by groupID, artifactID and version and parses it to maven.Project.
 // For snapshot versions, the exact version value is specified by snapshot.
-func (m *MavenRegistryAPIClient) getProject(ctx context.Context, registry, groupID, artifactID, version, snapshot string) (maven.Project, error) {
+func (m *MavenRegistryAPIClient) getProject(ctx context.Context, registry *url.URL, groupID, artifactID, version, snapshot string) (maven.Project, error) {
 	if snapshot == "" {
 		snapshot = version
 	}
-	u, err := url.JoinPath(registry, strings.ReplaceAll(groupID, ".", "/"), artifactID, version, fmt.Sprintf("%s-%s.pom", artifactID, snapshot))
-	if err != nil {
-		return maven.Project{}, fmt.Errorf("failed to join path: %w", err)
-	}
+	u := registry.JoinPath(strings.ReplaceAll(groupID, ".", "/"), artifactID, version, fmt.Sprintf("%s-%s.pom", artifactID, snapshot)).String()
 
 	return m.projects.Get(u, func() (maven.Project, error) {
 		var proj maven.Project
@@ -158,11 +180,8 @@ func (m *MavenRegistryAPIClient) getProject(ctx context.Context, registry, group
 }
 
 // getVersionMetadata fetches a version level maven-metadata.xml and parses it to maven.Metadata.
-func (m *MavenRegistryAPIClient) getVersionMetadata(ctx context.Context, registry, groupID, artifactID, version string) (maven.Metadata, error) {
-	u, err := url.JoinPath(registry, strings.ReplaceAll(groupID, ".", "/"), artifactID, version, "maven-metadata.xml")
-	if err != nil {
-		return maven.Metadata{}, fmt.Errorf("failed to join path: %w", err)
-	}
+func (m *MavenRegistryAPIClient) getVersionMetadata(ctx context.Context, registry *url.URL, groupID, artifactID, version string) (maven.Metadata, error) {
+	u := registry.JoinPath(strings.ReplaceAll(groupID, ".", "/"), artifactID, version, "maven-metadata.xml").String()
 
 	return m.metadata.Get(u, func() (maven.Metadata, error) {
 		var metadata maven.Metadata
@@ -175,11 +194,8 @@ func (m *MavenRegistryAPIClient) getVersionMetadata(ctx context.Context, registr
 }
 
 // GetArtifactMetadata fetches an artifact level maven-metadata.xml and parses it to maven.Metadata.
-func (m *MavenRegistryAPIClient) getArtifactMetadata(ctx context.Context, registry, groupID, artifactID string) (maven.Metadata, error) {
-	u, err := url.JoinPath(registry, strings.ReplaceAll(groupID, ".", "/"), artifactID, "maven-metadata.xml")
-	if err != nil {
-		return maven.Metadata{}, fmt.Errorf("failed to join path: %w", err)
-	}
+func (m *MavenRegistryAPIClient) getArtifactMetadata(ctx context.Context, registry *url.URL, groupID, artifactID string) (maven.Metadata, error) {
+	u := registry.JoinPath(strings.ReplaceAll(groupID, ".", "/"), artifactID, "maven-metadata.xml").String()
 
 	return m.metadata.Get(u, func() (maven.Metadata, error) {
 		var metadata maven.Metadata