feat(maven): improve PreFetch for Maven (#1485)

We disabled `PreFetch` in
#1466 and this caused the
resolution performance worse for deps.dev client.

To enable `PreFetch`, we need to avoid unnecessary requests of
`maven-metadata.xml` files which is a result of calling
`MatchingVersions` and `Versions`.

This PR improves the logic in `PreFetch` so that `MatchingVersions` is
only called for non-soft Maven requirements and `Versions` is called for
ecosystems other than Maven.

It used to take about 1m to resove
[pom.xml](https://github.com/google/osv-scanner/blob/main/internal/remediation/fixtures/zeppelin-server/pom.xml)
without `PreFetch` enabled and now it takes less than 20 seconds.

internal/resolution/client/client.go

@@ -7,6 +7,7 @@ import (
 	pb "deps.dev/api/v3"
 	"deps.dev/util/resolve"
 	"deps.dev/util/resolve/dep"
+	"deps.dev/util/semver"
 	"github.com/google/osv-scanner/internal/depsdev"
 	"github.com/google/osv-scanner/pkg/models"
 	"github.com/google/osv-scanner/pkg/osv"
@@ -65,21 +66,30 @@ func PreFetch(ctx context.Context, c DependencyClient, requirements []resolve.Re
 		if im.Type.HasAttr(dep.MavenDependencyOrigin) {
 			continue
 		}
-		// Get the preferred version of the import requirement
-		vks, err := c.MatchingVersions(ctx, im.VersionKey)
-		if err != nil || len(vks) == 0 {
-			continue
-		}
 
-		vk := vks[len(vks)-1]
-
-		// We prefer the exact version for soft requirements.
-		for _, v := range vks {
-			if im.Version == v.Version {
-				vk = v
-				break
+		var vk resolve.Version
+		var constraint *semver.Constraint
+		// Maven registry client may be slow calling MatchingVersions which makes requests to `maven-metadata.xml`.
+		// We can avoid this by only calling MatchingVersions for non-soft requirements.
+		if im.System == resolve.Maven {
+			if constraint, err = semver.Maven.ParseConstraint(im.Version); err != nil {
+				continue
 			}
 		}
+		if constraint != nil && constraint.IsSimple() {
+			// If the requirement is a simple version, use it as the VersionKey,
+			// so we do not need to call MatchingVersions to get available versions.
+			vk = resolve.Version{
+				VersionKey: im.VersionKey,
+			}
+		} else {
+			// Get the preferred version of the import requirement
+			vks, err := c.MatchingVersions(ctx, im.VersionKey)
+			if err != nil || len(vks) == 0 {
+				continue
+			}
+			vk = vks[len(vks)-1]
+		}
 
 		// Make a request for the precomputed dependency tree
 		resp, err := insights.GetDependencies(ctx, &pb.GetDependenciesRequest{
@@ -107,9 +117,12 @@ func PreFetch(ctx context.Context, c DependencyClient, requirements []resolve.Re
 			}
 
 			// TODO: We might want to limit the number of goroutines this creates.
-			go c.Requirements(ctx, vk)        //nolint:errcheck
-			go c.Version(ctx, vk)             //nolint:errcheck
-			go c.Versions(ctx, vk.PackageKey) //nolint:errcheck
+			go c.Requirements(ctx, vk) //nolint:errcheck
+			go c.Version(ctx, vk)      //nolint:errcheck
+			if vk.System != resolve.Maven {
+				// Avoid making requests to `maven-metadata.xml`
+				go c.Versions(ctx, vk.PackageKey) //nolint:errcheck
+			}
 		}
 	}
 	// don't bother waiting for goroutines to finish.

internal/scalibrextract/language/java/pomxmlnet/extractor.go

@@ -132,8 +132,7 @@ func (e Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) ([]
 	}
 	overrideClient.AddVersion(root, reqs)
 
-	// TODO: only run `PreFetch` for deps.dev client
-	// client.PreFetch(ctx, overrideClient, reqs, filepath.Join(input.Root, input.Path))
+	client.PreFetch(ctx, overrideClient, reqs, filepath.Join(input.Root, input.Path))
 	g, err := resolver.Resolve(ctx, root.VersionKey)
 	if err != nil {
 		return nil, fmt.Errorf("failed resolving %v: %w", root, err)