From 8d88472f7a2d42e1ca7e2e659fd01c1121559c0f Mon Sep 17 00:00:00 2001
From: Holly Gong <gongh@google.com>
Date: Tue, 17 Dec 2024 17:12:10 +1100
Subject: [PATCH] add maven support

Signed-off-by: Holly Gong <gongh@google.com>
---
 .../internal/pkgchecker/ecosystems.go         |  2 +-
 .../internal/pkgchecker/package_check.go      | 20 +++++++++++++-
 .../internal/pkgchecker/package_check_test.go | 26 +++++++++++++++++++
 3 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/tools/osv-linter/internal/pkgchecker/ecosystems.go b/tools/osv-linter/internal/pkgchecker/ecosystems.go
index 1740926..54a088a 100644
--- a/tools/osv-linter/internal/pkgchecker/ecosystems.go
+++ b/tools/osv-linter/internal/pkgchecker/ecosystems.go
@@ -66,7 +66,7 @@ func ExistsInEcosystem(pkg string, ecosystem string) bool {
 	case "Linux":
 		return true
 	case "Maven":
-		return true
+		return existsInMaven(pkg)
 	case "npm":
 		return existsInNpm(pkg)
 	case "NuGet":
diff --git a/tools/osv-linter/internal/pkgchecker/package_check.go b/tools/osv-linter/internal/pkgchecker/package_check.go
index 5d21369..4288e29 100644
--- a/tools/osv-linter/internal/pkgchecker/package_check.go
+++ b/tools/osv-linter/internal/pkgchecker/package_check.go
@@ -62,8 +62,26 @@ func existsInHackage(pkg string) bool {
 	return checkPackageExists(packageInstanceURL)
 }
 
+// Validate the existence of a package in Maven.
+func existsInMaven(pkg string) bool {
+	if !strings.Contains(pkg, ":") {
+		return false
+	}
+	group_id := strings.Split(pkg, ":")[0]
+	artifact_id := strings.Split(pkg, ":")[1]
+	packageInstanceURL := fmt.Sprintf("%s/?q=g:%s%%20AND%%20a:%s", EcosystemBaseURLs["Maven"], group_id, artifact_id)
+	fmt.Println(packageInstanceURL)
+
+	// Needs to use GET instead of HEAD for Maven
+	resp, err := faulttolerant.Get(packageInstanceURL)
+	if err != nil {
+		return false
+	}
+
+	return resp.StatusCode == http.StatusOK
+}
+
 // Validate the existence of a package in PyPI.
-// Note: for malicious packages, if the package has been removed, the verify will be fail
 func existsInPyPI(pkg string) bool {
 	packageInstanceURL := fmt.Sprintf("%s/%s/json", EcosystemBaseURLs["PyPI"], strings.ToLower(pkg))
 
diff --git a/tools/osv-linter/internal/pkgchecker/package_check_test.go b/tools/osv-linter/internal/pkgchecker/package_check_test.go
index 01fdebf..17a8b00 100644
--- a/tools/osv-linter/internal/pkgchecker/package_check_test.go
+++ b/tools/osv-linter/internal/pkgchecker/package_check_test.go
@@ -196,6 +196,32 @@ func Test_existsInHackage(t *testing.T) {
 	}
 }
 
+func Test_existsInMaven(t *testing.T) {
+	tests := []struct {
+		name string
+		pkg  string
+		want bool
+	}{
+		{
+			name: "existing package",
+			pkg:  "de.gematik.refv.commons:commons",
+			want: true,
+		},
+		{
+			name: "non-existing package",
+			pkg:  "non-existing-package",
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := existsInMaven(tt.pkg); got != tt.want {
+				t.Errorf("existsInMaven() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
 func Test_existsInPyPI(t *testing.T) {
 	tests := []struct {
 		name string