
feat: add Java/Maven resolver with maven attestor support#13

Open
Sandipmandal25 wants to merge 1 commit intoSBOMit:masterfrom
Sandipmandal25:feat/java-maven-resolver

Conversation


@Sandipmandal25 Sandipmandal25 commented Apr 2, 2026

Description

Adds a Java/Maven resolver that supports package resolution from two complementary sources:

  1. File-path resolver
    Maps local Maven and Gradle cache paths (e.g. ~/.m2/repository, ~/.gradle/caches) to
    pkg:maven/{groupId}/{artifactId}@{version} PURLs.

  2. Maven attestor extractor
    Extracts structured dependencies from the Witness Maven attestor.
    This is required on macOS where syscall-based file tracing is not available.

Fixes #16

Changes Made

  • pkg/resolver/java.go
    Implements JavaResolver for Maven local repository and Gradle cache layouts

  • pkg/resolver/java_test.go
    Adds 12 table-driven unit tests

  • pkg/resolver/resolver.go
    Registers NewJavaResolver() in the resolver chain

  • pkg/generator/generator.go
    • Adds extractMavenAttestorPackages for parsing attestor dependencies
    • Adds mergeNewPackages to deduplicate against file-path results

  • cmd/generate.go
    Enables maven in default --types

  • test/java-sample-attestation.json
    Sample attestation for manual testing

Testing

Unit tests

go test ./pkg/resolver/... -run TestJava -v

End-to-end (Witness → SBOM → Trivy scan)

witness run -k /tmp/test-key.pem -s maven-build -a maven -o /tmp/java-attestation.json -- mvn dependency:resolve

go run . generate /tmp/java-attestation.json --format cdx15 -o /tmp/java-sbom.cdx.json

trivy sbom /tmp/java-sbom.cdx.json

Results

  • Trivy successfully detected:

    • CVE-2020-15250 (MEDIUM) in junit:junit@4.11
    • Fixed in 4.13.1
[screenshot] Witness maven attestor capturing junit:junit:4.11 and hamcrest-core:1.3 during mvn dependency:resolve

[screenshot] sbomit parsing 4 attestations (including maven=1) and writing CycloneDX SBOM

[screenshot] Generated SPDX output showing correct pkg:maven/org.springframework/spring-core@6.1.0 PURL format


Signed-off-by: Sandipmandal25 <sandipmandal02.sm@gmail.com>
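The file-path mapping the PR describes (cache path in, pkg:maven PURL out) is the part worth seeing in code. The following is an added example written for this page, not the PR's pkg/resolver/java.go or any other SBOMit code. It assumes only the standard cache layouts: Maven's ~/.m2/repository/<group as directories>/<artifact>/<version>/<file> and Gradle's ~/.gradle/caches/modules-2/files-2.1/<group>/<artifact>/<version>/<sha1>/<file>. Every sample path below, including the Gradle SHA-1 directory name, is constructed. It also shows the two checks a resolver needs that a naive split would miss: skipping repository metadata files such as _remote.repositories and .sha1 sidecars, and collapsing the .jar and .pom of one artifact into a single PURL.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Package is a Maven coordinate recovered from a cache path.
type Package struct {
	GroupID    string
	ArtifactID string
	Version    string
}

// PURL renders the coordinate as pkg:maven/{groupId}/{artifactId}@{version}.
func (p Package) PURL() string {
	return fmt.Sprintf("pkg:maven/%s/%s@%s", p.GroupID, p.ArtifactID, p.Version)
}

// isArtifactFile reports whether the file name is a build artifact rather than
// cache metadata (_remote.repositories, *.sha1, *.lastUpdated and similar).
func isArtifactFile(name string) bool {
	switch strings.ToLower(filepath.Ext(name)) {
	case ".jar", ".pom", ".war", ".aar", ".ear":
		return true
	}
	return false
}

// resolveMavenLocalRepo handles the ~/.m2/repository layout, where the groupId is
// spread over one or more directories and the artifact and version follow it.
func resolveMavenLocalRepo(path string) (Package, bool) {
	const marker = "/.m2/repository/"
	idx := strings.Index(path, marker)
	if idx < 0 {
		return Package{}, false
	}
	parts := strings.Split(path[idx+len(marker):], "/")
	n := len(parts)
	// Minimum shape: <group>/<artifact>/<version>/<file>.
	if n < 4 || !isArtifactFile(parts[n-1]) {
		return Package{}, false
	}
	artifact, version := parts[n-3], parts[n-2]
	// Artifact files are named "<artifactId>-<version>[-classifier].<ext>";
	// reject anything else so a stray file in the tree cannot mint a PURL.
	if !strings.HasPrefix(parts[n-1], artifact+"-") {
		return Package{}, false
	}
	return Package{GroupID: strings.Join(parts[:n-3], "."), ArtifactID: artifact, Version: version}, true
}

// resolveGradleCache handles modules-2/files-2.1, where Gradle keeps the dotted
// groupId as a single directory and inserts a SHA-1 directory before the file.
func resolveGradleCache(path string) (Package, bool) {
	const marker = "/.gradle/caches/modules-2/files-2.1/"
	idx := strings.Index(path, marker)
	if idx < 0 {
		return Package{}, false
	}
	parts := strings.Split(path[idx+len(marker):], "/")
	// Exact shape: <group>/<artifact>/<version>/<sha1>/<file>.
	if len(parts) != 5 || !isArtifactFile(parts[4]) {
		return Package{}, false
	}
	return Package{GroupID: parts[0], ArtifactID: parts[1], Version: parts[2]}, true
}

// ResolveJavaPath tries each supported cache layout in turn.
func ResolveJavaPath(path string) (Package, bool) {
	path = filepath.ToSlash(path) // normalise separators when running on Windows
	if p, ok := resolveMavenLocalRepo(path); ok {
		return p, true
	}
	return resolveGradleCache(path)
}

// ResolvePaths maps observed file paths to PURLs, dropping unresolvable paths
// and de-duplicating (a .jar and its .pom yield one package), order preserved.
func ResolvePaths(paths []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, p := range paths {
		pkg, ok := ResolveJavaPath(p)
		if !ok || seen[pkg.PURL()] {
			continue
		}
		seen[pkg.PURL()] = true
		out = append(out, pkg.PURL())
	}
	return out
}

// SamplePaths are constructed inputs of the kind a file-tracing attestor records.
var SamplePaths = []string{
	"/home/ci/.m2/repository/org/springframework/spring-core/6.1.0/spring-core-6.1.0.jar",
	"/home/ci/.m2/repository/org/springframework/spring-core/6.1.0/spring-core-6.1.0.pom",
	"/home/ci/.m2/repository/org/springframework/spring-core/6.1.0/_remote.repositories",
	"/home/ci/.m2/repository/junit/junit/4.11/junit-4.11.jar",
	"/home/ci/.gradle/caches/modules-2/files-2.1/org.hamcrest/hamcrest-core/1.3/0123456789abcdef0123456789abcdef01234567/hamcrest-core-1.3.jar",
	"/home/ci/project/target/classes/App.class",
}

func main() {
	for _, purl := range ResolvePaths(SamplePaths) {
		fmt.Println(purl)
	}
}
```

Running the example prints three PURLs from six paths: spring-core once (jar and pom collapsed, metadata file skipped), junit once, and hamcrest-core from the Gradle layout; the compiled class under target/ resolves to nothing.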