chore: add config option to disable latest PURL retrieval (#1011)

benmss · web-flow · commit 5aa13219f3a0 · 2025-03-11T14:35:55.000+10:00
Signed-off-by: Ben Selwyn-Smith &lt;benselwynsmith@googlemail.com&gt;
diff --git a/src/macaron/config/defaults.ini b/src/macaron/config/defaults.ini
@@ -59,7 +59,11 @@ use_open_source_insights = True
 redirect_urls =
     gitbox.apache.org
     git-wip-us.apache.org
+# If False, the find-source operation will use git ls-remote to find tags, instead of cloning repositories.
 find_source_should_clone = False
+# If True, the Repo Finder will try to find and use the latest version of a PURL when the provided version fails
+# to return a valid repository.
+try_latest_purl = True
 
 [repofinder.java]
 # The list of maven-like repositories to attempt to retrieve artifact POMs from.
diff --git a/src/macaron/repo_finder/repo_finder.py b/src/macaron/repo_finder/repo_finder.py
@@ -103,6 +103,9 @@ def find_repo(purl: PackageURL, check_latest_version: bool = True) -> tuple[str,
     logger.debug("Analyzing %s with Repo Finder: %s", purl, type(repo_finder))
     found_repo, outcome = repo_finder.find_repo(purl)
 
+    if check_latest_version and not defaults.getboolean("repofinder", "try_latest_purl", fallback=True):
+        check_latest_version = False
+
     if found_repo or not check_latest_version:
         return found_repo, outcome
 
diff --git a/tests/integration/cases/apache_maven_sbom/config.ini b/tests/integration/cases/apache_maven_sbom/config.ini
@@ -0,0 +1,5 @@
+# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+[repofinder]
+try_latest_purl = False
diff --git a/tests/integration/cases/apache_maven_sbom/test.yaml b/tests/integration/cases/apache_maven_sbom/test.yaml
@@ -1,4 +1,4 @@
-# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 description: |
@@ -12,6 +12,7 @@ steps:
 - name: Run macaron analyze
   kind: analyze
   options:
+    ini: config.ini
     command_args:
     - -purl
     - pkg:maven/org.apache.maven/maven@4.0.0-alpha-1-SNAPSHOT?type=pom
