chore: add config option to disable latest PURL retrieval

src/macaron/config/defaults.ini

@@ -59,7 +59,11 @@ use_open_source_insights = True
 redirect_urls =
     gitbox.apache.org
     git-wip-us.apache.org
+# If False, the find-source operation will use git ls-remote to find tags, instead of cloning repositories.
 find_source_should_clone = False
+# If True, the Repo Finder will try to find and use the latest version of a PURL when the provided version fails
+# to return a valid repository.
+try_latest_purl = True
 
 [repofinder.java]
 # The list of maven-like repositories to attempt to retrieve artifact POMs from.

src/macaron/repo_finder/repo_finder.py

@@ -103,6 +103,9 @@ def find_repo(purl: PackageURL, check_latest_version: bool = True) -> tuple[str,
     logger.debug("Analyzing %s with Repo Finder: %s", purl, type(repo_finder))
     found_repo, outcome = repo_finder.find_repo(purl)
 
+    if check_latest_version and not defaults.getboolean("repofinder", "try_latest_purl", fallback=True):
+        check_latest_version = False
+
     if found_repo or not check_latest_version:
         return found_repo, outcome
 

tests/integration/cases/apache_maven_sbom/config.ini

@@ -0,0 +1,5 @@
+# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+[repofinder]
+try_latest_purl = False

tests/integration/cases/apache_maven_sbom/test.yaml

@@ -1,4 +1,4 @@
-# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 description: |
@@ -12,6 +12,7 @@ steps:
 - name: Run macaron analyze
   kind: analyze
   options:
+    ini: config.ini
     command_args:
     - -purl
     - pkg:maven/org.apache.maven/maven@4.0.0-alpha-1-SNAPSHOT?type=pom