feat: add command to run repo and commit finder without analysis

[benmss]

This pull request adds a new command find-source that requires a PURL, and optionally accepts a repository path as input. If no repository path is provided, the command will call the Repo Finder and Commit Finder to find the repository and commit of the provided PURL. If a repository is provided as input, only the Commit Finder will be called.

Closes #781

[tromai]

Looking again at the implementation of this prepare_repo function, it only uses self at a few locations to run static methods:

• macaron/src/macaron/slsa_analyzer/analyzer.py

  Line 867 in 2d3a64a

  git_service = self.get_git_service(resolved_remote_path)

• macaron/src/macaron/slsa_analyzer/analyzer.py

  Line 878 in 2d3a64a

  resolved_local_path = self._resolve_local_path(self.local_repos_path, repo_path)

• macaron/src/macaron/slsa_analyzer/analyzer.py

  Line 913 in 2d3a64a

  git_service = self.get_git_service(origin_remote_url)

Do you think it would be worth while to refactor this method to another module to avoid having to silent the pylint cyclic-import error?

[tromai]

I tried to run the find-source command against a Maven PURL that doesn't have a version:

$ macaron find-source -purl pkg:maven/org.apache.maven/maven
2024-08-16 11:16:55,421 [INFO] Setting the output directory to .../output
2024-08-16 11:16:55,422 [INFO] The logs will be stored in debug.log
2024-08-16 11:16:55,424 [ERROR] Could not find repo for PURL: pkg:maven/apache/maven

I believe we don't support Maven PURL without a version now -

macaron/src/macaron/repo_finder/repo_finder_java.py

Lines 53 to 56 in 44dbf0a

	if not version:
	logger.debug("Version missing for maven artifact: %s:%s", group, artifact)
	# TODO add support for Java artifacts without a version
	return ""

However, the debug message doesn't show up if I ran it without the verbose flag. I believe we should let the user of the find-source command know about this behavior by default.

[tromai]

I also think it's great to add an integration test case for the new command too (may be we can revisit this after we settle on how to return the results to the user).

[tromai]

Thanks for making the refactoring. However, I think prepare_repo, get_git_service and get_local_repos_path can be moved to a new package within src/macaron/ (for example, prepare_repo is used both within analyzer.py and repo_finder.py).
We could name this new package something like "repo_utils" or something like that 🤔
@behnazh-w I would love to know what you think about this.