feat: add transitive extraction for Maven pom.xml

[cuixq]

This PR adds a new pomxmlnet extractor to first parse pom.xml then perform dependency resolution to extract both direct and transitive dependencies. Most code are migrated from OSV-Scanner but switch to use the virtual file system.

To achieve this goal, this PR also adds some internal packages:

• mavenutil: Maven utilities to help parse and resolve dependencies
• datasource: clients to talk to registries for package and version information
• resolution: clients (and tests) needed for dependency resolution

We still need to figure out how to registry this extractor to the list and only enable it with some flags.

[another-rex]

LGTM with a quick pass.

[erikvarga]

Mostly had a couple of style-related comments (consistency with rest of OSV-SCALIBR and google-internal linters), I'll defer to Rex for the functional parts of the migration from the OSV-Scanner.

[another-rex]

Added a bunch of comments, a lot of them are probably from a lack of domain knowledge about Maven, feel free to ignore the ones that don't make sense.

[another-rex]

LGTM

[G-Rath]

fyi this bumps the codebase to Go 1.23 which technically goes against the "2 latest versions" policy we're following in osv-scanner and that I proposed bring over in #383 - that was going to get landed later this month once Go 1.24 comes out

[G-Rath]

oh I just realised this PR is actually still open, but it's also in main - @cuixq was that actually intentional or has something gone wrong with copybara?

[another-rex]

We're leaving this open to see if copybara will actually close it automatically when it does garbage collection 😅 . Doesn't look like it so far...

[erikvarga]

We're leaving this open to see if copybara will actually close it automatically when it does garbage collection 😅 . Doesn't look like it so far...

Copybara might not handle commits well that we had to patch and merge ourselves. I'd say we can just close this manually.