Support environment variables in Maven settings.xml

[candrews]

Description

Trivy's maven settings.xml parser currently does not support environment variable interpolation.

As documented at https://maven.apache.org/settings.html

The contents of settings.xml can be interpolated using the following expressions:
${user.home} and all other system properties
${env.HOME} etc. for environment variables

For example, when given this settings.xml:

<settings>
    <servers>
        <server>
            <id>my-server</id>
            <username>${env.USERNAME}</username>
            <password>${env.PASSWORD}</password>
        </server>
    </servers>
</settings>

Currently, Trivy uses the username env.USERNAME when it should use whatever the value of the environment variable USERNAME is.

I believe https://github.com/aquasecurity/trivy/blob/v0.53.0/pkg/dependency/parser/java/pom/settings.go is where the change would be made.

Target

Filesystem

Scanner

None