identify jar files by file names only for GAV from required version #5627

Closed
DmitriyLewen opened this issue Nov 22, 2023 · 0 comments · Fixed by #5630
Labels
scan/vulnerability Issues relating to vulnerability scanning

DmitriyLewen commented Nov 22, 2023

Description

When we determine a jar package by file name (

trivy/pkg/javadb/client.go

Lines 145 to 176 in ad977a4

```go
func (d *DB) SearchByArtifactID(artifactID string) (string, error) {
	indexes, err := d.driver.SelectIndexesByArtifactIDAndFileType(artifactID, types.JarType)
	if err != nil {
		return "", xerrors.Errorf("select error: %w", err)
	} else if len(indexes) == 0 {
		return "", xerrors.Errorf("artifactID %s: %w", artifactID, jar.ArtifactNotFoundErr)
	}
	sort.Slice(indexes, func(i, j int) bool {
		return indexes[i].GroupID < indexes[j].GroupID
	})
	// Some artifacts might have the same artifactId.
	// e.g. "javax.servlet:jstl" and "jstl:jstl"
	groupIDs := make(map[string]int)
	for _, index := range indexes {
		if i, ok := groupIDs[index.GroupID]; ok {
			groupIDs[index.GroupID] = i + 1
			continue
		}
		groupIDs[index.GroupID] = 1
	}
	maxCount := 0
	var groupID string
	for k, v := range groupIDs {
		if v > maxCount {
			maxCount = v
			groupID = k
		}
	}
	return groupID, nil
}
```

) we check only the number of indexes.
But we should also check that the required version (the version from the file name) exists.

Discussion about this case - #5577

Example:
there is an elasticsearch-7.10.2.jar file built from source (the sha1 of the file != the sha1 in trivy-java-db).
So we try to find the GroupID by ArtifactID.
Trivy currently takes the GroupID with the maximum number of versions:

```
POM was determined in a heuristic way	{"file": "elasticsearch-7.10.2.jar", "artifact": "software.amazon.awssdk:elasticsearch:7.10.2"}
```

But software.amazon.awssdk:elasticsearch doesn't have a 7.10.2 version - https://mvnrepository.com/artifact/software.amazon.awssdk/elasticsearch
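The following is an added example, not Trivy's code and not the fix in #5630: it shows the check the issue asks for, namely only considering a GroupID that actually publishes the version parsed from the file name, instead of picking the group with the most index rows. The `Index` type, the `resolveGAV` function and the version lists in `sampleIndexes` are constructed for this example (the real index type lives in trivy-java-db); returning an error when no group has the required version is one possible design choice, not the project's.

```go
package main

import (
	"errors"
	"fmt"
)

// Index holds the fields of a trivy-java-db index row used here.
// Constructed for this example; the real type lives in trivy-java-db.
type Index struct {
	GroupID    string
	ArtifactID string
	Version    string
}

var (
	ErrArtifactNotFound = errors.New("artifact not found")
	ErrVersionNotFound  = errors.New("required version not found for any group")
)

// resolveGAV picks group:artifact:version for a jar identified only by its
// file name. Unlike a bare "most index rows wins" choice, it only considers
// groups that actually publish requiredVersion (the version parsed from the
// file name), then breaks ties by row count and finally by group name so the
// result does not depend on map iteration order.
func resolveGAV(indexes []Index, artifactID, requiredVersion string) (string, error) {
	counts := make(map[string]int)     // rows per GroupID for this artifactID
	hasVersion := make(map[string]bool) // GroupIDs that publish requiredVersion
	for _, idx := range indexes {
		if idx.ArtifactID != artifactID {
			continue
		}
		counts[idx.GroupID]++
		if idx.Version == requiredVersion {
			hasVersion[idx.GroupID] = true
		}
	}
	if len(counts) == 0 {
		return "", fmt.Errorf("artifactID %s: %w", artifactID, ErrArtifactNotFound)
	}
	best, bestCount := "", 0
	for g := range hasVersion {
		c := counts[g]
		if c > bestCount || (c == bestCount && g < best) {
			best, bestCount = g, c
		}
	}
	if best == "" {
		// The file-name version exists in no candidate group: refuse to guess,
		// because a wrong GAV silently produces wrong vulnerability matches.
		return "", fmt.Errorf("%s@%s: %w", artifactID, requiredVersion, ErrVersionNotFound)
	}
	return best + ":" + artifactID + ":" + requiredVersion, nil
}

// sampleIndexes is constructed data shaped like the issue's example: the
// awssdk group has more rows, but only org.elasticsearch publishes 7.10.2.
// Version strings here are illustrative, not copied from the real database.
func sampleIndexes() []Index {
	return []Index{
		{"software.amazon.awssdk", "elasticsearch", "2.17.0"},
		{"software.amazon.awssdk", "elasticsearch", "2.18.0"},
		{"software.amazon.awssdk", "elasticsearch", "2.19.0"},
		{"org.elasticsearch", "elasticsearch", "7.10.1"},
		{"org.elasticsearch", "elasticsearch", "7.10.2"},
		{"jstl", "jstl", "1.2"},
	}
}

func main() {
	gav, err := resolveGAV(sampleIndexes(), "elasticsearch", "7.10.2")
	fmt.Println(gav, err) // org.elasticsearch:elasticsearch:7.10.2 <nil>
}
```

With the old count-only heuristic the sample data would select software.amazon.awssdk (three rows versus two); filtering on the required version first selects org.elasticsearch, and a version no group publishes becomes an explicit error rather than a silently wrong GAV.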
