feat: fall back to offline extractor if the transitive one fails

[cuixq]

#2077

Currently, if the extractor is enhanced but the extraction failed, no result will be returned. A better user experience is to fall back to the offline extractor so at least the direct dependencies are returned.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 55.81395% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.46%. Comparing base (9284ae6) to head (a7617a1).
⚠️ Report is 449 commits behind head on main.

Files with missing lines	Patch %	Lines
...nguage/java/pomxmlenhanceable/pomxmlenhanceable.go	45.45%	12 Missing ⚠️
.../requirementsenhancable/requirementsenhanceable.go	66.66%	5 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2079      +/-   ##
==========================================
- Coverage   67.49%   67.46%   -0.04%     
==========================================
  Files         172      172              
  Lines       16240    16273      +33     
==========================================
+ Hits        10961    10978      +17     
- Misses       4603     4618      +15     
- Partials      676      677       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cuixq]

@another-rex @G-Rath can you take a look on this PR see if this looks reasonable to you? thanks.

[G-Rath]

this looks fine, though I think it speaks to how useful it'd be to have enrichers supported 😅

[moritzschmitz-oviva]

@cuixq is it possible this introduced a bug?

Please see my question here: #2163.

In the discussion attached there is the quarkus-vertx dependency explicitly mentioned. It cannot be found on deps.dev.

As a result in V2.1 the run fails. In v2.2 it doesn't fail no more, but it also doesn't list the other vulnerabilities any more.

[cuixq]

@moritzschmitz-oviva I replied to that question before seeing the comment here so I copied the information there. I will post my replies in that thread!