Merge pull request #5884 from dependabot/jakecoffman/maven-creds-settings-xml

add Maven credential metadata to the URLs it searches for POM files

Author: jakecoffman

maven/lib/dependabot/maven/file_parser/property_value_finder.rb

@@ -17,8 +17,9 @@ class PropertyValueFinder
 
         DOT_SEPARATOR_REGEX = %r{\.(?!\d+([.\/_\-]|$)+)}.freeze
 
-        def initialize(dependency_files:)
+        def initialize(dependency_files:, credentials: [])
           @dependency_files = dependency_files
+          @credentials = credentials
         end
 
         def property_details(property_name:, callsite_pom:)
@@ -119,6 +120,7 @@ def repositories_finder
           @repositories_finder ||=
             RepositoriesFinder.new(
               dependency_files: dependency_files,
+              credentials: @credentials,
               evaluate_properties: false
             )
         end

maven/lib/dependabot/maven/file_parser/repositories_finder.rb

@@ -26,8 +26,9 @@ class RepositoriesFinder
         CENTRAL_REPO_URL = "https://repo.maven.apache.org/maven2"
         SUPER_POM = { url: CENTRAL_REPO_URL, id: "central" }
 
-        def initialize(dependency_files:, evaluate_properties: true)
+        def initialize(dependency_files:, credentials: [], evaluate_properties: true)
           @dependency_files = dependency_files
+          @credentials = credentials
 
           # We need the option not to evaluate properties so as not to have a
           # circular dependency between this class and the PropertyValueFinder
@@ -39,7 +40,7 @@ def initialize(dependency_files:, evaluate_properties: true)
         def repository_urls(pom:, exclude_inherited: false)
           entries = gather_repository_urls(pom: pom, exclude_inherited: exclude_inherited)
           ids = Set.new
-          entries.map do |entry|
+          urls_from_credentials + entries.map do |entry|
             next if entry[:id] && ids.include?(entry[:id])
 
             ids.add(entry[:id]) unless entry[:id].nil?
@@ -119,7 +120,7 @@ def internal_dependency_poms
         end
 
         def fetch_remote_parent_pom(group_id, artifact_id, version, repo_urls)
-          (repo_urls + [CENTRAL_REPO_URL]).uniq.each do |base_url|
+          (urls_from_credentials + repo_urls + [CENTRAL_REPO_URL]).uniq.each do |base_url|
             url = remote_pom_url(group_id, artifact_id, version, base_url)
 
             @maven_responses ||= {}
@@ -155,6 +156,12 @@ def remote_pom_url(group_id, artifact_id, version, base_repo_url)
             "#{artifact_id}-#{version}.pom"
         end
 
+        def urls_from_credentials
+          @credentials.
+            select { |cred| cred["type"] == "maven_repository" }.
+            filter_map { |cred| cred["url"]&.strip&.gsub(%r{/$}, "") }
+        end
+
         def contains_property?(value)
           value.match?(property_regex)
         end

maven/spec/dependabot/maven/file_parser/repositories_finder_spec.rb

@@ -5,8 +5,13 @@
 require "dependabot/maven/file_parser/repositories_finder"
 
 RSpec.describe Dependabot::Maven::FileParser::RepositoriesFinder do
-  let(:finder) { described_class.new(dependency_files: dependency_files) }
-
+  let(:finder) do
+    described_class.new(
+      dependency_files: dependency_files,
+      credentials: credentials
+    )
+  end
+  let(:credentials) { [] }
   let(:dependency_files) { [base_pom] }
   let(:base_pom) do
     Dependabot::DependencyFile.new(
@@ -51,6 +56,25 @@
         end
       end
 
+      context "with credentials" do
+        let(:base_pom_fixture_name) { "basic_pom.xml" }
+        let(:credentials) do
+          [
+            { "type" => "maven_repository", "url" => "https://example.com" },
+            { "type" => "git_source", "url" => "https://github.com" } # ignored since it's not maven
+          ]
+        end
+
+        it "adds the credential urls first" do
+          expect(repository_urls).to eq(
+            %w(
+              https://example.com
+              https://repo.maven.apache.org/maven2
+            )
+          )
+        end
+      end
+
       context "that use properties" do
         let(:base_pom_fixture_name) { "property_repo_pom.xml" }