diff --git a/maven/lib/dependabot/maven/package/package_details_fetcher.rb b/maven/lib/dependabot/maven/package/package_details_fetcher.rb
index e448ae5e987..ffd426c4cb2 100644
--- a/maven/lib/dependabot/maven/package/package_details_fetcher.rb
+++ b/maven/lib/dependabot/maven/package/package_details_fetcher.rb
@@ -135,7 +135,7 @@ def versions_details_from_xml
 xml = dependency_metadata(repository_details)
 next [] if xml.nil?
- break extract_metadata_from_xml(xml, url)
+ extract_metadata_from_xml(xml, url)
 end
 raise PrivateSourceAuthenticationFailure, forbidden_urls.first if version_details.none? && forbidden_urls.any?
diff --git a/maven/spec/dependabot/maven/update_checker/version_finder_spec.rb b/maven/spec/dependabot/maven/update_checker/version_finder_spec.rb
index 0b2845c01be..d37ae7bd85c 100644
--- a/maven/spec/dependabot/maven/update_checker/version_finder_spec.rb
+++ b/maven/spec/dependabot/maven/update_checker/version_finder_spec.rb
@@ -389,7 +389,7 @@
 its([:version]) { is_expected.to eq(version_class.new("23.6-jre")) }
 its([:source_url]) do
- is_expected.to eq("https://private.registry.org/repo")
+ is_expected.to eq("https://repo.maven.apache.org/maven2")
 end
 context "when gitlab maven repository is used" do
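Review bot: Dropping `break` turns `version_details` from the first repository's metadata into the union of every repository that returned metadata, but nothing at the `extract_metadata_from_xml(xml, url)` line records that repository order no longer short-circuits the lookup, so the next reader may reintroduce it; I would add `# Every repository that serves metadata contributes versions; position in the list grants no precedence` above the call. The block that builds `version_details` and the method itself start before the hunk, so I cannot see whether the same version served by two repositories (each tagged with its own `url`) is de-duplicated downstream or which `source_url` wins in that case — that rule belongs in the method's comment. Note also that a private registry configured alongside Maven Central is now outranked by whichever repository publishes the highest version, as the spec expectation changes from `https://private.registry.org/repo` to `https://repo.maven.apache.org/maven2` confirm; if that is the intended trade-off, state it explicitly here rather than only in the tests.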
@@ -434,6 +434,49 @@
 end
 end
+ context "when the dependency exists in more than one repository, it should check all the repositories" do
+ let(:credentials) do
+ [
+ Dependabot::Credential.new(
+ {
+ "type" => "maven_repository",
+ "url" => "https://repo.jenkins-ci.org/releases/"
+ }
+ )
+ ]
+ end
+
+ let(:jenkins_releases) do
+ fixture("maven_central_metadata", "with_release_older_version.xml")
+ end
+
+ let(:maven_central_releases) do
+ fixture("maven_central_metadata", "with_release.xml")
+ end
+
+ before do
+ # The Jenkins repo returns an older version
+ stub_request(:get, "https://repo.jenkins-ci.org/releases/com/google/guava/guava/maven-metadata.xml")
+ .to_return(status: 200, body: jenkins_releases)
+ stub_request(:head, "https://repo.jenkins-ci.org/releases/com/google/guava/guava/10.0/guava-10.0-jre.jar")
+ .to_return(status: 200)
+ stub_request(:head, "https://repo.jenkins-ci.org/releases/com/google/guava/guava/23.6-jre/guava-23.6-jre.jar")
+ .to_return(status: 404)
+
+ # In central, we have a newer version
+ stub_request(:get, "https://repo.maven.apache.org/maven2/com/google/guava/guava/maven-metadata.xml")
+ .to_return(status: 200, body: maven_central_releases)
+ stub_request(:head, "https://repo.maven.apache.org/maven2/com/google/guava/guava/23.6-jre/guava-23.6-jre.jar")
+ .to_return(status: 200)
+ end
+
+ its([:version]) { is_expected.to eq(version_class.new("23.6-jre")) }
+
+ its([:source_url]) do
+ is_expected.to eq("https://repo.maven.apache.org/maven2")
+ end
+ end
+
 context "when there is no auth details" do
 let(:credentials) do
 [Dependabot::Credential.new(
@@ -452,7 +495,7 @@
 its([:version]) { is_expected.to eq(version_class.new("23.6-jre")) }
 its([:source_url]) do
- is_expected.to eq("https://private.registry.org/repo")
+ is_expected.to eq("https://repo.maven.apache.org/maven2")
 end
 context "when credentials are required" do
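Review bot: The new context asserts only the final `version` and `source_url`, so it does not show that both repositories were queried, which is what its description claims; the Jenkins stubs would be satisfied just as well by a lookup that never touched Jenkins, since WebMock does not fail on unused stubs. Pin the behaviour with `expect(WebMock).to have_requested(:get, "https://repo.jenkins-ci.org/releases/com/google/guava/guava/maven-metadata.xml")` and the same for the Maven Central metadata URL inside an `it` block. The description `"when the dependency exists in more than one repository, it should check all the repositories"` folds an expectation into a context name; keep the context as `"when the dependency exists in more than one repository"` and move the claim into the example name. The `:head` stubs for `10.0/guava-10.0-jre.jar` and the 404 for `23.6-jre` on Jenkins are unexplained — a one-line comment on why those paths are requested (presumably a per-version artifact check in the finder, which I cannot see from here) would help, and the flipped expectations at `@@ -389` and `@@ -452` would likewise read better with a comment that Central's newer release now outranks the private registry.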
diff --git a/maven/spec/fixtures/maven_central_metadata/with_release_older_version.xml b/maven/spec/fixtures/maven_central_metadata/with_release_older_version.xml
new file mode 100644
index 00000000000..8bfa56e3117
--- /dev/null
+++ b/maven/spec/fixtures/maven_central_metadata/with_release_older_version.xml
@@ -0,0 +1,18 @@
+ + com.google.guava + guava + + + 10.0 + 10.0 + + 9.0 + 10.0 + + 20171221012203 + +