fix: check versions across all the defined maven registries

maven/lib/dependabot/maven/package/package_details_fetcher.rb

@@ -135,7 +135,7 @@ def versions_details_from_xml
             xml = dependency_metadata(repository_details)
             next [] if xml.nil?
 
-            break extract_metadata_from_xml(xml, url)
+            extract_metadata_from_xml(xml, url)
           end
 
           raise PrivateSourceAuthenticationFailure, forbidden_urls.first if version_details.none? && forbidden_urls.any?

maven/spec/dependabot/maven/update_checker/version_finder_spec.rb

@@ -389,7 +389,7 @@
       its([:version]) { is_expected.to eq(version_class.new("23.6-jre")) }
 
       its([:source_url]) do
-        is_expected.to eq("https://private.registry.org/repo")
+        is_expected.to eq("https://repo.maven.apache.org/maven2")
       end
 
       context "when gitlab maven repository is used" do
@@ -434,6 +434,49 @@
         end
       end
 
+      context "when the dependency exists in more than one repository, it should check all the repositories" do
+        let(:credentials) do
+          [
+            Dependabot::Credential.new(
+              {
+                "type" => "maven_repository",
+                "url" => "https://repo.jenkins-ci.org/releases/"
+              }
+            )
+          ]
+        end
+
+        let(:jenkins_releases) do
+          fixture("maven_central_metadata", "with_release_older_version.xml")
+        end
+
+        let(:maven_central_releases) do
+          fixture("maven_central_metadata", "with_release.xml")
+        end
+
+        before do
+          # The Jenkins repo returns an older version
+          stub_request(:get, "https://repo.jenkins-ci.org/releases/com/google/guava/guava/maven-metadata.xml")
+            .to_return(status: 200, body: jenkins_releases)
+          stub_request(:head, "https://repo.jenkins-ci.org/releases/com/google/guava/guava/10.0/guava-10.0-jre.jar")
+            .to_return(status: 200)
+          stub_request(:head, "https://repo.jenkins-ci.org/releases/com/google/guava/guava/23.6-jre/guava-23.6-jre.jar")
+            .to_return(status: 404)
+
+          # In central, we have a newer version
+          stub_request(:get, "https://repo.maven.apache.org/maven2/com/google/guava/guava/maven-metadata.xml")
+            .to_return(status: 200, body: maven_central_releases)
+          stub_request(:head, "https://repo.maven.apache.org/maven2/com/google/guava/guava/23.6-jre/guava-23.6-jre.jar")
+            .to_return(status: 200)
+        end
+
+        its([:version]) { is_expected.to eq(version_class.new("23.6-jre")) }
+
+        its([:source_url]) do
+          is_expected.to eq("https://repo.maven.apache.org/maven2")
+        end
+      end
+
       context "when there is no auth details" do
         let(:credentials) do
           [Dependabot::Credential.new(
@@ -452,7 +495,7 @@
         its([:version]) { is_expected.to eq(version_class.new("23.6-jre")) }
 
         its([:source_url]) do
-          is_expected.to eq("https://private.registry.org/repo")
+          is_expected.to eq("https://repo.maven.apache.org/maven2")
         end
 
         context "when credentials are required" do

maven/spec/fixtures/maven_central_metadata/with_release_older_version.xml

@@ -0,0 +1,18 @@
+<metadata modelVersion="1.1.0">
+  <groupId>com.google.guava</groupId>
+  <artifactId>guava</artifactId>
+  <!--
+    This metadata example represents a repository that contains the dependency we are trying to update, but only an older version rather than the latest.
+    This demonstrates why it is important that Dependabot does not make any assumption about registry order based on discovery.
+    And that instead it should always check across all available repositories to determine the latest version.
+  -->
+  <versioning>
+    <latest>10.0</latest>
+    <release>10.0</release>
+    <versions>
+      <version>9.0</version>
+      <version>10.0</version>
+    </versions>
+    <lastUpdated>20171221012203</lastUpdated>
+  </versioning>
+</metadata>