diff --git a/maven/lib/dependabot/maven/file_parser/property_value_finder.rb b/maven/lib/dependabot/maven/file_parser/property_value_finder.rb
index 948764ff2e7..3bde0ef8a06 100644
--- a/maven/lib/dependabot/maven/file_parser/property_value_finder.rb
+++ b/maven/lib/dependabot/maven/file_parser/property_value_finder.rb
@@ -17,8 +17,9 @@ class PropertyValueFinder
 
         DOT_SEPARATOR_REGEX = %r{\.(?!\d+([.\/_\-]|$)+)}.freeze
 
-        def initialize(dependency_files:)
+        def initialize(dependency_files:, credentials: [])
           @dependency_files = dependency_files
+          @credentials = credentials
         end
 
         def property_details(property_name:, callsite_pom:)
@@ -119,6 +120,7 @@ def repositories_finder
 
           @repositories_finder ||= RepositoriesFinder.new(
             dependency_files: dependency_files,
+            credentials: @credentials,
             evaluate_properties: false
           )
         end
diff --git a/maven/lib/dependabot/maven/file_parser/repositories_finder.rb b/maven/lib/dependabot/maven/file_parser/repositories_finder.rb
index 1f66a25b7f3..48f708d5556 100644
--- a/maven/lib/dependabot/maven/file_parser/repositories_finder.rb
+++ b/maven/lib/dependabot/maven/file_parser/repositories_finder.rb
@@ -26,8 +26,9 @@ class RepositoriesFinder
         CENTRAL_REPO_URL = "https://repo.maven.apache.org/maven2"
         SUPER_POM = { url: CENTRAL_REPO_URL, id: "central" }
 
-        def initialize(dependency_files:, evaluate_properties: true)
+        def initialize(dependency_files:, credentials: [], evaluate_properties: true)
           @dependency_files = dependency_files
+          @credentials = credentials
 
           # We need the option not to evaluate properties so as not to have a
           # circular dependency between this class and the PropertyValueFinder
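Review bot: The new `credentials: @credentials` argument in the `repositories_finder` hunk reads the instance variable directly while the neighbouring `dependency_files: dependency_files` goes through a reader, which is presumably a private `attr_reader` declared outside the hunk; for consistency declare `attr_reader :credentials` next to it and pass `credentials: credentials`. The same direct `@credentials.` access starts the chain in the new `urls_from_credentials` method of repositories_finder.rb, where a reader would serve equally well. Neither initializer says what shape `credentials` has, and the hash keys it relies on are only visible in the other file; a comment on the parameter such as `# credentials: array of hashes with "type" and "url" keys; only "maven_repository" entries are used` would spare callers that lookup.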
@@ -39,7 +40,7 @@ def initialize(dependency_files:, evaluate_properties: true)
         def repository_urls(pom:, exclude_inherited: false)
           entries = gather_repository_urls(pom: pom, exclude_inherited: exclude_inherited)
           ids = Set.new
-          entries.map do |entry|
+          urls_from_credentials + entries.map do |entry|
             next if entry[:id] && ids.include?(entry[:id])
 
             ids.add(entry[:id]) unless entry[:id].nil?
@@ -119,7 +120,7 @@ def internal_dependency_poms
         end
 
         def fetch_remote_parent_pom(group_id, artifact_id, version, repo_urls)
-          (repo_urls + [CENTRAL_REPO_URL]).uniq.each do |base_url|
+          (urls_from_credentials + repo_urls + [CENTRAL_REPO_URL]).uniq.each do |base_url|
             url = remote_pom_url(group_id, artifact_id, version, base_url)
 
             @maven_responses ||= {}
@@ -155,6 +156,12 @@ def remote_pom_url(group_id, artifact_id, version, base_repo_url)
             "#{artifact_id}-#{version}.pom"
         end
 
+        def urls_from_credentials
+          @credentials.
+            select { |cred| cred["type"] == "maven_repository" }.
+            filter_map { |cred| cred["url"]&.strip&.gsub(%r{/$}, "") }
+        end
+
         def contains_property?(value)
           value.match?(property_regex)
         end
diff --git a/maven/spec/dependabot/maven/file_parser/repositories_finder_spec.rb b/maven/spec/dependabot/maven/file_parser/repositories_finder_spec.rb
index 7a8bbc202c4..5c442440d12 100644
--- a/maven/spec/dependabot/maven/file_parser/repositories_finder_spec.rb
+++ b/maven/spec/dependabot/maven/file_parser/repositories_finder_spec.rb
@@ -5,8 +5,13 @@
 require "dependabot/maven/file_parser/repositories_finder"
 
 RSpec.describe Dependabot::Maven::FileParser::RepositoriesFinder do
-  let(:finder) { described_class.new(dependency_files: dependency_files) }
-
+  let(:finder) do
+    described_class.new(
+      dependency_files: dependency_files,
+      credentials: credentials
+    )
+  end
+  let(:credentials) { [] }
   let(:dependency_files) { [base_pom] }
   let(:base_pom) do
     Dependabot::DependencyFile.new(
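Review bot: `repository_urls` can now return the same URL twice when a credential URL is also declared as a repository in the POM, because the `ids` set only dedupes POM entries by id and nothing compares the prepended `urls_from_credentials` against them; the `fetch_remote_parent_pom` hunk below already guards the equivalent concatenation with `.uniq`, and the expression that closes the `entries.map` block (outside this hunk) should get the same `.uniq`. The ordering deserves a comment, since it is the security-relevant part of the change: credentialed repositories are consulted before POM-declared ones and Central in both hunks, which presumably is intended so that a private host takes precedence over a public repository hosting the same coordinates — something like `# Credentialed repositories come first so they take precedence over public ones` above the changed line would record that. The body of `repository_urls` continues past the hunk.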
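Review bot: `urls_from_credentials` keeps an empty credential URL: a `"url"` of `""` or pure whitespace comes out of `strip` and `gsub` as `""`, which `filter_map` does not drop (it only discards nil and false), so the blank would be returned from `repository_urls` and handed to `remote_pom_url` as a base URL. The `$` anchor in `%r{/$}` also matches before an embedded newline rather than only at the end of the string; a suffix method avoids the regex altogether. Replacing the last line of the chain with `filter_map { |cred| cred["url"]&.strip&.delete_suffix("/") }.` followed by `reject(&:empty?)` keeps the single trailing-slash removal and drops blanks.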
@@ -51,6 +56,25 @@
       end
     end
 
+    context "with credentials" do
+      let(:base_pom_fixture_name) { "basic_pom.xml" }
+      let(:credentials) do
+        [
+          { "type" => "maven_repository", "url" => "https://example.com" },
+          { "type" => "git_source", "url" => "https://github.com" } # ignored since it's not maven
+        ]
+      end
+
+      it "adds the credential urls first" do
+        expect(repository_urls).to eq(
+          %w(
+            https://example.com
+            https://repo.maven.apache.org/maven2
+          )
+        )
+      end
+    end
+
     context "that use properties" do
       let(:base_pom_fixture_name) { "property_repo_pom.xml" }