maven: implement replaces-base to avoid calling central

maven/lib/dependabot/maven/file_parser/repositories_finder.rb

@@ -21,12 +21,7 @@ class RepositoriesFinder
         REPOSITORY_SELECTOR = "repositories > repository, " \
                               "pluginRepositories > pluginRepository"
 
-        # The Central Repository is included in the Super POM, which is
-        # always inherited from.
-        CENTRAL_REPO_URL = "https://repo.maven.apache.org/maven2"
-        SUPER_POM = { url: CENTRAL_REPO_URL, id: "central" }
-
-        def initialize(dependency_files:, credentials: [], evaluate_properties: true)
+        def initialize(dependency_files: [], credentials: [], evaluate_properties: true)
           @dependency_files = dependency_files
           @credentials = credentials
 
@@ -36,6 +31,11 @@ def initialize(dependency_files:, credentials: [], evaluate_properties: true)
           @evaluate_properties = evaluate_properties
         end
 
+        def central_repo_url
+          base = @credentials.find { |cred| cred["type"] == "maven_repository" && cred["replaces-base"] == true }
+          base ? base["url"] : "https://repo.maven.apache.org/maven2"
+        end
+
         # Collect all repository URLs from this POM and its parents
         def repository_urls(pom:, exclude_inherited: false)
           entries = gather_repository_urls(pom: pom, exclude_inherited: exclude_inherited)
@@ -52,6 +52,12 @@ def repository_urls(pom:, exclude_inherited: false)
 
         attr_reader :dependency_files
 
+        # The Central Repository is included in the Super POM, which is
+        # always inherited from.
+        def super_pom
+          { url: central_repo_url, id: "central" }
+        end
+
         def gather_repository_urls(pom:, exclude_inherited: false)
           repos_in_pom =
             Nokogiri::XML(pom.content).
@@ -61,11 +67,11 @@ def gather_repository_urls(pom:, exclude_inherited: false)
             select { |entry| entry[:url].start_with?("http") }.
             map { |entry| { url: evaluated_value(entry[:url], pom).gsub(%r{/$}, ""), id: entry[:id] } }
 
-          return repos_in_pom + [SUPER_POM] if exclude_inherited
+          return repos_in_pom + [super_pom] if exclude_inherited
 
           urls_in_pom = repos_in_pom.map { |repo| repo[:url] }
           unless (parent = parent_pom(pom, urls_in_pom))
-            return repos_in_pom + [SUPER_POM]
+            return repos_in_pom + [super_pom]
           end
 
           repos_in_pom + gather_repository_urls(pom: parent)
@@ -120,13 +126,13 @@ def internal_dependency_poms
         end
 
         def fetch_remote_parent_pom(group_id, artifact_id, version, repo_urls)
-          (urls_from_credentials + repo_urls + [CENTRAL_REPO_URL]).uniq.each do |base_url|
+          (urls_from_credentials + repo_urls + [central_repo_url]).uniq.each do |base_url|
             url = remote_pom_url(group_id, artifact_id, version, base_url)
 
             @maven_responses ||= {}
             @maven_responses[url] ||= Dependabot::RegistryClient.get(
               url: url,
-              # We attempt to find dependencies in private repos before failing over to the CENTRAL_REPO_URL,
+              # We attempt to find dependencies in private repos before failing over to the central repository,
               # but this can burn a lot of a job's time against slow servers due to our `read_timeout` being 20 seconds.
               #
               # In order to avoid the overall job timing out, we only make one retry attempt

maven/lib/dependabot/maven/metadata_finder.rb

@@ -149,7 +149,7 @@ def maven_repo_url
 
         source&.fetch(:url, nil) ||
           source&.fetch("url") ||
-          Maven::FileParser::RepositoriesFinder::CENTRAL_REPO_URL
+          Maven::FileParser::RepositoriesFinder.new(credentials: credentials).central_repo_url
       end
 
       def maven_repo_dependency_url

maven/lib/dependabot/maven/update_checker/version_finder.rb

@@ -272,7 +272,7 @@ def version_class
 
         def central_repo_urls
           central_url_without_protocol =
-            Maven::FileParser::RepositoriesFinder::CENTRAL_REPO_URL.
+            Maven::FileParser::RepositoriesFinder.new(credentials: credentials).central_repo_url.
             gsub(%r{^.*://}, "")
 
           %w(http:// https://).map { |p| p + central_url_without_protocol }

maven/spec/dependabot/maven/file_parser/repositories_finder_spec.rb

@@ -21,6 +21,24 @@
   end
   let(:base_pom_fixture_name) { "basic_pom.xml" }
 
+  describe "#central_repo_url" do
+    it "returns the central repo URL by default" do
+      expect(finder.central_repo_url).to eq("https://repo.maven.apache.org/maven2")
+    end
+    context "if replaces-base is present" do
+      let(:credentials) do
+        [{
+          "type" => "maven_repository",
+          "url" => "https://example.com",
+          "replaces-base" => true
+        }]
+      end
+      it "returns that URL instead" do
+        expect(finder.central_repo_url).to eq("https://example.com")
+      end
+    end
+  end
+
   describe "#repository_urls" do
     subject(:repository_urls) { finder.repository_urls(pom: pom) }
     let(:pom) { base_pom }