Maven: fix forgetting repositories seen in earlier POMs

maven/lib/dependabot/maven/file_parser/repositories_finder.rb

@@ -31,6 +31,9 @@ def initialize(pom_fetcher:, dependency_files: [], credentials: [], evaluate_pro
           # circular dependency between this class and the PropertyValueFinder
           # class
           @evaluate_properties = evaluate_properties
+          # Aggregates URLs seen in POMs to avoid short term memory loss.
+          # For instance a repository in a child POM might apply to the parent too.
+          @known_urls = []
         end
 
         def central_repo_url
@@ -42,12 +45,17 @@ def central_repo_url
         def repository_urls(pom:, exclude_inherited: false)
           entries = gather_repository_urls(pom: pom, exclude_inherited: exclude_inherited)
           ids = Set.new
-          urls_from_credentials + entries.map do |entry|
+          @known_urls += entries.map do |entry|
             next if entry[:id] && ids.include?(entry[:id])
 
             ids.add(entry[:id]) unless entry[:id].nil?
-            entry[:url]
-          end.uniq.compact
+            entry
+          end
+          @known_urls = @known_urls.uniq.compact
+
+          urls = urls_from_credentials + @known_urls.map { |entry| entry[:url] }
+          urls += [central_repo_url] unless @known_urls.any? { |entry| entry[:id] == super_pom[:id] }
+          urls.uniq
         end
 
         private
@@ -69,11 +77,11 @@ def gather_repository_urls(pom:, exclude_inherited: false)
             select { |entry| entry[:url].start_with?("http") }.
             map { |entry| { url: evaluated_value(entry[:url], pom).gsub(%r{/$}, ""), id: entry[:id] } }
 
-          return repos_in_pom + [super_pom] if exclude_inherited
+          return repos_in_pom if exclude_inherited
 
           urls_in_pom = repos_in_pom.map { |repo| repo[:url] }
           unless (parent = parent_pom(pom, urls_in_pom))
-            return repos_in_pom + [super_pom]
+            return repos_in_pom
           end
 
           repos_in_pom + gather_repository_urls(pom: parent)

maven/spec/dependabot/maven/file_parser/repositories_finder_spec.rb

@@ -65,6 +65,45 @@
         )
       end
 
+      it "remembers what it's seen" do
+        custom_pom = Dependabot::DependencyFile.new(
+          name: "pom.xml",
+          content: fixture("poms", "custom_repositories_pom.xml")
+        )
+        expect(finder.repository_urls(pom: custom_pom)).to eq(
+          %w(
+            http://scala-tools.org/repo-releases
+            http://repository.jboss.org/maven2
+            http://plugin-repository.jboss.org/maven2
+            https://repo.maven.apache.org/maven2
+          )
+        )
+        base_pom = Dependabot::DependencyFile.new(
+          name: "pom.xml",
+          content: fixture("poms", "basic_pom.xml")
+        )
+        expect(finder.repository_urls(pom: base_pom)).to eq(
+          %w(
+            http://scala-tools.org/repo-releases
+            http://repository.jboss.org/maven2
+            http://plugin-repository.jboss.org/maven2
+            https://repo.maven.apache.org/maven2
+          )
+        )
+        overwrite_central_pom = Dependabot::DependencyFile.new(
+          name: "pom.xml",
+          content: fixture("poms", "overwrite_central_pom.xml")
+        )
+        expect(finder.repository_urls(pom: overwrite_central_pom)).to eq(
+          %w(
+            http://scala-tools.org/repo-releases
+            http://repository.jboss.org/maven2
+            http://plugin-repository.jboss.org/maven2
+            https://example.com
+          )
+        )
+      end
+
       context "that overwrites central" do
         let(:base_pom_fixture_name) { "overwrite_central_pom.xml" }