feat(java): add support remote repositories from settings.xml files (#9708)

Co-authored-by: Copilot <[email protected]>

Author: DmitriyLewen

pkg/dependency/parser/java/pom/parse.go

@@ -29,14 +29,10 @@ import (
 	xio "github.com/aquasecurity/trivy/pkg/x/io"
 )
 
-const (
-	centralURL = "https://repo.maven.apache.org/maven2/"
-)
-
 type options struct {
-	offline             bool
-	releaseRemoteRepos  []string
-	snapshotRemoteRepos []string
+	offline       bool
+	defaultRepo   repository
+	settingsRepos []repository
 }
 
 type option func(*options)
@@ -47,55 +43,71 @@ func WithOffline(offline bool) option {
 	}
 }
 
-func WithReleaseRemoteRepos(repos []string) option {
+func WithDefaultRepo(repoURL string, releaseEnabled, snapshotEnabled bool) option {
 	return func(opts *options) {
-		opts.releaseRemoteRepos = repos
+		u, _ := url.Parse(repoURL)
+		opts.defaultRepo = repository{
+			url:             *u,
+			releaseEnabled:  releaseEnabled,
+			snapshotEnabled: snapshotEnabled,
+		}
 	}
 }
 
-func WithSnapshotRemoteRepos(repos []string) option {
+func WithSettingsRepos(repoURLs []string, releaseEnabled, snapshotEnabled bool) option {
 	return func(opts *options) {
-		opts.snapshotRemoteRepos = repos
+		opts.settingsRepos = lo.Map(repoURLs, func(repoURL string, _ int) repository {
+			u, _ := url.Parse(repoURL)
+			return repository{
+				url:             *u,
+				releaseEnabled:  releaseEnabled,
+				snapshotEnabled: snapshotEnabled,
+			}
+		})
 	}
 }
 
 type Parser struct {
-	logger              *log.Logger
-	rootPath            string
-	cache               pomCache
-	localRepository     string
-	releaseRemoteRepos  []string
-	snapshotRemoteRepos []string
-	offline             bool
-	servers             []Server
+	logger          *log.Logger
+	rootPath        string
+	cache           pomCache
+	localRepository string
+	remoteRepos     repositories
+	offline         bool
+	servers         []Server
 }
 
 func NewParser(filePath string, opts ...option) *Parser {
 	o := &options{
-		offline:            false,
-		releaseRemoteRepos: []string{centralURL}, // Maven doesn't use central repository for snapshot dependencies
-	}
-
-	for _, opt := range opts {
-		opt(o)
+		offline:     false,
+		defaultRepo: mavenCentralRepo,
 	}
 
 	s := readSettings()
+	o.settingsRepos = s.effectiveRepositories()
 	localRepository := s.LocalRepository
 	if localRepository == "" {
 		homeDir, _ := os.UserHomeDir()
 		localRepository = filepath.Join(homeDir, ".m2", "repository")
 	}
 
+	for _, opt := range opts {
+		opt(o)
+	}
+
+	remoteRepos := repositories{
+		defaultRepo: o.defaultRepo,
+		settings:    o.settingsRepos,
+	}
+
 	return &Parser{
-		logger:              log.WithPrefix("pom"),
-		rootPath:            filepath.Clean(filePath),
-		cache:               newPOMCache(),
-		localRepository:     localRepository,
-		releaseRemoteRepos:  o.releaseRemoteRepos,
-		snapshotRemoteRepos: o.snapshotRemoteRepos,
-		offline:             o.offline,
-		servers:             s.Servers,
+		logger:          log.WithPrefix("pom"),
+		rootPath:        filepath.Clean(filePath),
+		cache:           newPOMCache(),
+		localRepository: localRepository,
+		remoteRepos:     remoteRepos,
+		offline:         o.offline,
+		servers:         s.Servers,
 	}
 }
 
@@ -362,9 +374,10 @@ func (p *Parser) analyze(ctx context.Context, pom *pom, opts analysisOptions) (a
 		opts.exclusions = set.New[string]()
 	}
 	// Update remoteRepositories
-	pomReleaseRemoteRepos, pomSnapshotRemoteRepos := pom.repositories(p.servers)
-	p.releaseRemoteRepos = lo.Uniq(append(pomReleaseRemoteRepos, p.releaseRemoteRepos...))
-	p.snapshotRemoteRepos = lo.Uniq(append(pomSnapshotRemoteRepos, p.snapshotRemoteRepos...))
+	pomRepos := pom.repositories(p.servers)
+	p.remoteRepos.pom = lo.UniqBy(append(pomRepos, p.remoteRepos.pom...), func(r repository) url.URL {
+		return r.url
+	})
 
 	// Resolve parent POM
 	if err := p.resolveParent(ctx, pom); err != nil {
@@ -710,17 +723,19 @@ func (p *Parser) fetchPOMFromRemoteRepositories(ctx context.Context, paths []str
 		return nil, xerrors.New("offline mode")
 	}
 
-	remoteRepos := p.releaseRemoteRepos
-	// Maven uses only snapshot repos for snapshot artifacts
-	if snapshot {
-		remoteRepos = p.snapshotRemoteRepos
-	}
+	// Try all remoteRepositories by following order:
+	// 1. remoteRepositories from settings.xml
+	// 2. remoteRepositories from pom.xml
+	// 3. default remoteRepository (Maven Central for Release repository)
+	for _, repo := range slices.Concat(p.remoteRepos.settings, p.remoteRepos.pom, []repository{p.remoteRepos.defaultRepo}) {
+		// Skip Release only repositories for snapshot artifacts and vice versa
+		if snapshot && !repo.snapshotEnabled || !snapshot && !repo.releaseEnabled {
+			continue
+		}
 
-	// try all remoteRepositories
-	for _, repo := range remoteRepos {
 		repoPaths := slices.Clone(paths) // Clone slice to avoid overwriting last element of `paths`
 		if snapshot {
-			pomFileName, err := p.fetchPomFileNameFromMavenMetadata(ctx, repo, repoPaths)
+			pomFileName, err := p.fetchPomFileNameFromMavenMetadata(ctx, repo.url, repoPaths)
 			if err != nil {
 				return nil, xerrors.Errorf("fetch maven-metadata.xml error: %w", err)
 			}
@@ -729,7 +744,7 @@ func (p *Parser) fetchPOMFromRemoteRepositories(ctx context.Context, paths []str
 				repoPaths[len(repoPaths)-1] = pomFileName
 			}
 		}
-		fetched, err := p.fetchPOMFromRemoteRepository(ctx, repo, repoPaths)
+		fetched, err := p.fetchPOMFromRemoteRepository(ctx, repo.url, repoPaths)
 		if err != nil {
 			return nil, xerrors.Errorf("fetch repository error: %w", err)
 		} else if fetched == nil {
@@ -740,12 +755,7 @@ func (p *Parser) fetchPOMFromRemoteRepositories(ctx context.Context, paths []str
 	return nil, xerrors.Errorf("the POM was not found in remote remoteRepositories")
 }
 
-func (p *Parser) remoteRepoRequest(ctx context.Context, repo string, paths []string) (*http.Request, error) {
-	repoURL, err := url.Parse(repo)
-	if err != nil {
-		return nil, xerrors.Errorf("unable to parse URL: %w", err)
-	}
-
+func (p *Parser) remoteRepoRequest(ctx context.Context, repoURL url.URL, paths []string) (*http.Request, error) {
 	paths = append([]string{repoURL.Path}, paths...)
 	repoURL.Path = path.Join(paths...)
 
@@ -762,14 +772,14 @@ func (p *Parser) remoteRepoRequest(ctx context.Context, repo string, paths []str
 }
 
 // fetchPomFileNameFromMavenMetadata fetches `maven-metadata.xml` file to detect file name of pom file.
-func (p *Parser) fetchPomFileNameFromMavenMetadata(ctx context.Context, repo string, paths []string) (string, error) {
+func (p *Parser) fetchPomFileNameFromMavenMetadata(ctx context.Context, repoURL url.URL, paths []string) (string, error) {
 	// Overwrite pom file name to `maven-metadata.xml`
 	mavenMetadataPaths := slices.Clone(paths[:len(paths)-1]) // Clone slice to avoid shadow overwriting last element of `paths`
 	mavenMetadataPaths = append(mavenMetadataPaths, "maven-metadata.xml")
 
-	req, err := p.remoteRepoRequest(ctx, repo, mavenMetadataPaths)
+	req, err := p.remoteRepoRequest(ctx, repoURL, mavenMetadataPaths)
 	if err != nil {
-		p.logger.Debug("Unable to create request", log.String("repo", repo), log.Err(err))
+		p.logger.Debug("Unable to create request", log.String("repo", repoURL.Redacted()), log.Err(err))
 		return "", nil
 	}
 
@@ -779,14 +789,16 @@ func (p *Parser) fetchPomFileNameFromMavenMetadata(ctx context.Context, repo str
 		if shouldReturnError(err) {
 			return "", err
 		}
-		p.logger.Debug("Failed to fetch", log.String("url", req.URL.String()), log.Err(err))
-		return "", nil
-	} else if resp.StatusCode != http.StatusOK {
-		p.logger.Debug("Failed to fetch", log.String("url", req.URL.String()), log.Int("statusCode", resp.StatusCode))
+		p.logger.Debug("Failed to fetch", log.String("url", req.URL.Redacted()), log.Err(err))
 		return "", nil
 	}
 	defer resp.Body.Close()
 
+	if resp.StatusCode != http.StatusOK {
+		p.logger.Debug("Failed to fetch", log.String("url", req.URL.Redacted()), log.Int("statusCode", resp.StatusCode))
+		return "", nil
+	}
+
 	mavenMetadata, err := parseMavenMetadata(resp.Body)
 	if err != nil {
 		return "", xerrors.Errorf("failed to parse maven-metadata.xml file: %w", err)
@@ -803,10 +815,10 @@ func (p *Parser) fetchPomFileNameFromMavenMetadata(ctx context.Context, repo str
 	return pomFileName, nil
 }
 
-func (p *Parser) fetchPOMFromRemoteRepository(ctx context.Context, repo string, paths []string) (*pom, error) {
-	req, err := p.remoteRepoRequest(ctx, repo, paths)
+func (p *Parser) fetchPOMFromRemoteRepository(ctx context.Context, repoURL url.URL, paths []string) (*pom, error) {
+	req, err := p.remoteRepoRequest(ctx, repoURL, paths)
 	if err != nil {
-		p.logger.Debug("Unable to create request", log.String("repo", repo), log.Err(err))
+		p.logger.Debug("Unable to create request", log.String("repo", repoURL.Redacted()), log.Err(err))
 		return nil, nil
 	}
 
@@ -816,14 +828,16 @@ func (p *Parser) fetchPOMFromRemoteRepository(ctx context.Context, repo string,
 		if shouldReturnError(err) {
 			return nil, err
 		}
-		p.logger.Debug("Failed to fetch", log.String("url", req.URL.String()), log.Err(err))
-		return nil, nil
-	} else if resp.StatusCode != http.StatusOK {
-		p.logger.Debug("Failed to fetch", log.String("url", req.URL.String()), log.Int("statusCode", resp.StatusCode))
+		p.logger.Debug("Failed to fetch", log.String("url", req.URL.Redacted()), log.Err(err))
 		return nil, nil
 	}
 	defer resp.Body.Close()
 
+	if resp.StatusCode != http.StatusOK {
+		p.logger.Debug("Failed to fetch", log.String("url", req.URL.Redacted()), log.Int("statusCode", resp.StatusCode))
+		return nil, nil
+	}
+
 	content, err := parsePom(resp.Body, false)
 	if err != nil {
 		return nil, xerrors.Errorf("failed to parse the remote POM: %w", err)

pkg/dependency/parser/java/pom/parse_test.go

@@ -110,13 +110,14 @@ var (
 
 func TestPom_Parse(t *testing.T) {
 	tests := []struct {
-		name      string
-		inputFile string
-		local     bool
-		offline   bool
-		want      []ftypes.Package
-		wantDeps  []ftypes.Dependency
-		wantErr   string
+		name                      string
+		inputFile                 string
+		local                     bool
+		enableRepoForSettingsRepo bool // use another repo for repository from settings.xml
+		offline                   bool
+		want                      []ftypes.Package
+		wantDeps                  []ftypes.Dependency
+		wantErr                   string
 	}{
 		{
 			name:      "local repository",
@@ -326,6 +327,55 @@ func TestPom_Parse(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:                      "multiple repositories are used",
+			inputFile:                 filepath.Join("testdata", "happy", "pom.xml"),
+			local:                     false,
+			enableRepoForSettingsRepo: true,
+			want: []ftypes.Package{
+				{
+					ID:           "com.example:happy:1.0.0",
+					Name:         "com.example:happy",
+					Version:      "1.0.0",
+					Licenses:     []string{"BSD-3-Clause"},
+					Relationship: ftypes.RelationshipRoot,
+				},
+				{
+					ID:           "org.example:example-api:1.7.30",
+					Name:         "org.example:example-api",
+					Version:      "1.7.30",
+					Licenses:     []string{"Custom License from custom repo"},
+					Relationship: ftypes.RelationshipDirect,
+					Locations: ftypes.Locations{
+						{
+							StartLine: 32,
+							EndLine:   36,
+						},
+					},
+				},
+				{
+					ID:           "org.example:example-runtime:1.0.0",
+					Name:         "org.example:example-runtime",
+					Version:      "1.0.0",
+					Relationship: ftypes.RelationshipDirect,
+					Locations: ftypes.Locations{
+						{
+							StartLine: 37,
+							EndLine:   42,
+						},
+					},
+				},
+			},
+			wantDeps: []ftypes.Dependency{
+				{
+					ID: "com.example:happy:1.0.0",
+					DependsOn: []string{
+						"org.example:example-api:1.7.30",
+						"org.example:example-runtime:1.0.0",
+					},
+				},
+			},
+		},
 		{
 			name:      "inherit parent properties",
 			inputFile: filepath.Join("testdata", "parent-properties", "child", "pom.xml"),
@@ -2206,18 +2256,27 @@ func TestPom_Parse(t *testing.T) {
 			require.NoError(t, err)
 			defer f.Close()
 
-			var remoteRepos []string
+			var defaultRepo string
+			var settingsRepos []string
 			if tt.local {
 				// for local repository
 				t.Setenv("MAVEN_HOME", "testdata/settings/global")
 			} else {
 				// for remote repository
 				h := http.FileServer(http.Dir(filepath.Join("testdata", "repository")))
 				ts := httptest.NewServer(h)
-				remoteRepos = []string{ts.URL}
+				defaultRepo = ts.URL
+
+				// Enable custom repository to be sure in repository order checking
+				if tt.enableRepoForSettingsRepo {
+					ch := http.FileServer(http.Dir(filepath.Join("testdata", "repository-for-settings-repo")))
+					cts := httptest.NewServer(ch)
+					settingsRepos = []string{cts.URL}
+				}
 			}
 
-			p := pom.NewParser(tt.inputFile, pom.WithReleaseRemoteRepos(remoteRepos), pom.WithSnapshotRemoteRepos(remoteRepos), pom.WithOffline(tt.offline))
+			p := pom.NewParser(tt.inputFile, pom.WithDefaultRepo(defaultRepo, true, true),
+				pom.WithSettingsRepos(settingsRepos, true, false), pom.WithOffline(tt.offline))
 
 			gotPkgs, gotDeps, err := p.Parse(t.Context(), f)
 			if tt.wantErr != "" {