Skip Maven snapshots repositories from versions checking

- snapshots repositories will be used for parent pom resolving
- for available versions checking snapshots repositories will be excluded

fix #5947

maven/lib/dependabot/maven/file_parser/property_value_finder.rb

@@ -91,7 +91,8 @@ def parent_pom(pom)
         def parent_repository_urls(pom)
           repositories_finder.repository_urls(
             pom: pom,
-            exclude_inherited: true
+            exclude_inherited: true,
+            exclude_snapshots: false
           )
         end
 

maven/lib/dependabot/maven/file_parser/repositories_finder.rb

@@ -43,7 +43,7 @@ def central_repo_url
         end
 
         # Collect all repository URLs from this POM and its parents
-        def repository_urls(pom:, exclude_inherited: false)
+        def repository_urls(pom:, exclude_inherited: false, exclude_snapshots: true)
           entries = gather_repository_urls(pom: pom, exclude_inherited: exclude_inherited)
           ids = Set.new
           @known_urls += entries.map do |entry|
@@ -54,7 +54,8 @@ def repository_urls(pom:, exclude_inherited: false)
           end
           @known_urls = @known_urls.uniq.compact
 
-          urls = urls_from_credentials + @known_urls.map { |entry| entry[:url] }
+          urls = urls_from_credentials + @known_urls.reject { |entry| exclude_snapshots && entry[:snapshots] }
+                                                    .map { |entry| entry[:url] }
           urls += [central_repo_url] unless @known_urls.any? { |entry| entry[:id] == super_pom[:id] }
           urls.uniq
         end
@@ -69,14 +70,35 @@ def super_pom
           { url: central_repo_url, id: "central" }
         end
 
+        def serialize_mvn_repo(entry)
+          {
+            url: entry.at_css("url").content.strip,
+            id: entry.at_css("id").content.strip,
+            snapshots: entry.at_css("snapshots > enabled")&.content&.strip,
+            releases: entry.at_css("releases > enabled")&.content&.strip
+          }
+        end
+
+        def snapshot_repo(entry)
+          entry[:snapshots] == "true" && (entry[:releases].nil? || entry[:releases] == "false")
+        end
+
+        def serialize_urls(entry, pom)
+          {
+            url: evaluated_value(entry[:url], pom).gsub(%r{/$}, ""),
+            id: entry[:id],
+            snapshots: snapshot_repo(entry)
+          }
+        end
+
         def gather_repository_urls(pom:, exclude_inherited: false)
           repos_in_pom =
             Nokogiri::XML(pom.content)
                     .css(REPOSITORY_SELECTOR)
-                    .map { |node| { url: node.at_css("url").content.strip, id: node.at_css("id").content.strip } }
+                    .map { |node| serialize_mvn_repo(node) }
                     .reject { |entry| contains_property?(entry[:url]) && !evaluate_properties? }
                     .select { |entry| entry[:url].start_with?("http") }
-                    .map { |entry| { url: evaluated_value(entry[:url], pom).gsub(%r{/$}, ""), id: entry[:id] } }
+                    .map { |entry| serialize_urls(entry, pom) }
 
           return repos_in_pom if exclude_inherited
 

maven/spec/dependabot/maven/file_parser/repositories_finder_spec.rb

@@ -105,6 +105,25 @@
         )
       end
 
+      it "snapshots repositories are returned" do
+        custom_pom = Dependabot::DependencyFile.new(
+          name: "pom.xml",
+          content: fixture("poms", "custom_repositories_pom.xml")
+        )
+        expect(finder.repository_urls(pom: custom_pom, exclude_snapshots: false)).to eq(
+          %w(
+            http://scala-tools.org/repo-releases
+            http://repository.jboss.org/maven2
+            https://oss.sonatype.org/content/repositories/snapshots-only
+            https://oss.sonatype.org/content/repositories/snapshots-with-releases
+            http://plugin-repository.jboss.org/maven2
+            https://oss.sonatype.org/content/repositories/plugin-snapshots-only
+            https://oss.sonatype.org/content/repositories/plugin-snapshots-with-releases
+            https://repo.maven.apache.org/maven2
+          )
+        )
+      end
+
       context "that overwrites central" do
         let(:base_pom_fixture_name) { "overwrite_central_pom.xml" }
 

maven/spec/fixtures/poms/custom_repositories_pom.xml

@@ -91,6 +91,23 @@ url>http://github.com/davidB/${project.artifactId}</url
         <enabled>false</enabled>
       </snapshots>
     </repository>
+    <repository>
+      <id>snapshot-only-repository</id>
+      <url>https://oss.sonatype.org/content/repositories/snapshots-only</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+    </repository>
+    <repository>
+      <id>snapshot-with-releases-repository</id>
+      <url>https://oss.sonatype.org/content/repositories/snapshots-with-releases</url>
+      <releases>
+        <enabled>false</enabled>
+      </releases>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+    </repository>
   </repositories>
   <pluginRepositories>
     <pluginRepository>
@@ -105,6 +122,23 @@ url>http://github.com/davidB/${project.artifactId}</url
         <enabled>false</enabled>
       </snapshots>
     </pluginRepository>
+    <pluginRepository>
+      <id>plugin-snapshot-only-repository</id>
+      <url>https://oss.sonatype.org/content/repositories/plugin-snapshots-only</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+    </pluginRepository>
+    <pluginRepository>
+      <id>plugin-snapshot-with-releases-repository</id>
+      <url>https://oss.sonatype.org/content/repositories/plugin-snapshots-with-releases</url>
+      <releases>
+        <enabled>false</enabled>
+      </releases>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+    </pluginRepository>
   </pluginRepositories>
   <developers>
     <developer>