Maven version search should search all repositories, not stop after the first maven-metadata.xml #9383

Open
1 task done
daniel-beck opened this issue Mar 28, 2024 · 0 comments
Labels
L: docker Docker containers L: git:submodules Git submodules L: go:modules Golang modules L: java:maven Maven packages via Maven T: bug 🐞 Something isn't working


daniel-beck commented Mar 28, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

Maven

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

Presumably since #5872, Dependabot incorrectly stops looking for repositories once a maven-metadata.xml is found.

I asked @olamy (a Maven committer) about this, and his response in #5872 (comment) explains that the submitter of #5872 seems to have misunderstood the Maven documentation.

As a result, because the Jenkins project deployed a fork of Mina sshd-core to our own Maven repository a decade ago and references that repository in pom.xml, Dependabot is unable to find more recent releases in repo1, as described in jenkins-infra/helpdesk#3919 (comment).

Native package manager behavior

Using the minimal example below:

$ mvn org.codehaus.mojo:versions-maven-plugin:2.16.2:display-dependency-updates
[INFO] Scanning for projects...
[INFO] 
[INFO] -------------------< org.example:dependabot-example >-------------------
[INFO] Building dependabot-example 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- versions-maven-plugin:2.16.2:display-dependency-updates (default-cli) @ dependabot-example ---
[INFO] The following dependencies in Dependencies have newer versions:
[INFO]   org.apache.sshd:sshd-core ........................... 2.11.0 -> 2.12.1
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.850 s
[INFO] Finished at: 2024-03-28T16:03:39+01:00
[INFO] ------------------------------------------------------------------------

Images of the diff or a link to the PR, issue, or logs

Using the minimal example below (at https://github.com/daniel-beck/dependabot-core-issue-9383):

./go/bin/dependabot update maven daniel-beck/dependabot-example
    cli | 2024/03/28 15:05:20 using image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest at sha256:f8c0686dbbe734670a826b437cbf548934f5cf832f49c50fe407c612bb256b47
    cli | 2024/03/28 15:05:20 using image ghcr.io/dependabot/dependabot-updater-maven at sha256:64b1c014f3ea6330d4538e55fdb6502015511a77d4817b183948a0a86244f7ba
updater | Updating certificates in /etc/ssl/certs...
  proxy | 2024/03/28 15:05:20 proxy starting, commit: cf8623577dad71c128f219df2b27df6de35b909d
  proxy | 2024/03/28 15:05:20 GitHubAPIHandler has no app access tokens
  proxy | 2024/03/28 15:05:20 Listening (:1080)
updater | rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
updater | 1 added, 0 removed; done.
updater | Running hooks in /etc/ca-certificates/update.d...
updater | done.
updater | 2024/03/28 15:05:34 INFO Starting job processing
updater | 2024/03/28 15:05:34 INFO Job definition: {"job":{"package-manager":"maven","allowed-updates":[{"update-type":"all"}],"debug":false,"dependency-groups":[],"dependencies":null,"dependency-group-to-refresh":null,"existing-pull-requests":[],"existing-group-pull-requests":[],"experiments":null,"ignore-conditions":[],"lockfile-only":false,"requirements-update-strategy":null,"security-advisories":[],"security-updates-only":false,"source":{"provider":"github","repo":"daniel-beck/dependabot-example","directory":"/","hostname":null,"api-endpoint":null},"update-subdependencies":false,"updating-a-pull-request":false,"vendor-dependencies":false,"reject-external-code":false,"repo-private":false,"commit-message-options":null,"credentials-metadata":[],"max-updater-run-time":0}}
  proxy | 2024/03/28 15:05:35 [002] GET https://github.com:443/daniel-beck/dependabot-example/info/refs?service=git-upload-pack
  proxy | 2024/03/28 15:05:35 [002] 200 https://github.com:443/daniel-beck/dependabot-example/info/refs?service=git-upload-pack
  proxy | 2024/03/28 15:05:35 [004] POST https://github.com:443/daniel-beck/dependabot-example/git-upload-pack
  proxy | 2024/03/28 15:05:35 [004] 200 https://github.com:443/daniel-beck/dependabot-example/git-upload-pack
  proxy | 2024/03/28 15:05:35 [006] POST https://github.com:443/daniel-beck/dependabot-example/git-upload-pack
  proxy | 2024/03/28 15:05:35 [006] 200 https://github.com:443/daniel-beck/dependabot-example/git-upload-pack
updater | 2024/03/28 15:05:37 INFO Finished job processing
updater | 2024/03/28 15:05:38 INFO Starting job processing
  proxy | 2024/03/28 15:05:38 [007] POST http://host.docker.internal:50733/update_jobs/cli/update_dependency_list
{"data":{"dependencies":[{"name":"org.apache.sshd:sshd-core","requirements":[{"file":"pom.xml","groups":[],"metadata":{"packaging_type":"jar"},"requirement":"2.11.0","source":null}],"version":"2.11.0"}],"dependency_files":["/pom.xml"]},"type":"update_dependency_list"}
  proxy | 2024/03/28 15:05:38 [007] 200 http://host.docker.internal:50733/update_jobs/cli/update_dependency_list
  proxy | 2024/03/28 15:05:38 [008] POST http://host.docker.internal:50733/update_jobs/cli/increment_metric
{"data":{"metric":"updater.started","tags":{"operation":"update_all_versions"}},"type":"increment_metric"}
  proxy | 2024/03/28 15:05:38 [008] 200 http://host.docker.internal:50733/update_jobs/cli/increment_metric
updater | 2024/03/28 15:05:38 INFO Starting update job for daniel-beck/dependabot-example
updater | 2024/03/28 15:05:38 INFO Checking all dependencies for version updates...
updater | 2024/03/28 15:05:38 INFO Checking if org.apache.sshd:sshd-core 2.11.0 needs updating
  proxy | 2024/03/28 15:05:39 [010] GET https://repo.jenkins-ci.org:443/releases/org/apache/sshd/sshd-core/maven-metadata.xml
  proxy | 2024/03/28 15:05:39 [010] 200 https://repo.jenkins-ci.org:443/releases/org/apache/sshd/sshd-core/maven-metadata.xml
  proxy | 2024/03/28 15:05:39 [012] HEAD https://repo.jenkins-ci.org:443/releases/org/apache/sshd/sshd-core/0.11.0-sshd-314-1/sshd-core-0.11.0-sshd-314-1.jar
  proxy | 2024/03/28 15:05:39 [012] 200 https://repo.jenkins-ci.org:443/releases/org/apache/sshd/sshd-core/0.11.0-sshd-314-1/sshd-core-0.11.0-sshd-314-1.jar
updater | 2024/03/28 15:05:40 INFO Latest version is 0.11.0-sshd-314-1
updater | 2024/03/28 15:05:40 INFO No update needed for org.apache.sshd:sshd-core 2.11.0
  proxy | 2024/03/28 15:05:40 [013] PATCH http://host.docker.internal:50733/update_jobs/cli/mark_as_processed
{"data":{"base-commit-sha":"09fdc063f3278721ac03bebe4e739551fa96ea40"},"type":"mark_as_processed"}
  proxy | 2024/03/28 15:05:40 [013] 200 http://host.docker.internal:50733/update_jobs/cli/mark_as_processed
updater | 2024/03/28 15:05:40 INFO Finished job processing
  proxy | 2024/03/28 15:05:40 Skipping sending metrics because api endpoint is empty
  proxy | 2024/03/28 15:05:40 0/5 calls cached (0%)

Smallest manifest that reproduces the issue

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>dependabot-example</artifactId>
    <version>1.0-SNAPSHOT</version>

    <dependencies>
        <dependency>
            <groupId>org.apache.sshd</groupId>
            <artifactId>sshd-core</artifactId>
            <version>2.11.0</version>
        </dependency>
    </dependencies>

    <repositories>
        <repository>
            <id>repo.jenkins-ci.org</id>
            <url>https://repo.jenkins-ci.org/releases/</url>
        </repository>
    </repositories>

</project>
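A small Ruby illustration of the two lookup strategies, added here as an example and not taken from Dependabot's code: the maven-metadata.xml documents are constructed, and the version ordering is a simplified stand-in for Maven's ComparableVersion rules. It shows how a first-party repository that only hosts an old fork masks newer upstream releases (and their fixes) when the search stops at the first metadata file, and how merging all repositories restores the result mvn reports.

```ruby
require "rexml/document"
# Constructed maven-metadata.xml samples (illustrative, not real repository listings):
# the first-party repository only hosts an old fork, Maven Central hosts current releases.
REPO_METADATA = {
  "https://repo.jenkins-ci.org/releases/" => <<~XML,
    <?xml version="1.0" encoding="UTF-8"?>
    <metadata>
      <versioning>
        <versions><version>0.11.0-sshd-314-1</version></versions>
      </versioning>
    </metadata>
  XML
  "https://repo1.maven.org/maven2/" => <<~XML,
    <?xml version="1.0" encoding="UTF-8"?>
    <metadata>
      <versioning>
        <versions>
          <version>2.11.0</version><version>2.12.0</version><version>2.12.1</version>
        </versions>
      </versioning>
    </metadata>
  XML
}

def versions_in(xml)
  REXML::Document.new(xml).get_elements("//versioning/versions/version").map(&:text)
end

# Simplified Maven ordering (assumption: enough for the versions on this page, not the full
# rules): split on '.' and '-', numeric segments compare numerically and outrank qualifiers.
def version_key(v)
  v.split(/[.-]/).map { |s| s.match?(/\A\d+\z/) ? [1, s.to_i, ""] : [0, 0, s] }
end

# The behaviour this issue reports: stop at the first repository that serves metadata,
# so the fork's 0.11.0-sshd-314-1 masks every newer upstream release.
def latest_stop_at_first(repos)
  repos.each_value do |xml|
    found = versions_in(xml)
    return found.max_by { |v| version_key(v) } unless found.empty?
  end
  nil
end

# What mvn itself does: consult every repository and merge the version lists.
def latest_across_all(repos)
  repos.values.flat_map { |xml| versions_in(xml) }.uniq.max_by { |v| version_key(v) }
end
```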
@daniel-beck daniel-beck added the T: bug 🐞 Something isn't working label Mar 28, 2024
@github-actions github-actions bot added L: docker Docker containers L: git:submodules Git submodules L: go:modules Golang modules L: java:maven Maven packages via Maven labels Mar 28, 2024