feat(java): use remote repositories from settings.xml for pom.xml files #7807

Open
DmitriyLewen opened this issue Oct 29, 2024 Discussed in #7175 · 8 comments
Labels: help wanted (Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.), kind/feature (Categorizes issue or PR as related to a new feature.)

Comments

@DmitriyLewen (Contributor)

Description

We currently get repositories from pom.xml files + Maven Central:

```go
// Update remoteRepositories
pomReleaseRemoteRepos, pomSnapshotRemoteRepos := pom.repositories(p.servers)
p.releaseRemoteRepos = lo.Uniq(append(pomReleaseRemoteRepos, p.releaseRemoteRepos...))
p.snapshotRemoteRepos = lo.Uniq(append(pomSnapshotRemoteRepos, p.snapshotRemoteRepos...))
```

But the settings.xml file may also contain remote repositories.
We need to add logic to get repositories from this file.
See more details in #7175.

@DmitriyLewen added the kind/feature and help wanted labels on Oct 29, 2024

@arkajnag23

I am not sure if this query of mine is related or not, but I find myself stuck in a situation where I need some support from Trivy to scan the desired repository.
I am running a multi-module Maven project in Jenkins as CI/CD;
I have two sequential processes: mvn deploy and, in the next stage, the Trivy CLI command.
What I am noticing is that, when searching for dependencies, instead of pointing to the local repository, Trivy is trying to fetch from the Central Maven repository.

```
2024-12-02T10:17:58+01:00	DEBUG	[pom] Resolving...	group_id="com.hub" artifact_id="ehub-analytics-gar" version="2.3.12"
2024-12-02T10:17:58+01:00	DEBUG	[pom] Failed to fetch	url="https://repo.maven.apache.org/maven2/com/lawson/eventhub/ehub-analytics-gar/2.3.12/ehub-analytics-gar-2.3.12.pom" statusCode=404
```

I am running a Jenkins pipeline script with a withMaven block providing the settings id as a parameter, but those settings are ignored by Trivy.

@DmitriyLewen (Contributor, Author)

Hello @arkajnag23,
Hmm... Trivy checks the local repository first.
Do you use the default repository (~/.m2/repository)?

@arkajnag23

@DmitriyLewen our pipeline creates a temp settings file and a temp repository when running the builds as its EC2 instances, hence I am looking for an option of providing Maven settings is

@DmitriyLewen (Contributor, Author)

> our pipeline creates a temp settings file

This may be the reason why Trivy doesn't detect the settings file.
Trivy checks the $HOME/.m2/settings.xml, /usr/share/maven/conf/settings.xml and $MAVEN_HOME/conf/settings.xml files.

Without information about the local repository, Trivy gets POMs from Maven Central.

@arkajnag23

@DmitriyLewen is there any way we can set the settings file path?

@DmitriyLewen (Contributor, Author)

Unfortunately, at the moment Trivy doesn't have such functionality.
Create a new discussion about it. If this functionality is in demand among users, we will think about how to add it.

As a workaround, you can change $MAVEN_HOME at the time of the Trivy launch.

@malmor

malmor commented Dec 13, 2024

Hello @DmitriyLewen, as discussed in #7175 (reply in thread), I did some experiments regarding the different priorities when Maven downloads packages.

Here are the results:

Test cases and results

| Test case | Resolution order |
| --- | --- |
| Default | From central (https://repo.maven.apache.org/maven2) |
| --- | --- |
| Single repo in pom | From custom repo, then central |
| Multiple repos in pom | From custom repos in the order of definition (first to last), then central |
| --- | --- |
| Single repo in settings | From custom repo, then central |
| Multiple repos in settings | From custom repos in reversed order of profile definition (last to first), then central |
| Single private repo in settings | From custom repo with auth, then central |
| --- | --- |
| Single repo in pom, single repo in settings | From custom repo in settings, then custom repo in pom, then central |
| Multiple repos in pom, multiple repos in settings | From custom repos in settings in reversed order, then custom repos in pom in order of definition, then central |
| --- | --- |
| Mirror for '*' | From mirror |
| Mirror for '*', single repo in pom | From mirror |
| Mirror for '*', single repo in settings | From mirror |
| --- | --- |
| Mirror for 'central' | From mirror |
| Mirror for 'central', single repo in pom | From custom repo, then mirror |
| Mirror for 'central', single repo in settings | From custom repo, then mirror |

Hope this helps!

Kind regards, Malte
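As an added example (not code from Trivy or from anyone in this thread), the Go sketch below reads repositories and mirrors from a constructed settings.xml, which is what the issue description asks for, and orders them the way the table above describes. The `settings` struct models only an assumed subset of the real schema, and keeping definition order within a single profile is an assumption.

```go
package main
import (
	"encoding/xml"
	"fmt"
)
type settings struct { // models only the settings.xml elements this example reads (an assumed subset of the real schema)
	Profiles []struct {
		ID   string   `xml:"id"`
		URLs []string `xml:"repositories>repository>url"`
	} `xml:"profiles>profile"`
	ActiveProfiles []string `xml:"activeProfiles>activeProfile"`
	Mirrors        []struct {
		MirrorOf string `xml:"mirrorOf"`
		URL      string `xml:"url"`
	} `xml:"mirrors>mirror"`
}
// resolutionOrder lists repository URLs in the order the table above describes (within-profile order is an assumption).
func resolutionOrder(settingsXML string, pomRepos []string) ([]string, error) {
	var s settings
	if err := xml.Unmarshal([]byte(settingsXML), &s); err != nil {
		return nil, err
	}
	active := map[string]bool{}
	for _, id := range s.ActiveProfiles {
		active[id] = true
	}
	var order []string
	for i := len(s.Profiles) - 1; i >= 0; i-- { // active settings profiles, last to first
		if active[s.Profiles[i].ID] {
			order = append(order, s.Profiles[i].URLs...)
		}
	}
	order = append(order, pomRepos...) // then pom repos in definition order
	centralURL := "https://repo.maven.apache.org/maven2"
	for _, m := range s.Mirrors {
		switch m.MirrorOf {
		case "*": // a catch-all mirror replaces every repository
			return []string{m.URL}, nil
		case "central": // a central-only mirror replaces just central
			centralURL = m.URL
		}
	}
	return append(order, centralURL), nil // central is always the last fallback
}
const sampleSettings = `<settings><profiles><profile><id>a</id><repositories><repository><url>https://repo-a.example/m2</url></repository></repositories></profile>
<profile><id>b</id><repositories><repository><url>https://repo-b.example/m2</url></repository></repositories></profile></profiles>
<activeProfiles><activeProfile>a</activeProfile><activeProfile>b</activeProfile></activeProfiles></settings>` // constructed sample: two active profiles, one repository each, no mirror
func main() {
	order, err := resolutionOrder(sampleSettings, []string{"https://pom-repo.example/m2"})
	fmt.Println(order, err)
}
```

Running it prints repo-b, repo-a, the pom repository and finally central, matching the "multiple repos in settings, repo in pom" rows of the table.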

@DmitriyLewen (Contributor, Author)

@malmor Thanks!
I'll get to it when I have time.
