
Maven dependency not being update from a private repo #2291

Closed
andrei-bamboi opened this issue Jul 7, 2020 · 6 comments
Labels
core 🍏 Relates to the dependabot-core library itself F: private-registries 💂‍♂️ Issues about using private registries with Dependabot; may be paired with an R: label. L: java:maven Maven packages via Maven T: bug 🐞 Something isn't working

Comments

@andrei-bamboi

I am using dependabot in Gitlab CICD and configured accordingly with example implementation from dependabot-script. The workflow is for a JAVA Maven project.

I have added the following in generic-update-script.rb regarding access to the Nexus repo.

```ruby
# Credentials entry for the private Nexus Maven repository (the closing brace
# was missing in the pasted snippet; password redacted)
credentials << {
  "type" => "maven_repository",
  "url" => "https://private_repo/nexus3",
  "username" => "nexus_username",
  "password" => "#########"
}
```

The POM has the following :

  • distributionManagement - with repository definitions for releases and snapshots
  • dependencies - with 2 definitions - 1 internal and 1 external.
  • repositories - with 1 repository definition for the private Nexus.

In the current configuration it makes the updates only for public dependencies, but not for private ones.

Does dependabot currently support scanning other repos rather than Maven Central?

@lseppala
Contributor

lseppala commented Dec 7, 2021

It looks like this issue has been open for a while and we’ve made a bunch of improvements to Dependabot since, including better support for private registries. Is this still happening, or has this problem been resolved and can we close this issue?

@lseppala lseppala added F: private-registries 💂‍♂️ Issues about using private registries with Dependabot; may be paired with an R: label. L: java:maven Maven packages via Maven T: bug 🐞 Something isn't working core 🍏 Relates to the dependabot-core library itself labels Dec 7, 2021
@andrei-bamboi
Author

Hey. Can't test at the moment as I don't work on that project anymore, but I will simulate a similar configuration.

@andrcuns
Contributor

I have encountered an issue with private maven repo, where it wouldn't work due to how the repository behaves and how dependabot-core tries to resolve new versions.

For example, the repo https://api.mapbox.com/downloads/v2/releases/maven would not work, because the way new versions are fetched is first by trying to retrieve metadata.xml via what I suspect is a Maven Central-like URL, com/mapbox/search/mapbox-search-android-ui/maven-metadata.xml for example. Mapbox will simply return a 404 error for such a request, which will fail the update process.

I'm not sure if nexus has the same issue, but I would imagine some other repositories might.

@horiaconstantin-cpi

horiaconstantin-cpi commented Jun 16, 2022

@lseppala I'm encountering this issue also. I've got a repo in nexus that doesn't have maven-metadata.xml
This is what I'm seeing in the dependabot logs:

```
updater | INFO <job_393405048> Checking if internal.group.id:internal.artifact.id 4.2-SNAPSHOT needs updating
  proxy | 2022/06/16 14:01:11 [092] GET https://repo.maven.apache.org:443/maven2/internalgroupid/internalartifactid/maven-metadata.xml
  proxy | 2022/06/16 14:01:11 [092] 404 https://repo.maven.apache.org:443/maven2/internalgroupid/internalartifactid/maven-metadata.xml
updater | INFO <job_393405048> Latest version is 
updater | INFO <job_393405048> Requirements to unlock update_not_possible
updater | INFO <job_393405048> Requirements update strategy 
updater | INFO <job_393405048> No update possible for internal.group.id:internal.artifact.id 4.2-SNAPSHOT
```

Any suggestions for a fix or workaround?

@gianielsevier

@lseppala I'm having a similar issue.
I have set up the dependabot.yml on my GitHub repo. The dependabot config has registries pointing to our internal Maven repository, and the updates section has registries pointing to the registry declared.
Looks like the configuration is correct; however, dependabot keeps going to Maven Central instead of my private Maven repo.

This is a snippet of the dependabot.yml:

```yaml
version: 2
registries:
  my-artifactory:
    type: maven-repository
    url: https://my.internal.repo
    username: MY_USER
    password: ${{secrets.MY_SECRET}}
updates:
  - package-ecosystem: "maven"
    directory: "/"
    registries:
      - my-artifactory
    schedule:
      interval: "daily"
```

This is the dependabot log:

```
updater | INFO <job_437815072> Starting job processing
updater | INFO <job_437815072> Starting update job for organization/app-repository
updater | INFO <job_437815072> Checking if my.internal.groupid:internal-artifact 1.0.0 needs updating
  proxy | 2022/08/10 16:36:04 [012] GET https://my.internal.repo:443/artifactory/internal-releases-virtual/my/internal/groupid/internal-artifact/1.0.0/internal-artifact.pom
  proxy | 2022/08/10 16:36:04 [012] * authenticating maven repository request (host: my.internal.repo)
  proxy | 2022/08/10 16:36:24 [014] GET https://repo.maven.apache.org:443/maven2/my/internal/groupid/internal-artifact/1.0.0/internal-artifact.pom
  proxy | 2022/08/10 16:36:24 [014] 404 https://repo.maven.apache.org:443/maven2/my/internal/groupid/internal-artifact/1.0.0/internal-artifact.pom
  proxy | 2022/08/10 16:36:24 [016] GET https://repo.maven.apache.org:443/maven2/my/internal/groupid/internal-artifact/1.0.0/maven-metadata.xml
  proxy | 2022/08/10 16:36:24 [016] 404 https://repo.maven.apache.org:443/maven2/my/internal/groupid/internal-artifact/1.0.0/maven-metadata.xml
updater | INFO <job_437815072> Latest version is 
updater | INFO <job_437815072> Requirements to unlock update_not_possible
updater | INFO <job_437815072> Requirements update strategy 
updater | INFO <job_437815072> No update possible for my.internal.groupid:internal-artifact 1.0.0
```

Is there something I'm missing?
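The two proxy logs above (horiaconstantin-cpi's and gianielsevier's) show the same pattern: a request for an internal groupId goes to repo.maven.apache.org and gets a 404. The following added audit script (not from this thread or from dependabot-core) parses that proxy log format, reports every request for an internal coordinate that left for a host outside the configured private registries, and lists the failed responses; the group prefixes, private hosts and sample log lines are constructed placeholders shaped like the logs quoted here. Beyond confirming misconfiguration, a public registry being asked for an internal coordinate is also the supply-chain pattern worth alerting on.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the Dependabot proxy log quoted above.
SAMPLE_LOG = """\
updater | INFO <job_437815072> Checking if my.internal.groupid:internal-artifact 1.0.0 needs updating
  proxy | 2022/08/10 16:36:04 [012] GET https://my.internal.repo:443/artifactory/internal-releases-virtual/my/internal/groupid/internal-artifact/1.0.0/internal-artifact.pom
  proxy | 2022/08/10 16:36:04 [012] * authenticating maven repository request (host: my.internal.repo)
  proxy | 2022/08/10 16:36:24 [014] GET https://repo.maven.apache.org:443/maven2/my/internal/groupid/internal-artifact/1.0.0/internal-artifact.pom
  proxy | 2022/08/10 16:36:24 [014] 404 https://repo.maven.apache.org:443/maven2/my/internal/groupid/internal-artifact/1.0.0/internal-artifact.pom
  proxy | 2022/08/10 16:36:24 [016] GET https://repo.maven.apache.org:443/maven2/my/internal/groupid/internal-artifact/1.0.0/maven-metadata.xml
  proxy | 2022/08/10 16:36:24 [016] 404 https://repo.maven.apache.org:443/maven2/my/internal/groupid/internal-artifact/1.0.0/maven-metadata.xml
"""

# "proxy | <date> <time> [<id>] GET <url>" or "[<id>] <status> <url>";
# the "* authenticating ..." lines deliberately do not match.
REQ_RE = re.compile(r"proxy \| \S+ \S+ \[(\d+)\] (GET|\d{3}) (\S+)")


def metadata_path(coordinate: str) -> str:
    """Maven repository-layout path of a group:artifact's maven-metadata.xml:
    groupId dots become directories, the artifactId is kept verbatim."""
    group, artifact = coordinate.split(":")
    return f"{group.replace('.', '/')}/{artifact}/maven-metadata.xml"


def audit(log: str, internal_groups, private_hosts):
    """Return (leaks, failures). leaks: URLs of GETs for an internal groupId
    sent to a host not in private_hosts. failures: (status, url) for non-2xx."""
    leaks, failures = [], []
    group_dirs = [f"/{g.replace('.', '/')}/" for g in internal_groups]
    for line in log.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        _rid, verb, url = m.groups()
        host = urlsplit(url).hostname
        internal = any(d in url for d in group_dirs)
        if verb == "GET" and internal and host not in private_hosts:
            leaks.append(url)
        elif verb != "GET" and not verb.startswith("2"):
            failures.append((int(verb), url))
    return leaks, failures


if __name__ == "__main__":
    leaks, failures = audit(SAMPLE_LOG, ["my.internal.groupid"], {"my.internal.repo"})
    for url in leaks:
        print("internal coordinate requested from public host:", url)
    for status, url in failures:
        print(status, url)
```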

@jakecoffman
Member

I've improved private registry support with #5924, #5908, #5907, and #5884.

@gianielsevier has a specific issue open for that case

I'm going to close this out, feel free to open a new issue with details if you're still having problems.

Thanks for your patience!

@jakecoffman jakecoffman self-assigned this Oct 20, 2022