
@DmitriyLewen (Contributor) commented Oct 24, 2025

Description

This PR enhances the Maven POM parser to properly handle repository definitions from Maven settings.xml files, implementing the correct repository resolution order according to Maven specifications. The changes introduce support for profiles and repositories defined in both user-level and global settings files, with proper credential handling and repository prioritization.

Key changes include:

  • Added repository parsing from Maven settings.xml profiles
  • Implemented proper repository resolution order (settings → pom → default)
  • Refactored repository handling with a new unified repository struct
  • Added support for profile activation (activeByDefault and activeProfiles)
  • Fixed repository ordering to match Maven's behavior (reverse order for settings)

Reasons for Change

  1. Maven Compliance: Maven has a specific repository resolution order that wasn't being followed, causing dependency resolution issues when custom repositories were defined in settings.xml
  2. Settings.xml Support: The parser previously only supported repositories defined directly in POM files, ignoring the common practice of defining organizational repositories in Maven settings
  3. Profile Support: Maven profiles in settings.xml allow conditional repository activation, which is essential for enterprise environments with different deployment contexts
  4. Repository Prioritization: Proper implementation of Maven's repository search order ensures dependencies are resolved from the correct sources, improving security and reliability

Nuances

  • Repository Order: Settings repositories are processed in reverse order to match Maven's behavior, ensuring the correct precedence when multiple repositories contain the same artifact
  • Credential Integration: Server credentials from settings.xml are properly mapped to repository URLs using server ID matching
  • Profile Activation: Both activeByDefault and explicit activeProfiles are supported, with deduplication of repositories by ID to prevent conflicts
  • Backward Compatibility: Changes maintain full backward compatibility with existing POM-only repository definitions while extending functionality
  • Test Coverage: Comprehensive test suite added including repository order verification, credential handling, and profile activation scenarios

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options).
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
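The resolution order the description above lays out (repositories of active settings profiles in reverse order, then the pom's repositories, then the default, deduplicated by id, with server credentials attached by matching server id, and profiles activated by activeByDefault or activeProfiles), as an added Go illustration. This is not Trivy's code and not the PR's: the Settings/Server/Profile/Repository types, the parseSettings, activeRepositories and effectiveRepositories functions, the settings.xml sample, the example.com URLs and the placeholder credentials are all constructed for this example; only the standard Maven settings.xml element names are real.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"slices"
)

type Settings struct { // minimal example types for settings.xml, not Trivy's own
	Servers        []Server  `xml:"servers>server"`
	Profiles       []Profile `xml:"profiles>profile"`
	ActiveProfiles []string  `xml:"activeProfiles>activeProfile"`
}
type Server struct {
	ID       string `xml:"id"`
	Username string `xml:"username"`
	Password string `xml:"password"`
}
type Profile struct {
	ID              string       `xml:"id"`
	ActiveByDefault bool         `xml:"activation>activeByDefault"`
	Repositories    []Repository `xml:"repositories>repository"`
}
type Repository struct {
	ID       string `xml:"id"`
	URL      string `xml:"url"`
	Username string `xml:"-"` // filled from the <server> whose id matches
	Password string `xml:"-"`
}

// settingsXML is a constructed sample, not a fixture from the PR.
const settingsXML = `<settings>
 <servers><server><id>corp-releases</id><username>ci</username><password>placeholder</password></server></servers>
 <profiles>
  <profile><id>corp</id><activation><activeByDefault>true</activeByDefault></activation><repositories>
   <repository><id>corp-releases</id><url>https://repo.example.com/releases</url></repository>
   <repository><id>corp-snapshots</id><url>https://repo.example.com/snapshots</url></repository>
  </repositories></profile>
  <profile><id>extra</id><repositories>
   <repository><id>extra-repo</id><url>https://extra.example.com/maven2</url></repository>
  </repositories></profile>
 </profiles>
 <activeProfiles><activeProfile>extra</activeProfile></activeProfiles>
</settings>`

var pomRepos = []Repository{ // constructed stand-ins for repositories declared in pom.xml
	{ID: "pom-repo", URL: "https://pom.example.com/maven2"},
	{ID: "corp-releases", URL: "https://other.example.com/releases"}, // same id as a settings repo
}
var defaultRepo = Repository{ID: "central", URL: "https://repo.maven.apache.org/maven2"}

func parseSettings(data string) (Settings, error) {
	var s Settings
	err := xml.Unmarshal([]byte(data), &s)
	return s, err
}

// activeRepositories returns repositories of profiles that are activeByDefault or
// listed in activeProfiles, in document order, with matching server credentials.
func (s Settings) activeRepositories() []Repository {
	var repos []Repository
	for _, p := range s.Profiles {
		if !p.ActiveByDefault && !slices.Contains(s.ActiveProfiles, p.ID) {
			continue // inactive profile: its repositories are ignored
		}
		for _, r := range p.Repositories {
			if i := slices.IndexFunc(s.Servers, func(v Server) bool { return v.ID == r.ID }); i >= 0 {
				r.Username, r.Password = s.Servers[i].Username, s.Servers[i].Password
			}
			repos = append(repos, r)
		}
	}
	return repos
}

// effectiveRepositories applies the order the PR describes: settings repositories
// reversed, then pom repositories, then the default; later duplicates by id are dropped.
func effectiveRepositories(settingsRepos, pomRepos []Repository, defaultRepo Repository) []Repository {
	ordered := slices.Clone(settingsRepos)
	slices.Reverse(ordered)
	ordered = append(append(ordered, pomRepos...), defaultRepo)
	var out []Repository
	for _, r := range ordered {
		if !slices.ContainsFunc(out, func(o Repository) bool { return o.ID == r.ID }) {
			out = append(out, r) // first occurrence wins
		}
	}
	return out
}

func main() {
	s, err := parseSettings(settingsXML)
	if err != nil {
		panic(err)
	}
	for _, r := range effectiveRepositories(s.activeRepositories(), pomRepos, defaultRepo) {
		fmt.Printf("%-15s %s user=%q\n", r.ID, r.URL, r.Username)
	}
}
```

Running it prints extra-repo, corp-snapshots, corp-releases, pom-repo and central in that order; the pom's second corp-releases entry is dropped because the settings entry with the same id comes first, and only the settings entry carries the server credentials. The password is kept in the struct for the download step but deliberately not printed, since credentials taken from settings.xml should stay out of logs.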

@DmitriyLewen DmitriyLewen self-assigned this Oct 24, 2025
@DmitriyLewen (Contributor, Author) commented

Hello @ricardo-kh,
I’ve finished updating my vision for these changes.
Thank you so much for your work — it really helped and made adding these changes much simpler for me.

It would be great if you have some time to check and test the updates.

@github-actions github-actions bot added the apidiff Indicates Go API changes relevant to library consumers (CLI compatibility may be unaffected) label Oct 24, 2025
github-actions bot commented Oct 24, 2025

📊 API Changes Detected

Semver impact: major

github.com/aquasecurity/trivy/pkg/dependency/parser/java/pom
  Incompatible changes:
  - WithReleaseRemoteRepos: removed
  - WithSnapshotRemoteRepos: removed
  Compatible changes:
  - Profile: added
  - WithDefaultRepo: added
  - WithSettingsRepos: added

@aqua-bot aqua-bot requested a review from a team October 24, 2025 10:58
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR implements support for Maven repository definitions from settings.xml files, following Maven's repository resolution order. The changes enable proper handling of profiles and repositories defined in user-level and global settings files, with credential integration and correct repository prioritization.

Key changes:

  • Added repository parsing from Maven settings.xml profiles with support for activeByDefault and activeProfiles activation
  • Implemented Maven-compliant repository resolution order (settings → pom → default) with reverse ordering for settings repositories
  • Refactored repository handling to use a unified repository struct with type-safe handling of release/snapshot enablement

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

Summary per file:
  pkg/dependency/parser/java/pom/settings.xml (user): Adds test profile with repository definitions and activation settings
  pkg/dependency/parser/java/pom/settings.xml (env placeholders): Adds test profile with environment variable placeholders for repository configuration
  pkg/dependency/parser/java/pom/settings.xml (global): Adds multiple test profiles with repository definitions including activeByDefault profile
  pkg/dependency/parser/java/pom/example-api-1.7.30.pom: New test fixture POM for validating repository resolution from settings
  pkg/dependency/parser/java/pom/settings_test.go: Adds comprehensive tests for settings parsing and effective repository resolution
  pkg/dependency/parser/java/pom/settings.go: Implements effectiveRepositories method and profile/repository merging logic
  pkg/dependency/parser/java/pom/repository.go: New file extracting repository resolution logic into unified structure
  pkg/dependency/parser/java/pom/pom.go: Refactors repository handling to use new unified repository struct
  pkg/dependency/parser/java/pom/parse_test.go: Adds test for multiple repository usage with settings repositories
  pkg/dependency/parser/java/pom/parse.go: Updates Parser to use repositories struct and implement correct resolution order


Co-authored-by: Copilot <[email protected]>
Successfully merging this pull request may close these issues.

feat(java): use remote repositories from settings.xml for pom.xml files

1 participant