dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot couldn't find a pom.xml #10220

Open tociepka-clgx opened 1 month ago

tociepka-clgx commented 1 month ago

Is there an existing issue for this?

Package ecosystem

maven

Package manager version

3.6.3

Language version

Java 11

Manifest location and content before the Dependabot update

https://github.com/corelogic-private/tax_us-owf-one_workflow/blob/master/pom.xml

dependabot.yml content

https://github.com/corelogic-private/tax_us-owf-one_workflow/blob/master/.github/dependabot.yml

Updated dependency

No response

What you expected to see, versus what you actually saw

I expected dependabot to make a pull request to update vulnerable dependencies, but instead I'm getting a "couldn't find a pom.xml" error. [image]

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

logs:

proxy | 2024/07/16 07:29:40 proxy starting, commit: 55780eab5bb13ade7d1efacb154016772a202172
  proxy | 2024/07/16 07:29:40 Listening (:1080)
updater | 2024-07-16T07:29:41.305297785 [856399951:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2024-07-16T07:29:43Z" level=info msg="guest starting" commit=e9caa1c68212314d445ef091e3048abbb0421056
updater | time="2024-07-16T07:29:43Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=856399951 updater_timeout=45m0s updater_version=0d13810974d0aeba548fa3b0dc1bdc2ca84fa48a-maven
updater | 2024/07/16 07:29:47 INFO <job_856399951> Starting job processing
updater | 2024/07/16 07:29:47 INFO <job_856399951> Job definition: {"job":{"allowed-updates":[{"dependency-type":"direct","update-type":"all"}],"commit-message-options":{"include-scope":null,"prefix":"Dependabot","prefix-development":null},"credentials-metadata":[{"host":"github.com","type":"git_source"}],"debug":null,"dependencies":null,"dependency-group-to-refresh":null,"dependency-groups":[{"name":"spring-dependencies","rules":{"patterns":["org.springframework*"],"update-types":["minor","patch"]}},{"name":"cucumber-dependencies","rules":{"patterns":["io.cucumber*"]}}],"existing-group-pull-requests":[],"existing-pull-requests":[],"experiments":{"dependency-change-validation":true,"globs":true,"proxy-cached":true,"record-ecosystem-versions":true,"record-update-job-unknown-error":true},"ignore-conditions":[{"dependency-name":"org.codehaus.mojo:build-helper-maven-plugin","source":".github/dependabot.yml","update-types":null,"updated-at":"2024-07-16T07:29:39.000Z","version-requirement":"[3.5,)"},{"dependency-name":"org.codehaus.mojo:flatten-maven-plugin","source":".github/dependabot.yml","update-types":null,"updated-at":"2024-07-16T07:29:39.000Z","version-requirement":"[1.6,)"}],"lockfile-only":false,"max-updater-run-time":2700,"package-manager":"maven","proxy-log-response-body-on-auth-failure":true,"reject-external-code":false,"repo-private":true,"requirements-update-strategy":null,"security-advisories":[],"security-updates-only":false,"source":{"api-endpoint":"https://api.github.com/","branch":null,"directory":"/.","hostname":"github.com","provider":"github","repo":"corelogic-private/tax_us-owf-one_workflow"},"update-subdependencies":false,"updating-a-pull-request":false,"vendor-dependencies":false}}
updater | 
  proxy | 2024/07/16 07:29:47 [002] GET https://github.com:443/corelogic-private/tax_us-owf-one_workflow/info/refs?service=git-upload-pack
  proxy | 2024/07/16 07:29:47 [002] * authenticating git server request (host: github.com)
  proxy | 2024/07/16 07:29:47 [002] 200 https://github.com:443/corelogic-private/tax_us-owf-one_workflow/info/refs?service=git-upload-pack
  proxy | 2024/07/16 07:29:47 [004] POST https://github.com:443/corelogic-private/tax_us-owf-one_workflow/git-upload-pack
  proxy | 2024/07/16 07:29:47 [004] * authenticating git server request (host: github.com)
  proxy | 2024/07/16 07:29:47 [004] 200 https://github.com:443/corelogic-private/tax_us-owf-one_workflow/git-upload-pack
  proxy | 2024/07/16 07:29:47 [006] POST https://github.com:443/corelogic-private/tax_us-owf-one_workflow/git-upload-pack
  proxy | 2024/07/16 07:29:47 [006] * authenticating git server request (host: github.com)
  proxy | 2024/07/16 07:29:48 [006] 200 https://github.com:443/corelogic-private/tax_us-owf-one_workflow/git-upload-pack
updater | 2024/07/16 07:29:51 ERROR <job_856399951> Error during file fetching; aborting: /${modulesToBuild}/pom.xml not found
updater | 2024/07/16 07:29:51 INFO <job_856399951> Finished job processing
updater | 2024/07/16 07:29:51 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +---------------------------+
updater | |          Errors           |
updater | +---------------------------+
updater | | dependency_file_not_found |
updater | +---------------------------+
updater | time="2024-07-16T07:29:51Z" level=info msg="task complete" container_id=job-856399951-file-fetcher exit_code=0 job_id=856399951 step=fetcher
updater | time="2024-07-16T07:29:51Z" level=warning msg="failed during fetch, skipping updater" job_id=856399951

Smallest manifest that reproduces the issue

repo

yeikel commented 1 month ago

Unfortunately I cannot reproduce this because I do not have access to that repository. Maybe the dependabot staff can.

In the meantime, if you can create a public reproducer maybe I can take a look

tociepka-clgx commented 1 month ago

Hi @yeikel . I've managed to reproduce the issue on a public repository. I hope it helps!

yeikel commented 1 month ago

> Hi @yeikel . I've managed to reproduce the issue on a public repository. I hope it helps!

Hi @tociepka-clgx

Thank you for trying to set up a reproducer.

Unfortunately, I see a 404 page when I try to navigate to that page. Could you please make it public and/or give me read access?

tociepka-clgx commented 1 month ago

@yeikel

> Hi @yeikel . I've managed to reproduce the issue on a public repository. I hope it helps!
>
> Hi @tociepka-clgx
>
> Thank you for trying to set up a reproducer.
>
> Unfortunately, I see a 404 page when I try to navigate to that page. Could you please make it public and/or give me read access?

I can't find a way to give everyone access to insights/dependabot page so I gave you collaborator rights. Also one can clone this repo to reproduce this issue.

yeikel commented 1 month ago

> @yeikel
>
> Hi @yeikel . I've managed to reproduce the issue on a public repository. I hope it helps!
>
> Hi @tociepka-clgx
>
> Thank you for trying to set up a reproducer.
>
> Unfortunately, I see a 404 page when I try to navigate to that page. Could you please make it public and/or give me read access?
>
> I can't find a way to give everyone access to insights/dependabot page so I gave you collaborator rights. Also one can clone this repo to reproduce this issue.

Oh, I see what my mistake was. Cons of using GitHub mobile :)

I can see the repo but not the dependabot alerts, but that's fine

I'll try to reproduce it and get back to you sometime today

yeikel commented 1 month ago

Apologies for the delay. Based on the logs and looking closely at your pom file, it seems that the issue is this part of your pom:

    <profile>
      <id>customBuild</id>
      <activation>
        <property>
          <name>profile</name>
          <value>customBuild</value>
        </property>
      </activation>
      <modules>
        <module>${modulesToBuild}</module>
      </modules>
    </profile>
  </profiles>

In particular, this part `<module>${modulesToBuild}</module>` is something that dependabot is failing to parse, as that's not a real module.

I am not aware of any workaround right now besides removing that from your pom. I'll look into a fix though.

yeikel commented 1 month ago

https://github.com/tociepka-clgx/dependabot-issue/commit/f2e9e91f7298fa2d0bb926667b49971a9e0c4937 confirmed my suspicions

See: https://github.com/yeikel/dependabot-issue/pulls

tociepka-clgx commented 1 month ago

> tociepka-clgx/dependabot-issue@f2e9e91 confirmed my suspicions
>
> See: https://github.com/yeikel/dependabot-issue/pulls

Thanks for looking into the problem. However, we need this profile for our Jenkins pipelines. I guess the simplest way to fix this problem would be to treat this parsing error as a warning? I don't understand why it is necessary to parse all the profiles anyway.
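The two points above (yeikel's diagnosis that `<module>${modulesToBuild}</module>` is not a real module path, and the request to treat that as a warning rather than a fatal `dependency_file_not_found`) can be illustrated with a small standalone Ruby script. This is an added example, not dependabot-core's own file fetcher: it uses the stdlib REXML parser instead of dependabot's Nokogiri-based code, the function names (`collect_modules`, `interpolate`, `pom_properties`) are hypothetical, and the pom below is a constructed sample shaped like the one in this issue. It walks every `<modules>` block, including those inside `<profiles>`, substitutes `${...}` references that the pom's own `<properties>` define, and records a warning for any entry that stays unresolved instead of aborting the whole run. The practical reason this matters is visible in the logs above: when the fetcher aborts, the updater is skipped entirely, so no security update PRs are produced for the repository at all.

```ruby
require "rexml/document"

# Constructed sample pom.xml (not from the reporter's repository): two real
# modules at project level, plus a profile whose <modules> mixes an undefined
# property (the reported failure) with one that <properties> does define.
SAMPLE_POM = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <project xmlns="http://maven.apache.org/POM/4.0.0">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.example</groupId>
    <artifactId>parent</artifactId>
    <version>1.0.0</version>
    <packaging>pom</packaging>
    <properties>
      <resolvedModule>service-a</resolvedModule>
    </properties>
    <modules>
      <module>service-a</module>
      <module>service-b</module>
    </modules>
    <profiles>
      <profile>
        <id>customBuild</id>
        <modules>
          <module>${modulesToBuild}</module>
          <module>${resolvedModule}</module>
        </modules>
      </profile>
    </profiles>
  </project>
XML

# Matches a Maven property reference such as ${modulesToBuild}.
PLACEHOLDER = /\$\{([^}]+)\}/

# Reads <project><properties> into a Hash of name => value.
# Child elements are walked by name so the default POM namespace is irrelevant.
def pom_properties(doc)
  props = {}
  doc.root.each_element do |child|
    next unless child.name == "properties"
    child.each_element { |p| props[p.name] = p.text.to_s.strip }
  end
  props
end

# Substitutes ${name} references from props; returns nil when any reference
# has no definition, which is the case dependabot currently turns into
# "/${modulesToBuild}/pom.xml not found".
def interpolate(value, props)
  value.gsub(PLACEHOLDER) do |_match|
    name = Regexp.last_match(1)
    return nil unless props.key?(name)
    props[name]
  end
end

# Collects module directories from every <modules> block in the pom
# (project level and inside each <profile>). Unresolvable entries are
# reported as warnings and skipped rather than aborting the fetch.
def collect_modules(pom_xml)
  doc = REXML::Document.new(pom_xml)
  props = pom_properties(doc)
  modules = []
  warnings = []
  doc.root.each_recursive do |el|
    next unless el.name == "module" && el.parent && el.parent.name == "modules"
    raw = el.text.to_s.strip
    resolved = interpolate(raw, props)
    if resolved.nil?
      warnings << "skipping module '#{raw}': unresolved property placeholder"
    else
      modules << resolved
    end
  end
  { modules: modules.uniq, warnings: warnings }
end

if $PROGRAM_NAME == __FILE__
  result = collect_modules(SAMPLE_POM)
  puts "modules to fetch: #{result[:modules].join(', ')}"
  result[:warnings].each { |w| warn "WARN #{w}" }
end
```

Run it directly to see `service-a, service-b` listed as fetchable modules and a single warning for `${modulesToBuild}`. The design choice is that an unresolved placeholder degrades the run (one profile's modules are not scanned) rather than failing it, so the dependencies that are parseable still get update PRs; the warning line gives operators something to alert on, just as the `dependency_file_not_found` summary in the logs above should be alerted on today.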