wemake-services / kira-dependencies

🐿 Kira's micro-bot to update project dependencies
https://dependabot.com
MIT License
102 stars 19 forks

Authentication maven private repo #55

Open dperepust opened 5 years ago

dperepust commented 5 years ago

Hello. dependabot can read from a private mvn repo (we use artifactory).
We tried to configure it via the DEPENDABOT_EXTRA_CREDENTIALS parameter, like `[{"type":"mvn","username":"xxxx","password":"xxxxxx","registry":"xxxxxxx"}]` and `[{"type":"mvn","token":"xxxxx","registry":"xxxx"}]`

But without result.

Error in console:

    dependencies-bot/vendor/ruby/2.6.0/gems/dependabot-maven-0.108.25/lib/dependabot/maven/update_checker/version_finder.rb:62:in `versions': The following source could not be reached as it requires authentication (and any provided details were invalid or lacked the required permissions): https://xxxx.xxx.xxxx/artifactory/xxxxxxx-release (Dependabot::PrivateSourceAuthenticationFailure)
        from /home/gitlab-runner/builds/xxxxxx/0/xxxxxx/dependencies-bot/vendor/ruby/2.6.0/gems/dependabot-maven-0.108.25/lib/dependabot/maven/update_checker/version_finder.rb:27:in `latest_version_details'
        from /home/gitlab-runner/builds/xxxxxx/0/xxxxxxx/dependencies-bot/vendor/ruby/2.6.0/gems/dependabot-maven-0.108.25/lib/dependabot/maven/update_checker.rb:105:in `latest_version_details'
        from /home/gitlab-runner/builds/xxxxx/0/xxxxx/dependencies-bot/vendor/ruby/2.6.0/gems/dependabot-maven-0.108.25/lib/dependabot/maven/update_checker.rb:15:in `latest_version'
        from /home/gitlab-runner/builds/xxxxxx/0/xxxxxx/dependencies-bot/vendor/ruby/2.6.0/gems/dependabot-common-0.108.25/lib/dependabot/update_checkers/base.rb:198:in `numeric_version_up_to_date?'
        from /home/gitlab-runner/builds/xxxx/0/x/dependxxxxencies-bot/vendor/ruby/2.6.0/gems/dependabot-maven-0.108.25/lib/dependabot/maven/update_checker.rb:89:in `numeric_version_up_to_date?'
        from /home/gitlab-runner/builds/xxxxx/0/x/dependxxxencies-bot/vendor/ruby/2.6.0/gems/dependabot-common-0.108.25/lib/dependabot/update_checkers/base.rb:155:in `version_up_to_date?'
        from /home/gitlab-runner/builds/xxxx/0/xxxxx/dependencies-bot/vendor/ruby/2.6.0/gems/dependabot-common-0.108.25/lib/dependabot/update_checkers/base.rb:27:in `up_to_date?'
        from ./update.rb:102:in `block in <main>'
        from ./update.rb:91:in `each'
        from ./update.rb:91:in `'
    Fetching maven dependency files for xxxxt/xxxxx

Token and login/password worked (tested with curl). Can we use kira to resolve dependencies from a private maven repo (artifactory)?

sobolevn commented 5 years ago

Can you try to set `type` to `maven_repository`? https://github.com/dependabot/dependabot-core/blob/master/maven/lib/dependabot/maven/update_checker/version_finder.rb#L214

dperepust commented 5 years ago

After changing to `maven_repository` I catch the error:

    dependencies-bot/vendor/ruby/2.6.0/gems/dependabot-maven-0.108.25/lib/dependabot/maven/update_checker/version_finder.rb:217:in `fetch': key not found: "url"

Then I added `"url":"https://xxxxxxx.xx/api"` and `"url":"https://xxxxx.xxxx"` to the JSON, but I still catch the error:

    /home/gitlab-runner/builds/xxxxx/0/xxxxxx/dependencies-bot/vendor/ruby/2.6.0/gems/dependabot-maven-0.108.25/lib/dependabot/maven/update_checker/version_finder.rb:62:in `versions': The following source could not be reached as it requires authentication (and any provided details were invalid or lacked the required permissions): https://xxxxxxx.xxx/artifactory/hyperjet-release (Dependabot::PrivateSourceAuthenticationFailure)

After searching in the source code I found in

https://github.com/dependabot/dependabot-core/blob/master/maven/lib/dependabot/maven/metadata_finder.rb

    require "base64"

    # cred is one entry of the credentials array (username/password form)
    token = cred.fetch("username") + ":" + cred.fetch("password")
    encoded_token = Base64.encode64(token).delete("\n")
    { "Authorization" => "Basic #{encoded_token}" }

As I understand it, to access the maven repo dependabot tries to use the request header
`"Authorization" => "Basic #{encoded_token}"`

But in the artifactory docs https://www.jfrog.com/confluence/display/RTF/Artifactory+REST+API, using a token should be
`curl -H "Authorization: Bearer " -X PUT` (without user) and `curl -u myUser: -X PUT` (without the Authorization header).
Sorry, maybe I am wrong.
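The following is an added example (not code from this issue or from dependabot-core) that models how the two errors in this thread arise from the credential entry: only `maven_repository` entries are considered, each such entry must carry a `url` (otherwise `fetch` raises `KeyError: key not found: "url"`), and a username/password pair is turned into an HTTP Basic header exactly like the snippet quoted above. The `Bearer` branch and the prefix match between the credential `url` and the repository URL are assumptions of this example, not dependabot-core behaviour.

```ruby
require "base64"
require "json"

# Build the Authorization header for one credential entry.
# username/password -> HTTP Basic (same as the dependabot-maven snippet above).
# token -> Bearer (assumption: shows the Artifactory-style alternative, not a
# branch claimed to exist upstream). Anything else -> no header (unauthenticated).
def auth_header_for(cred)
  if cred["username"] && cred["password"]
    pair = "#{cred["username"]}:#{cred["password"]}"
    # strict_encode64 never inserts newlines, so no .delete("\n") is needed
    { "Authorization" => "Basic #{Base64.strict_encode64(pair)}" }
  elsif cred["token"]
    { "Authorization" => "Bearer #{cred["token"]}" }
  end
end

# Pick the entries that apply to a repository URL.
# Entries whose type is not "maven_repository" (e.g. "mvn") are ignored, which
# leaves the request unauthenticated: that is the first error in the thread.
# A "maven_repository" entry without "url" raises KeyError: the second error.
# Matching by URL prefix is an assumption of this example.
def credentials_for(extra_credentials_json, repo_url)
  JSON.parse(extra_credentials_json)
      .select { |c| c["type"] == "maven_repository" }
      .select { |c| repo_url.start_with?(c.fetch("url")) }
end

# Constructed sample input, shaped like DEPENDABOT_EXTRA_CREDENTIALS.
SAMPLE_CREDENTIALS = JSON.generate([
  { "type" => "mvn", "username" => "ignored", "password" => "ignored",
    "registry" => "repo.example.test" },
  { "type" => "maven_repository", "url" => "https://repo.example.test/artifactory/libs-release",
    "username" => "u", "password" => "p" }
])

# Resolve the header that would be sent for a repository URL, or nil if none applies.
def header_for_repo(extra_credentials_json, repo_url)
  cred = credentials_for(extra_credentials_json, repo_url).first
  cred && auth_header_for(cred)
end

if __FILE__ == $PROGRAM_NAME
  url = "https://repo.example.test/artifactory/libs-release"
  # Avoid printing the header value itself: it contains the credential.
  puts "header present for #{url}: #{!header_for_repo(SAMPLE_CREDENTIALS, url).nil?}"
end
```

The credential `url` has to correspond to the repository URL dependabot reports in the `PrivateSourceAuthenticationFailure` message; a `url` pointing elsewhere (such as an `/api` endpoint) selects nothing and the request goes out without a header.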

dperepust commented 5 years ago

Maybe you have an example of how to access a private maven repo (artifactory)? Thanks