
bug(java): pom parser reuses remote repositories across sibling dependencies

Open DmitriyLewen opened this issue 2 months ago • 0 comments

Summary

When scanning Maven projects, Trivy’s Java POM parser persists remote repositories discovered while parsing one dependency and then reuses them for other, sibling dependencies. As a result, the repository from the first parsed dependency can be incorrectly applied to subsequent dependencies that declare different repositories.

This appears to come from saving repositories globally in the parser, rather than scoping them to the dependency being resolved. See code around these lines: https://github.com/aquasecurity/trivy/blob/eff52eb2e60a700d831cbc3d260217162b38e45c/pkg/dependency/parser/java/pom/parse.go#L377-L379

Reproduction

Consider a multi-module project or a root POM A with two direct dependencies B and C, each hosted on different remote repositories:

A -> B  (available only in remote repo1)
A -> C  (available only in remote repo2)

What happens

  1. Trivy parses dependency B first and records repo1.
  2. When Trivy proceeds to dependency C, it still uses repo1 (saved from B) to resolve C.
  3. This leads to incorrect repository selection for C (and potentially resolution failures or wrong results).
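To make the scoping problem concrete, here is a small added Go example that is not Trivy's code: it models the leaky pattern the report describes (repositories found while parsing B are stored on the parser and applied to C) next to the corrected shape, where the repository list is rebuilt for each dependency. The `Dependency` type, the `hostedAt` index and the repo1/repo2 URLs are constructed stand-ins for the A -> B / A -> C case above, not values from the project.

```go
package main

import "fmt"

// Dependency is a constructed stand-in for one direct dependency of the root
// POM, carrying the remote repositories its own POM declares. These types are
// hypothetical and are not Trivy's.
type Dependency struct {
	Name  string
	Repos []string
}

// hostedAt is constructed sample data mirroring the report: B is published
// only in repo1, C only in repo2.
var hostedAt = map[string]string{
	"B": "https://repo1.example/maven2",
	"C": "https://repo2.example/maven2",
}

// lookup returns the first repository in repos that hosts name, or "" when
// none does (a resolution failure).
func lookup(name string, repos []string) string {
	for _, r := range repos {
		if hostedAt[name] == r {
			return r
		}
	}
	return ""
}

// leakyParser models the pattern the issue describes: the repositories found
// while parsing the first dependency are stored on the parser and reused for
// every sibling, so C is resolved against B's repository.
type leakyParser struct {
	remoteRepos []string
}

func (p *leakyParser) Resolve(deps []Dependency) map[string]string {
	out := make(map[string]string, len(deps))
	for _, d := range deps {
		if p.remoteRepos == nil {
			p.remoteRepos = d.Repos // saved once, then applied to all siblings
		}
		out[d.Name] = lookup(d.Name, p.remoteRepos)
	}
	return out
}

// ResolveScoped is the corrected shape: the repository list is built per
// dependency from the project-level repositories plus that dependency's own,
// and the shared base slice is copied so resolving one dependency can never
// change the list seen by the next.
func ResolveScoped(projectRepos []string, deps []Dependency) map[string]string {
	out := make(map[string]string, len(deps))
	for _, d := range deps {
		repos := make([]string, 0, len(projectRepos)+len(d.Repos))
		repos = append(repos, projectRepos...)
		repos = append(repos, d.Repos...)
		out[d.Name] = lookup(d.Name, repos)
	}
	return out
}

// SampleDeps returns the constructed A -> B, A -> C case from the report.
func SampleDeps() []Dependency {
	return []Dependency{
		{Name: "B", Repos: []string{"https://repo1.example/maven2"}},
		{Name: "C", Repos: []string{"https://repo2.example/maven2"}},
	}
}

func main() {
	leaky := &leakyParser{}
	fmt.Println("leaky :", leaky.Resolve(SampleDeps()))      // C resolves to "" (failure)
	fmt.Println("scoped:", ResolveScoped(nil, SampleDeps())) // B -> repo1, C -> repo2
}
```

In the leaky variant C is never looked up in repo2, so the run ends in a resolution failure for C; if repo1 happened to serve an artifact under C's coordinates, the result would instead be silently wrong, which is the supply-chain risk behind "wrong results" in the report. Copying the base slice before appending is the detail that matters in Go: appending to a shared slice can alias the backing array between iterations, which is one easy way for per-dependency state to leak.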

New test case - https://github.com/DmitriyLewen/trivy/blob/84a0ffb4a41cac870481409d5f3dc2fa3022adc4/pkg/dependency/parser/java/pom/parse_private_test.go

DmitriyLewen, Nov 04 '25 12:11