Do not include invalid transitive repositories (#11357)

For build POMs, the repositories are validated and cannot contain uninterpolated expressions.
We need to ignore repositories containing such invalid URLs from dependencies.
Fixes #11356

Author: gnodet

impl/maven-impl/src/main/java/org/apache/maven/impl/model/DefaultModelBuilder.java

@@ -549,6 +549,10 @@ public void mergeRepositories(Model model, boolean replace) {
                     request,
                     this);
             List<RemoteRepository> repos = interpolatedModel.getRepositories().stream()
+                    // filter out transitive invalid repositories
+                    // this should be safe because invalid repo coming from build POMs
+                    // have been rejected earlier during validation
+                    .filter(repo -> repo.getUrl() != null && !repo.getUrl().contains("${"))
                     .map(session::createRemoteRepository)
                     .toList();
             if (replace) {

impl/maven-impl/src/test/java/org/apache/maven/impl/model/DefaultModelBuilderTest.java

@@ -114,14 +114,12 @@ public void testMergeRepositories() throws Exception {
 
         // after merge
         repositories = (List<RemoteRepository>) repositoriesField.get(state);
-        assertEquals(4, repositories.size());
+        assertEquals(3, repositories.size());
         assertEquals("first", repositories.get(0).getId());
         assertEquals("https://some.repo", repositories.get(0).getUrl()); // interpolated (user properties)
-        assertEquals("second", repositories.get(1).getId());
-        assertEquals("${secondParentRepo}", repositories.get(1).getUrl()); // un-interpolated (no source)
-        assertEquals("third", repositories.get(2).getId());
-        assertEquals("https://third.repo", repositories.get(2).getUrl()); // interpolated (own model properties)
-        assertEquals("central", repositories.get(3).getId()); // default
+        assertEquals("third", repositories.get(1).getId());
+        assertEquals("https://third.repo", repositories.get(1).getUrl()); // interpolated (own model properties)
+        assertEquals("central", repositories.get(2).getId()); // default
     }
 
     @Test

its/core-it-suite/src/test/java/org/apache/maven/it/MavenITgh11356InvalidTransitiveRepositoryTest.java

@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.maven.it;
+
+import java.io.File;
+import org.junit.jupiter.api.Test;
+
+/**
+ * This is a test set for <a href="https://github.com/apache/maven/issues/11356">GH-11356</a>.
+ * Verify that Maven properly builds projects with a dependency that defines invalid repositories.
+ *
+ * @since 4.0.0
+ */
+public class MavenITgh11356InvalidTransitiveRepositoryTest extends AbstractMavenIntegrationTestCase {
+
+    @Test
+    public void testInvalidTransitiveRepository() throws Exception {
+        File testDir = extractResources("/gh-11356-invalid-transitive-repository");
+
+        // First, verify that normal build works from the actual root
+        Verifier verifier = newVerifier(testDir.getAbsolutePath());
+        verifier.addCliArgument("compile");
+        verifier.execute();
+        verifier.verifyErrorFreeLog();
+    }
+}

its/core-it-suite/src/test/resources/gh-11356-invalid-transitive-repository/pom.xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.1.0" root="true">
+
+    <groupId>org.apache.maven.reproducer</groupId>
+    <artifactId>reproducer-debezium</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <packaging>jar</packaging>
+
+    <properties>
+        <maven.compiler.source>11</maven.compiler.source>
+        <maven.compiler.target>11</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <debezium-version>3.3.1.Final</debezium-version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.debezium</groupId>
+            <artifactId>debezium-connector-db2</artifactId>
+            <version>${debezium-version}</version>
+        </dependency>
+    </dependencies>
+</project>