Don't hardcode maven central as the artifact repository to use

src/main/java/org/openrewrite/java/dependencies/DependencyVulnerabilityCheck.java

@@ -106,8 +106,26 @@ public static class Accumulator {
         final org.openrewrite.java.dependencies.UpgradeDependencyVersion.Accumulator dependencyAcc;
         final AddManagedDependency.Scanned transitiveAcc;
 
+
         Map<String, Vulnerabilities> projectToVulnerabilities = new LinkedHashMap<>();
 
+        public void repositoriesFrom(SourceFile s) {
+            s.getMarkers().findFirst(MavenResolutionResult.class)
+                    .ifPresent(mrr -> repositories.addAll(mrr.getPom().getRepositories()));
+            s.getMarkers().findFirst(GradleProject.class)
+                    .ifPresent(gradleProject -> repositories.addAll(gradleProject.getMavenRepositories()));
+        }
+
+        private Set<MavenRepository> repositories = new LinkedHashSet<>();
+        @Nullable
+        private List<MavenRepository> allRepositories = null;
+        public List<MavenRepository> getRepositories() {
+            if (allRepositories == null) {
+                allRepositories = new ArrayList<>(repositories);
+            }
+            return allRepositories;
+        }
+
         @Nullable
         private Map<ResolvedGroupArtifactVersion, Set<MinimumDepthVulnerability>> upgradeableVulnerabilities = null;
 
@@ -181,9 +199,10 @@ public TreeVisitor<?, ExecutionContext> getScanner(Accumulator acc) {
         return new TreeVisitor<Tree, ExecutionContext>() {
             @Override
             public @Nullable Tree visit(@Nullable Tree tree, ExecutionContext ctx) {
-                if (tree == null) {
-                    return null;
+                if (!(tree instanceof SourceFile)) {
+                    return tree;
                 }
+                acc.repositoriesFrom((SourceFile) tree);
                 scanMaven(acc.getDb(), acc.getProjectToVulnerabilities(), acc.getScope()).visitNonNull(tree, ctx);
                 scanGradleGroovy(acc.getDb(), acc.getProjectToVulnerabilities(), acc.getScope()).visitNonNull(tree, ctx);
                 new org.openrewrite.java.dependencies.UpgradeDependencyVersion("", "", "", null, null, null)
@@ -239,7 +258,7 @@ public TreeVisitor<?, ExecutionContext> getVisitor(Accumulator acc) {
                 for (Map.Entry<ResolvedGroupArtifactVersion, Set<MinimumDepthVulnerability>> gavToUpgradeableVulnerabilities : upgradeableVulnerabilities.entrySet()) {
                     ResolvedGroupArtifactVersion gav = gavToUpgradeableVulnerabilities.getKey();
                     Set<MinimumDepthVulnerability> vulnerabilities = gavToUpgradeableVulnerabilities.getValue();
-                    String versionToRequest = versionToRequest(vulnerabilities, Collections.singletonList(MavenRepository.MAVEN_CENTRAL), ctx);
+                    String versionToRequest = versionToRequest(vulnerabilities, acc.getRepositories(), ctx);
                     Tree t2 = new UpgradeDependencyVersion(gav.getGroupId(), gav.getArtifactId(), versionToRequest, null, overrideTransitive, null)
                             .getVisitor(acc.getDependencyAcc())
                             .visitNonNull(t, ctx);

src/test/java/org/openrewrite/java/dependencies/DependencyVulnerabilityCheckTest.java

@@ -173,7 +173,7 @@ void mavenTransitive() {
                     <dependency>
                       <groupId>com.fasterxml.jackson.core</groupId>
                       <artifactId>jackson-databind</artifactId>
-                      <version>2.12.7.1</version>
+                      <version>2.12.7.2</version>
                     </dependency>
                   </dependencies>
                 </dependencyManagement>
@@ -234,7 +234,7 @@ void maven() {
                   <dependency>
                     <groupId>org.apache.logging.log4j</groupId>
                     <artifactId>log4j</artifactId>
-                    <version>2.13.2</version>
+                    <version>2.13.3</version>
                   </dependency>
                 </dependencies>
               </project>
@@ -325,7 +325,7 @@ void mavenJacksonMajorMinorPatch() {
                   <dependency>
                     <groupId>com.fasterxml.jackson.core</groupId>
                     <artifactId>jackson-databind</artifactId>
-                    <version>2.13.4.2</version>
+                    <version>2.13.5</version>
                   </dependency>
                 </dependencies>
               </project>