[NEXUS-24914] npm audit may return different results in HA - Sonatype JIRA

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.26.0
Fix Version/s: None
Component/s: HA, NPM, npm-audit
Labels:
- triaged

Description

Due to the caching added to the npm audit implementation https://github.com/sonatype/nexus-internal/blob/59ef3f717a6e2cffc4dd6188ba8aedbfbeb8c2bb/plugins/nexus-repository-npm/src/main/java/org/sonatype/nexus/repository/npm/internal/NpmAuditFacet.java#L265

there may be situations were the cache is different on nodes in a HA environment.

Scenario:

User runs npm audit hitting node 1 and caches the results
Vulnerability on a component updated
User runs npm audit hitting node 2 and caches new results with a vulnerability
- user A doesnt address the vuln
Sometime later the user goes to address the vulnerability, runs npm audit again, hitting node 1 and no longer sees the vulnerability

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Mark Dodgson

Last Updated By:: Joe Tom

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 08/13/20 11:57 AM

Updated:: 12/01/20 10:34 PM

Date of First Response:: 01/Dec/20 3:48 PM

tigCommentSecurity.panel-title