Dev - Nexus Repo / NEXUS-24917

npm audit fails for packages that are not all lowercase


      Description

      Configure npm to use a Nexus Repo proxy repository with remote of https://registry.npmjs.org.

      npm config set registry http://localhost:8081/repository/npm-proxy
      

      Create a package.json file with this for the contents:

      {
        "name": "testproject",
        "version": "0.0.1",
        "description": "Test Project",
        "main": "index.js",
        "dependencies": {
          "JSONStream": "1.3.5"
        },
        "author": "JohnDoe",
        "license": "ISC"
      }
      

      Run:

      npm install -d
      npm audit
      

      This will fail with a warning and a stack trace:

      2020-08-13 10:13:45,530-0500 WARN [qtp2043467374-54] *UNKNOWN org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler - Can't get hashsum for the appId [null] type [npm] name [jsonstream] version [1.3.5] package
      org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException: Can't get hashsum for the appId [null] type [npm] name [jsonstream] version [1.3.5] package
      at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:131)
      at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getAuditRepositoryComponents(NpmAuditFacet.java:238)
      at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getComponentsVulnerabilityFromRemoteServer(NpmAuditFacet.java:211)
      at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.analyzeComponents(NpmAuditFacet.java:186)
      at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.audit(NpmAuditFacet.java:140)
      at org.sonatype.nexus.repository.npm.internal.NpmGroupAuditHandler.handle(NpmGroupAuditHandler.java:41)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler.handle(NpmAuditErrorHandler.java:67)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at org.sonatype.nexus.repository.storage.UnitOfWorkHandler.handle(UnitOfWorkHandler.java:39)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at com.sonatype.analytics.internal.handler.AnalyticsMeteringHandler.handle(AnalyticsMeteringHandler.java:69)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at org.sonatype.nexus.repository.view.handlers.TimingHandler.handle(TimingHandler.java:58)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at com.sonatype.analytics.internal.handler.AnalyticsNpmAuditHandler.handle(AnalyticsNpmAuditHandler.java:55)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at org.sonatype.nexus.repository.view.Context.start(Context.java:114)
      at org.sonatype.nexus.repository.view.Router.dispatch(Router.java:65)
      at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:52)
      at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:43)
      at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.dispatchAndSend(ViewServlet.java:213)
      at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.doService(ViewServlet.java:175)
      at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.service(ViewServ

      But the package does exist on the remote:

      https://registry.npmjs.org/JSONStream/-/JSONStream-1.3.5.tgz

      Note that the log message indicates it is looking for "jsonstream", not "JSONStream". So it seems that npm audit does not work for npm packages that have mixed-case names.

      Expected:

            People

            Assignee:
            mdodgson Mark Dodgson
            Reporter:
            rseddon Rich Seddon
            Last Updated By:
            Joseph Stephens
            Team:
            NXRM - Trinity
            Votes:
            1
            Watchers:
            6
