NEXUS-24917 (Dev - Nexus Repo)

npm audit should do case insensitive compare

    Details

      Description

      Configure npm to use a Nexus Repo proxy repository with remote of https://registry.npmjs.org.

      npm config set registry http://localhost:8081/repository/npm-proxy
      

      Create a package.json file with this for the contents:

      {
        "name": "testproject",
        "version": "0.0.1",
        "description": "Test Project",
        "main": "index.js",
        "dependencies": {
          "JSONStream": "1.3.5"
        },
        "author": "JohnDoe",
        "license": "ISC"
      }
      

      Run:

      npm install -d
      npm audit
      

      This will fail with a warning and a stack trace:

      2020-08-13 10:13:45,530-0500 WARN [qtp2043467374-54] *UNKNOWN org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler - Can't get hashsum for the appId [null] type [npm] name [jsonstream] version [1.3.5] package
      org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException: Can't get hashsum for the appId [null] type [npm] name [jsonstream] version [1.3.5] package
      at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:131)
      at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getAuditRepositoryComponents(NpmAuditFacet.java:238)
      at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getComponentsVulnerabilityFromRemoteServer(NpmAuditFacet.java:211)
      at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.analyzeComponents(NpmAuditFacet.java:186)
      at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.audit(NpmAuditFacet.java:140)
      at org.sonatype.nexus.repository.npm.internal.NpmGroupAuditHandler.handle(NpmGroupAuditHandler.java:41)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler.handle(NpmAuditErrorHandler.java:67)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at org.sonatype.nexus.repository.storage.UnitOfWorkHandler.handle(UnitOfWorkHandler.java:39)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at com.sonatype.analytics.internal.handler.AnalyticsMeteringHandler.handle(AnalyticsMeteringHandler.java:69)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at org.sonatype.nexus.repository.view.handlers.TimingHandler.handle(TimingHandler.java:58)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at com.sonatype.analytics.internal.handler.AnalyticsNpmAuditHandler.handle(AnalyticsNpmAuditHandler.java:55)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at org.sonatype.nexus.repository.view.Context.start(Context.java:114)
      at org.sonatype.nexus.repository.view.Router.dispatch(Router.java:65)
      at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:52)
      at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:43)
      at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.dispatchAndSend(ViewServlet.java:213)
      at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.doService(ViewServlet.java:175)
      at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.service(ViewServ

      But the package does exist on the remote:

      https://registry.npmjs.org/JSONStream/-/JSONStream-1.3.5.tgz

      Note that the log message indicates it is looking for "jsonstream", not "JSONStream". So it seems that npm audit does not work for npm packages that have mixed-case names.
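      As an added illustration (not Nexus Repository code and not part of the report), the lookup below shows the mismatch the log message describes and the case-insensitive fallback the title asks for. The list of published names and the registry base URL are constructed sample data; `findCanonicalName`, `tarballUrl` and `resolveTarball` are hypothetical helpers, not Nexus or npm APIs. The tarball path format is the one visible in the report (`/JSONStream/-/JSONStream-1.3.5.tgz`); the scoped-package variant (`/@scope/name/-/name-version.tgz`) is the standard npm layout.

```javascript
// Constructed sample: package names exactly as published on the registry.
// npm keeps the case of older package names, so "JSONStream" is not "jsonstream".
const PUBLISHED_NAMES = ["JSONStream", "lodash", "@types/node"];
const REGISTRY = "https://registry.npmjs.org"; // constructed; matches the report's remote

// Map a (possibly lowercased) name back to the name the registry actually uses.
// Exact match first, then a case-insensitive match; refuse to guess if ambiguous.
function findCanonicalName(published, requested) {
  if (published.includes(requested)) return requested;
  const wanted = requested.toLowerCase();
  const hits = published.filter((n) => n.toLowerCase() === wanted);
  return hits.length === 1 ? hits[0] : null;
}

// Build the tarball URL using the published case of the name. A lowercased name
// yields /jsonstream/-/jsonstream-1.3.5.tgz, which is not where the registry
// serves JSONStream, so the audit cannot fetch the tarball to hash it.
function tarballUrl(registry, name, version) {
  const base = name.startsWith("@") ? name.split("/")[1] : name;
  return `${registry}/${name}/-/${base}-${version}.tgz`;
}

// Resolve the tarball the audit should download for a requested name/version.
// Returns null when the name cannot be matched to a published package, so the
// caller can report the dependency as unaudited instead of silently skipping it.
function resolveTarball(registry, published, requestedName, version) {
  const canonical = findCanonicalName(published, requestedName);
  return canonical === null ? null : tarballUrl(registry, canonical, version);
}

// Names from an audit request that cannot be resolved at all: each one is a
// dependency whose vulnerabilities would go unreported.
function unauditedNames(published, requestedNames) {
  return requestedNames.filter((n) => findCanonicalName(published, n) === null);
}

console.log(resolveTarball(REGISTRY, PUBLISHED_NAMES, "jsonstream", "1.3.5"));
console.log(unauditedNames(PUBLISHED_NAMES, ["jsonstream", "lodash", "not-published"]));
```

      The point of the fallback is audit coverage: a lowercase-only lookup turns every mixed-case dependency into a package the audit cannot fetch, and therefore cannot check for known vulnerabilities. Refusing to resolve an ambiguous pair (both `foo` and `Foo` published) keeps the case-insensitive match from attaching one package's audit result to another.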

      Expected:

      People

      Assignee: Mark Dodgson (mdodgson)
      Reporter: Rich Seddon (rseddon)
      Last Updated By: Michael Prescott
      Team: NXRM - Trinity
      Votes: 1
      Watchers: 6