[NEXUS-24918] npm audit should not fail if package.json contains a dependency that can't be found - Sonatype JIRA

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.26.1, 3.27.0
Fix Version/s: 3.28.0
Component/s: npm-audit
Labels:

Description

If you run "npm audit" against a package.json that contains a dependency that can't be found in the target repository it will cause the command to fail completely, no data is returned. The logs will contain a warning which is difficult to understand, and a stack trace that is not needed.

Expected: If a dependency can't be found during npm audit we should note that in the npm audit results, we should not fail the entire audit. A single log line is all that is needed at WARN, the stack should be logged at debug level.

2020-08-13 10:13:45,530-0500 WARN [qtp2043467374-54] *UNKNOWN org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler - Can't get hashsum for the appId [null] type [npm] name [somepackage] version [1.3.5] package
org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException: Can't get hashsum for the appId [null] type [npm] name [somepackage] version [1.3.5] package
at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:131)
at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getAuditRepositoryComponents(NpmAuditFacet.java:238)
at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getComponentsVulnerabilityFromRemoteServer(NpmAuditFacet.java:211)
at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.analyzeComponents(NpmAuditFacet.java:186)
at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.audit(NpmAuditFacet.java:140)
at org.sonatype.nexus.repository.npm.internal.NpmGroupAuditHandler.handle(NpmGroupAuditHandler.java:41)
at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
at org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler.handle(NpmAuditErrorHandler.java:67)
at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
at org.sonatype.nexus.repository.storage.UnitOfWorkHandler.handle(UnitOfWorkHandler.java:39)
at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
at com.sonatype.analytics.internal.handler.AnalyticsMeteringHandler.handle(AnalyticsMeteringHandler.java:69)
at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
at org.sonatype.nexus.repository.view.handlers.TimingHandler.handle(TimingHandler.java:58)
at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
at com.sonatype.analytics.internal.handler.AnalyticsNpmAuditHandler.handle(AnalyticsNpmAuditHandler.java:55)
at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
at org.sonatype.nexus.repository.view.Context.start(Context.java:114)
at org.sonatype.nexus.repository.view.Router.dispatch(Router.java:65)
at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:52)
at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:43)
at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.dispatchAndSend(ViewServlet.java:213)
at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.doService(ViewServlet.java:175)
at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.service(ViewServ

Attachments

Issue Links

is related to

NEXUS-24830 npm audit error with quarantined components

Closed

mentioned in: Page Loading...

Activity

People

Assignee:: Mark Dodgson

Reporter:: Rich Seddon

Last Updated By:: Michael Prescott

Team:: NXRM - Trinity

Votes:: 4 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 08/13/20 03:25 PM

Updated:: 04/23/21 06:25 PM

Resolved:: 08/28/20 07:14 AM

Date of First Response:: 13/Aug/20 3:42 PM