Details
- Improvement
- Resolution: Fixed
- Major
- 3.28.1
- n/a
Description
When Nexus is unable to obtain the quarantine status for a component from IQ Server, it defaults to returning 403, indicating that the component is quarantined. This may be a false positive for non-vulnerable components and causes confusion for developers.
Example (timeout connecting to IQ):
2020-10-20 10:00:11,350-0500 WARN [qtp270297739-6990] *UNKNOWN com.sonatype.nexus.clm.internal.FirewallContributedHandler - Could not get latest quarantine status for asset npm-proxy:is-core-module/-/is-core-module-2.0.0.tgz: Read timed out
2020-10-20 10:00:11,351-0500 INFO [qtp270297739-6990] *UNKNOWN com.sonatype.nexus.clm.internal.FirewallContributedHandler - Blocked serving of quarantined asset npm-proxy:is-core-module/-/is-core-module-2.0.0.tgz because quarantineStatus=PENDING
This caused build failures (403 status code) with a message indicating that the package(s) have been quarantined. However, there were zero quarantined components in the IQ report for that repo.
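To separate 403s caused by a failed IQ lookup from blocks where a status was actually returned, the two log messages can be correlated. The following Python is an added example, not Sonatype's code and not part of the original issue; the third sample line is constructed, and pairing the WARN and INFO lines by thread name and asset is an assumption based on the two lines quoted above.

```python
import re

# First two lines are the ones quoted in this issue. The third is constructed
# here to show a block that was NOT preceded by a lookup failure.
SAMPLE_LOG = """\
2020-10-20 10:00:11,350-0500 WARN [qtp270297739-6990] *UNKNOWN com.sonatype.nexus.clm.internal.FirewallContributedHandler - Could not get latest quarantine status for asset npm-proxy:is-core-module/-/is-core-module-2.0.0.tgz: Read timed out
2020-10-20 10:00:11,351-0500 INFO [qtp270297739-6990] *UNKNOWN com.sonatype.nexus.clm.internal.FirewallContributedHandler - Blocked serving of quarantined asset npm-proxy:is-core-module/-/is-core-module-2.0.0.tgz because quarantineStatus=PENDING
2020-10-20 10:02:40,102-0500 INFO [qtp270297739-7011] *UNKNOWN com.sonatype.nexus.clm.internal.FirewallContributedHandler - Blocked serving of quarantined asset npm-proxy:example-pkg/-/example-pkg-1.0.0.tgz because quarantineStatus=PENDING
"""

# WARN line: the status lookup against IQ Server failed (e.g. "Read timed out").
FAIL = re.compile(r"\[(?P<thread>[^\]]+)\].*Could not get latest quarantine "
                  r"status for asset (?P<asset>\S+): (?P<reason>.+)$")
# INFO line: the request was answered with a block (the 403 seen by the build).
BLOCK = re.compile(r"\[(?P<thread>[^\]]+)\].*Blocked serving of quarantined "
                   r"asset (?P<asset>\S+) because quarantineStatus=(?P<status>\w+)")

def classify_blocks(log_text):
    """Return one record per block, flagging those preceded by a lookup failure."""
    failed = {}    # (thread, asset) -> reason taken from the WARN line
    results = []
    for line in log_text.splitlines():
        m = FAIL.search(line)
        if m:
            failed[(m["thread"], m["asset"])] = m["reason"].strip()
            continue
        m = BLOCK.search(line)
        if m:
            # Assumption: a failure on the same thread for the same asset
            # immediately explains the block that follows it.
            reason = failed.pop((m["thread"], m["asset"]), None)
            results.append({"asset": m["asset"], "status": m["status"],
                            "lookup_failed": reason is not None,
                            "reason": reason})
    return results

if __name__ == "__main__":
    for r in classify_blocks(SAMPLE_LOG):
        cause = f"IQ lookup failed ({r['reason']})" if r["lookup_failed"] else "status returned by IQ"
        print(f"{r['asset']}: quarantineStatus={r['status']} -> {cause}")
```

Blocks flagged with `lookup_failed` are the candidates for the false positives described here and are worth checking against the IQ report before treating the component as quarantined.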