Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-25623

Provide a different status than Quarantined for components Pending Quarantine

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.28.1
    • Fix Version/s: 3.30.0
    • Component/s: Firewall
    • Labels:
    • Notability:
      n/a

      Description

      When Nexus is unable to obtain quarantine status for a component from IQ Server it defaults to returning 403 indicating that the component is quarantined. This may be a false positive for non vulnerable components and causes confusion for developers.

      Example, timeout connecting to IQ:
      2020-10-20 10:00:11,350-0500 WARN [qtp270297739-6990] *UNKNOWN com.sonatype.nexus.clm.internal.FirewallContributedHandler - Could not get latest quarantine status for asset npm-proxy:is-core-module/-/is-core-module-2.0.0.tgz: Read timed out
      2020-10-20 10:00:11,351-0500 INFO [qtp270297739-6990] *UNKNOWN com.sonatype.nexus.clm.internal.FirewallContributedHandler - Blocked serving of quarantined asset npm-proxy:is-core-module/-/is-core-module-2.0.0.tgz because quarantineStatus=PENDING

      This caused build failures (403 status code) with a message indicating that the package(s) have been quarantined. However, there were zero quarantined components in the IQ report for that repo.

        Attachments

          Activity

            People

            Assignee:
            aornatovskyy Anatoliy Ornatovskyy
            Reporter:
            cseney Cassandra Seney
            CC:
            John Feir
            Last Updated By:
            Joe Tom Joe Tom
            Votes:
            1 Vote for this issue
            Watchers:
            7 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Date of First Response:

                tigCommentSecurity.panel-title