  1. Dev - Nexus Repo
  2. NEXUS-25623

Provide a different status than Quarantined for components Pending Quarantine

Details

    • Improvement
    • Resolution: Fixed
    • Major
    • 3.30.0
    • 3.28.1
    • Firewall
    • n/a

    Description

      When Nexus is unable to obtain quarantine status for a component from IQ Server, it defaults to returning 403, indicating that the component is quarantined. This may be a false positive for non-vulnerable components and causes confusion for developers.

      Example, timeout connecting to IQ:
      2020-10-20 10:00:11,350-0500 WARN [qtp270297739-6990] *UNKNOWN com.sonatype.nexus.clm.internal.FirewallContributedHandler - Could not get latest quarantine status for asset npm-proxy:is-core-module/-/is-core-module-2.0.0.tgz: Read timed out
      2020-10-20 10:00:11,351-0500 INFO [qtp270297739-6990] *UNKNOWN com.sonatype.nexus.clm.internal.FirewallContributedHandler - Blocked serving of quarantined asset npm-proxy:is-core-module/-/is-core-module-2.0.0.tgz because quarantineStatus=PENDING

      This caused build failures (403 status code) with a message indicating that the package(s) have been quarantined. However, there were zero quarantined components in the IQ report for that repo.
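
A log triage sketch for the failure described above, added here as an example and not Sonatype's code: it pairs each "Blocked serving" line with a preceding failed status lookup for the same asset on the same request thread, so 403s returned without an IQ verdict can be separated from policy blocks. The function name, the same-thread correlation rule and the third sample line (including its QUARANTINED value) are assumptions.

```python
import re

# Patterns for the two FirewallContributedHandler messages quoted in this issue.
LOOKUP_FAILED = re.compile(
    r"\[(?P<thread>[^\]]+)\].*Could not get latest quarantine status "
    r"for asset (?P<asset>\S+): (?P<reason>.+)$")
BLOCKED = re.compile(
    r"\[(?P<thread>[^\]]+)\].*Blocked serving of quarantined asset "
    r"(?P<asset>\S+) because quarantineStatus=(?P<status>\w+)")


def classify_blocks(lines):
    """Return one dict per blocked asset, flagging blocks that follow a failed IQ lookup."""
    failed = {}   # (thread, asset) -> reason given by the most recent failed lookup
    results = []
    for line in lines:
        m = LOOKUP_FAILED.search(line)
        if m:
            failed[(m["thread"], m["asset"])] = m["reason"]
            continue
        m = BLOCKED.search(line)
        if m:
            reason = failed.pop((m["thread"], m["asset"]), None)
            results.append({
                "asset": m["asset"],
                "status": m["status"],
                "lookup_error": reason,
                # PENDING right after a failed lookup: no policy verdict was obtained.
                "unverified": m["status"] == "PENDING" and reason is not None,
            })
    return results


# The first two lines are from the issue; the third is constructed, and its
# QUARANTINED status value and asset name are assumptions for illustration.
SAMPLE_LOG = """\
2020-10-20 10:00:11,350-0500 WARN [qtp270297739-6990] *UNKNOWN com.sonatype.nexus.clm.internal.FirewallContributedHandler - Could not get latest quarantine status for asset npm-proxy:is-core-module/-/is-core-module-2.0.0.tgz: Read timed out
2020-10-20 10:00:11,351-0500 INFO [qtp270297739-6990] *UNKNOWN com.sonatype.nexus.clm.internal.FirewallContributedHandler - Blocked serving of quarantined asset npm-proxy:is-core-module/-/is-core-module-2.0.0.tgz because quarantineStatus=PENDING
2020-10-20 10:00:12,004-0500 INFO [qtp270297739-7001] *UNKNOWN com.sonatype.nexus.clm.internal.FirewallContributedHandler - Blocked serving of quarantined asset npm-proxy:example-pkg/-/example-pkg-1.0.0.tgz because quarantineStatus=QUARANTINED
""".splitlines()

if __name__ == "__main__":
    for r in classify_blocks(SAMPLE_LOG):
        label = "UNVERIFIED (IQ lookup failed)" if r["unverified"] else "policy block"
        print(f'{r["asset"]}: {r["status"]} -> {label} {r["lookup_error"] or ""}')
```

Assets flagged as unverified were refused without a policy evaluation, so they should be re-requested once IQ Server is reachable rather than treated as known-bad.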

          People

            aornatovskyy Anatoliy Ornatovskyy [X] (Inactive)
            cseney Cassandra Seney
            John Feir
            Joe Tom Joe Tom