Dev - Nexus Repo: NEXUS-25936

npm audit fails with 500 response using group and anonymous


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.28.1, 3.29.0
    • Fix Version/s: 3.29.1
    • Component/s: npm-audit
    • Notability: 3

      Description

      The anonymous user has read/browse access to the npm group, but npm audit fails with the following 500 response:

      http fetch POST 500 http://localhost:8081/repository/npmjs/-/npm/v1/security/audits 99ms

      npm verb stack Error: Your configured registry (http://localhost:8081/repository/npmjs/) may not support audit requests, or the audit endpoint may be temporarily unavailable.

      The Nexus log shows the following, which does not clearly explain the issue:

      2020-11-23 14:27:50,782+0000 ERROR [qtp1542927475-278] *UNKNOWN org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler - java.util.concurrent.ExecutionException: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException
      java.lang.RuntimeException: java.util.concurrent.ExecutionException: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:127)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getAuditRepositoryComponents(NpmAuditFacet.java:292)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getComponentsVulnerabilityFromRemoteServer(NpmAuditFacet.java:235)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.analyzeComponents(NpmAuditFacet.java:210)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.audit(NpmAuditFacet.java:152)
      	at org.sonatype.nexus.repository.npm.internal.NpmGroupAuditHandler.handle(NpmGroupAuditHandler.java:41)
      ...
      Caused by: java.util.concurrent.ExecutionException: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException
      	at java.util.concurrent.FutureTask.report(FutureTask.java:122)
      	at java.util.concurrent.FutureTask.get(FutureTask.java:192)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:123)
      	... 108 common frames omitted
      Caused by: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException: null
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet$TarballGroupHandler.getTarballHashsum(NpmAuditTarballFacet.java:230)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:152)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.lambda$1(NpmAuditTarballFacet.java:114)

      For npm audit to work, the requesting user has to have read access to all group members (including hosted repos). So it seems group repo permissions are not honoured for npm audit.

      Steps to reproduce:

      1) Create an npm hosted repo and an npm proxy repo (to npmjs). The proxy should not have any cached items; the issue only reproduces if the artifact is not cached.

      2) Create an npm group repo with the hosted and proxy npm repos as members.

      3) Make sure the anonymous user has only read and browse access to the npm group repo and no access to the npm hosted and proxy repos.

      4) Ensure no credentials for the group repo are stored in the ~/.npmrc file; we want to use anonymous access.

      5) Run npm audit against the group repo with valid package.json and package-lock.json files.

      Expected Behaviour:

      Only read access to the group repository should be required if npm audit is run pointing at the group.

      Workaround:

      Give read access to all members of the npm group repo, i.e. grant read access on the member npm hosted and proxy repos as well; npm audit will then work for that npm group repo.
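As an added example (not part of this issue, and not Sonatype's own code), the following Python script turns the report into a repeatable check: it replays the anonymous POST to the audit endpoint path shown in the npm output above against the group and each of its members, classifies the responses so a 500 on the group beside a 403 on a member stands out, and matches the Nexus log line signature from the stack trace. The base URL, repository names, package names and the minimal audit request body are my assumptions; npm itself gzips the audit body, and sending it as plain JSON is an assumption the endpoint may not accept. The sample log lines are constructed from the ones quoted in the issue.

```python
"""Anonymous npm audit check for a Nexus group repo (added example, not
the issue's or Nexus's own code). Assumed: base URL, repo names, request
body shape; npm gzips the body, here it is sent as plain JSON."""
import json
import re
import urllib.error
import urllib.request

# Audit endpoint path, as it appears in the npm output quoted in the issue.
AUDIT_PATH = "/-/npm/v1/security/audits"

# Log signature taken from the issue: NpmAuditErrorHandler logging a
# TarballLoadingException. Captures the Jetty thread and the user field.
LOG_SIGNATURE = re.compile(
    r"ERROR \[(?P<thread>[^\]]+)\] (?P<user>\S+) "
    r"org\.sonatype\.nexus\.repository\.npm\.internal\.NpmAuditErrorHandler"
    r" - .*TarballLoadingException"
)


def classify_audit_response(status):
    """Map the audit endpoint's HTTP status to a short diagnosis."""
    if status == 200:
        return "ok"
    if status in (401, 403):
        return "denied"          # repo not readable by this (anonymous) caller
    if status == 500:
        return "server-error"    # the symptom reported in this issue
    return "unexpected"


def find_group_audit_failures(log_lines):
    """Return (thread, user) for every Nexus log line matching the signature."""
    hits = []
    for line in log_lines:
        m = LOG_SIGNATURE.search(line)
        if m:
            hits.append((m.group("thread"), m.group("user")))
    return hits


def build_audit_body(name, version, deps):
    """Minimal audit request body (assumed shape); deps is {package: version}."""
    return {
        "name": name,
        "version": version,
        "requires": dict(deps),
        "dependencies": {pkg: {"version": ver} for pkg, ver in deps.items()},
    }


def post_audit(base_url, repo, body):
    """POST the body anonymously to one repo's audit endpoint; return (status, text)."""
    url = f"{base_url.rstrip('/')}/repository/{repo}{AUDIT_PATH}"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def diagnose(base_url, group, members, body):
    """Classify the group and each member; a server-error on the group next
    to 'denied' on a member is the pattern this issue describes."""
    return {repo: classify_audit_response(post_audit(base_url, repo, body)[0])
            for repo in [group, *members]}


# Constructed sample log lines, modelled on the ones quoted in the issue.
SAMPLE_LOG = [
    "2020-11-23 14:27:50,782+0000 ERROR [qtp1542927475-278] *UNKNOWN "
    "org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler - "
    "java.util.concurrent.ExecutionException: "
    "org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException",
    "2020-11-23 14:27:51,001+0000 INFO  [qtp1542927475-280] admin "
    "org.sonatype.nexus.repository.npm.internal.NpmAuditFacet - audit ok",
]

if __name__ == "__main__":
    print("log hits:", find_group_audit_failures(SAMPLE_LOG))
    # Live check; repo and package names are placeholders for your instance.
    body = build_audit_body("audit-probe", "1.0.0", {"lodash": "4.17.15"})
    print(diagnose("http://localhost:8081", "npmjs",
                   ["npm-hosted", "npm-proxy"], body))
```

Run it before and after applying the workaround: with the bug present the group reports `server-error` while the members report `denied`; once the member repos are readable by the anonymous user the group should report `ok`, and the log matcher stops returning hits with `*UNKNOWN` as the user field.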


              People

              Assignee:
              mpiggott Matthew Piggott
              Reporter:
              msurani Mahendra Surani
              Last Updated By:
              Joe Tom Joe Tom
              Team:
              NXRM - Groot
              Votes: 0
              Watchers: 7
