  1. Dev - Nexus Repo
  2. NEXUS-26340

importing non-conforming Maven artifacts may trigger NullPointerException in VersionPolicyValidator.validArtifactPath even if Layout Policy is Permissive


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.29.2, 3.30.0
    • Fix Version/s: None
    • Component/s: import-export
    • Notability: 3

      Description

      Was importing from an old Maven repository on disk, which had some files not entirely conforming to Maven layout (into a 3.29.2 instance). Noticed some NullPointerExceptions.

      oddly named maven-metadata
      2021-01-09 08:01:14,559-0400 ERROR [quartz-9-thread-2]  *SYSTEM com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService - Import of file /import-data/central-releases/org/apache/cxf/cxf-xml2fastinfoset-plugin/maven-metadata.xml.2 into repository central-hosted failed
      java.lang.NullPointerException: null
      	at org.sonatype.nexus.repository.maven.internal.VersionPolicyValidator.validArtifactPath(VersionPolicyValidator.java:33)
      	at org.sonatype.nexus.repository.maven.MavenUploadHandlerSupport.validateVersionPolicy(MavenUploadHandlerSupport.java:253)
      	at org.sonatype.nexus.repository.maven.MavenUploadHandlerSupport.handle(MavenUploadHandlerSupport.java:178)
      	at org.sonatype.nexus.repository.upload.internal.UploadManagerImpl.handle(UploadManagerImpl.java:136)
      	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.lambda$1(OrientRepositoryImportService.java:166)
      	at org.sonatype.nexus.transaction.OperationPoint.lambda$0(OperationPoint.java:53)
      	at org.sonatype.nexus.transaction.OperationPoint.proceed(OperationPoint.java:64)
      	at org.sonatype.nexus.transaction.TransactionalWrapper.proceedWithTransaction(TransactionalWrapper.java:57)
      	at org.sonatype.nexus.transaction.Operations.proceedWithTransaction(Operations.java:232)
      	at org.sonatype.nexus.transaction.Operations.transactional(Operations.java:223)
      	at org.sonatype.nexus.transaction.Operations.run(Operations.java:175)
      	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.lambda$0(OrientRepositoryImportService.java:162)
      	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportSource$RepositoryImportFileVisitor.visitFile(RepositoryImportSource.java:83)
      	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportSource$RepositoryImportFileVisitor.visitFile(RepositoryImportSource.java:1)
      	at java.nio.file.Files.walkFileTree(Files.java:2670)
      	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportSource.walk(RepositoryImportSource.java:45)
      	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.walkImportDirectory(OrientRepositoryImportService.java:140)
      	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.doImport(OrientRepositoryImportService.java:125)
      	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportTask.execute(RepositoryImportTask.java:64)
      	at org.sonatype.nexus.repository.RepositoryTaskSupport.execute(RepositoryTaskSupport.java:79)
      	at org.sonatype.nexus.scheduling.TaskSupport.call(TaskSupport.java:100)
      	at org.sonatype.nexus.quartz.internal.task.QuartzTaskJob.doExecute(QuartzTaskJob.java:143)
      	at org.sonatype.nexus.quartz.internal.task.QuartzTaskJob.execute(QuartzTaskJob.java:106)
      	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
      	at org.sonatype.nexus.quartz.internal.QuartzThreadPool.lambda$0(QuartzThreadPool.java:145)
      	at org.sonatype.nexus.thread.internal.MDCAwareRunnable.run(MDCAwareRunnable.java:40)
      	at org.apache.shiro.subject.support.SubjectRunnable.doRun(SubjectRunnable.java:120)
      	at org.apache.shiro.subject.support.SubjectRunnable.run(SubjectRunnable.java:108)
      
      

      Another Example:

      difference in artifactId compared with path
      2021-01-09 08:21:06,731-0400 ERROR [quartz-9-thread-2]  *SYSTEM com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService - Import of file /import-data/central-releases/com/rabbitmq/rabbitmq-java-client/1.3.0/rabbitmq-client-javadoc-1.3.0.jar into repository central-hosted failed
      java.lang.NullPointerException: null
      	at org.sonatype.nexus.repository.maven.internal.VersionPolicyValidator.validArtifactPath(VersionPolicyValidator.java:33)
      	at org.sonatype.nexus.repository.maven.MavenUploadHandlerSupport.validateVersionPolicy(MavenUploadHandlerSupport.java:253)
      	at org.sonatype.nexus.repository.maven.MavenUploadHandlerSupport.handle(MavenUploadHandlerSupport.java:178)
      	at org.sonatype.nexus.repository.upload.internal.UploadManagerImpl.handle(UploadManagerImpl.java:136)
      	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.lambda$1(OrientRepositoryImportService.java:166)
      	at org.sonatype.nexus.transaction.OperationPoint.lambda$0(OperationPoint.java:53)
      	at org.sonatype.nexus.transaction.OperationPoint.proceed(OperationPoint.java:64)
      	at org.sonatype.nexus.transaction.TransactionalWrapper.proceedWithTransaction(TransactionalWrapper.java:57)
      	at org.sonatype.nexus.transaction.Operations.proceedWithTransaction(Operations.java:232)
      	at org.sonatype.nexus.transaction.Operations.transactional(Operations.java:223)
      	at org.sonatype.nexus.transaction.Operations.run(Operations.java:175)
      	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.lambda$0(OrientRepositoryImportService.java:162)
      	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportSource$RepositoryImportFileVisitor.visitFile(RepositoryImportSource.java:83)
      	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportSource$RepositoryImportFileVisitor.visitFile(RepositoryImportSource.java:1)
      	at java.nio.file.Files.walkFileTree(Files.java:2670)
      	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportSource.walk(RepositoryImportSource.java:45)
      	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.walkImportDirectory(OrientRepositoryImportService.java:140)
      	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.doImport(OrientRepositoryImportService.java:125)
      	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportTask.execute(RepositoryImportTask.java:64)
      	at org.sonatype.nexus.repository.RepositoryTaskSupport.execute(RepositoryTaskSupport.java:79)
      

      Another variation:

      Difference in letter case
      2021-01-08 18:37:00,337-0400 ERROR [quartz-9-thread-2]  *SYSTEM com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService - Import of file /import-data/central-releases/org/codehaus/httpcache4j/clients/clients-httpClient/1.0-RC2/clients-httpclient-1.0-RC2.pom into repository central-hosted failed
      java.lang.NullPointerException: null
      

      The cause is that MavenPath.getCoordinates() is returning null, and null is passed into VersionPolicyValidator.validArtifactPath, where coordinates are accessed.

      Expected

      1. If Layout Policy is strict, avoid the NPE and instead log, without a stack trace, that the path value is not conforming and therefore was ignored by import.
      2. If Layout Policy is permissive, then consider whether the path should be allowed to be imported, i.e. does direct HTTP PUT of the path work when layout is permissive? Is there some special rule that is different for import? If so, document it, or provide a different setting for import to allow non-conforming paths.
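
A pre-import check for the three path shapes reported above, as an added example that is not part of the original issue or of Nexus: it flags files whose name does not agree with their artifactId and version directories. `check_path` and `scan` are hypothetical names, and the rules are an approximation of the Maven 2 layout, not the product's own parser.

```python
import re
from pathlib import PurePosixPath

# Approximation of the Maven 2 layout, written for this example (not Nexus's parser).
HASH_SUFFIXES = (".sha1", ".md5", ".sha256", ".sha512")
METADATA = "maven-metadata.xml"
SNAPSHOT_TS = r"\d{8}\.\d{6}-\d+"  # timestamp-build part of a deployed snapshot

def check_path(rel_path):
    """Return None for a conforming path, else a short reason string."""
    parts = PurePosixPath(rel_path).parts
    name = parts[-1]
    for suffix in HASH_SUFFIXES:  # checksum files follow the file they cover
        if name.endswith(suffix):
            name = name[: -len(suffix)]
            break
    if name == METADATA:
        return None
    if name.startswith(METADATA):
        return "oddly named maven-metadata file"
    if len(parts) < 4:
        return "too few segments for group/artifact/version/file"
    artifact_id, version = parts[-3], parts[-2]
    prefix = artifact_id + "-"
    if not name.startswith(prefix):
        if name.lower().startswith(prefix.lower()):
            return "file name and artifactId directory differ in letter case"
        return "file name does not start with the artifactId directory name"
    rest, ver = name[len(prefix):], re.escape(version)
    if version.endswith("-SNAPSHOT"):  # also accept timestamped snapshot builds
        ver = "(?:%s|%s%s)" % (ver, re.escape(version[:-8]), SNAPSHOT_TS)
    if not re.match(ver + r"[.-].", rest):
        return "file name does not carry the version directory name"
    return None

def scan(rel_paths):
    """Map each non-conforming path to its reason; conforming paths are omitted."""
    return {p: r for p in rel_paths if (r := check_path(p)) is not None}

# First three paths are from the log lines above (relative to the import root);
# the last one is constructed as a conforming control.
SAMPLE = [
    "org/apache/cxf/cxf-xml2fastinfoset-plugin/maven-metadata.xml.2",
    "com/rabbitmq/rabbitmq-java-client/1.3.0/rabbitmq-client-javadoc-1.3.0.jar",
    "org/codehaus/httpcache4j/clients/clients-httpClient/1.0-RC2/clients-httpclient-1.0-RC2.pom",
    "org/example/app/1.0/app-1.0.jar",
]
```

Running `scan` over the relative paths of an import directory before starting the import task gives the list of files to rename or set aside.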

              People

              Assignee: Unassigned
              Reporter: Peter Lynch (plynch)
              Last Updated By: Rich Seddon
              Votes: 0
              Watchers: 4
