Dev - Nexus Repo
NEXUS-26573

npm audit should be case sensitive


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 3.29.2
    • Fix Version/s: None
    • Component/s: npm-audit
    • Labels:
    • Notability: 3

      Description

      Perform an npm audit against Base64@0.2.1. Note that this is an upper case "B".

      This will fail with a 500 response. The Nexus Repo log shows:

      2021-02-02 10:44:18,400-0500 WARN [qtp1973415025-81300] e3uems org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler - An error occurred retrieving component remediation from Sonatype IQ Server.
      java.util.concurrent.ExecutionException: org.sonatype.nexus.repository.vulnerability.exceptions.VulnerabilityFetchingException: An error occurred retrieving component remediation from Sonatype IQ Server.
        at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357)
        at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1915)
        at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getVulnerabilityResult(NpmAuditFacet.java:324)
        at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getComponentsVulnerabilityFromRemoteServer(NpmAuditFacet.java:304)
        at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.analyzeComponents(NpmAuditFacet.java:221)
        at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.audit(NpmAuditFacet.java:163)
        at org.sonatype.nexus.repository.npm.internal.NpmAuditHandler.handle(NpmAuditHandler.java:41)
        at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
        at org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler.handle(NpmAuditErrorHandler.java:67)
        at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
        at org.sonatype.nexus.repository.storage.UnitOfWorkHandler.handle(UnitOfWorkHandler.java:39)
        at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
        at org.sonatype.nexus.repository.security.SecurityHandler.handle(SecurityHandler.java:51)
        at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
        ...
      Caused by: org.sonatype.nexus.repository.vulnerability.exceptions.VulnerabilityFetchingException: An error occurred retrieving component remediation from Sonatype IQ Server.
        at com.sonatype.nexus.clm.vulnerability.service.ComponentRemediationService.fillComponentRemediationVersions(ComponentRemediationService.java:146)
        at com.sonatype.nexus.clm.vulnerability.service.ComponentRemediationService.getRemediationVersions(ComponentRemediationService.java:117)
        at com.sonatype.nexus.clm.vulnerability.ComponentVulnerabilityListener.processRequest(ComponentVulnerabilityListener.java:121)
        at com.sonatype.nexus.clm.vulnerability.ComponentVulnerabilityListener.on(ComponentVulnerabilityListener.java:94)

      On the IQ Server side, we see:

      2021-02-02 10:44:18,144-0500 DEBUG [dw-89208 - POST /api/v2/components/remediation/application/073c5307f15546bcb1949d6f102c28b1] admin2 com.sonatype.insight.brain.hds.DefaultHdsClient - Starting request: GET https://clm.sonatype.com/rest/component/summary?componentIdentifier=%7B%22format%22%3A%22npm%22%2C%22coordinates%22%3A%7B%22packageId%22%3A%22base64%22%2C%22version%22%3A%220.2.1%22%7D%7D
      2021-02-02 10:44:18,173-0500 DEBUG [dw-89208 - POST /api/v2/components/remediation/application/073c5307f15546bcb1949d6f102c28b1] admin2 com.sonatype.insight.brain.hds.DefaultHdsClient - Completed request in 29 ms. 200
      2021-02-02 10:44:18,173-0500 DEBUG [dw-89208 - POST /api/v2/components/remediation/application/073c5307f15546bcb1949d6f102c28b1] admin2 com.sonatype.insight.jaxrs.error.ErrorResponseGenerator - Invalid Component Identifier or packageUrl

      The component coordinates are sent as:

      {"format":"npm","coordinates":{"packageId":"base64","version":"0.2.1"}}
      

      Note the lower case "b".

      Both the lower and upper case artifacts exist:

      http://registry.npmjs.org/base64
      http://registry.npmjs.org/Base64

      But only the upper case one has version "0.2.1".

      Expected: Case should be preserved in npm audit requests.
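The request path the report describes, reconstructed as an added Python example (this is not Nexus Repo or IQ Server code). It builds the IQ component identifier for an npm coordinate with and without the case folding observed in the log, reproduces the exact componentIdentifier query string from the IQ log entry, and resolves each identifier against a constructed stand-in for the npm registry. It also shows the wider consequence the report implies: once names are lower-cased, the distinct packages base64 and Base64 collapse onto one identifier, so an audit can fail on, or be answered from, a package other than the one actually installed. The registry contents, the lockfile fragment and all helper names are assumptions; only the two package names, the version 0.2.1 and the request format come from the report.

```python
import json
from urllib.parse import quote

# Constructed stand-in for the npm registry. The report establishes only that
# "base64" and "Base64" are distinct packages and that "0.2.1" exists for
# "Base64" alone; every other version string here is hypothetical filler.
REGISTRY = {
    "base64": {"versions": ["0.1.0", "0.3.0"]},
    "Base64": {"versions": ["0.2.1", "1.0.0"]},
}

# Endpoint prefix exactly as it appears in the IQ Server DEBUG line.
IQ_SUMMARY_ENDPOINT = "https://clm.sonatype.com/rest/component/summary?componentIdentifier="


def iq_component_identifier(package_id, version, fold_case=False):
    """Serialise an npm coordinate as the IQ component identifier JSON seen in the log.

    fold_case=True reproduces the observed (buggy) behaviour: the name is lower-cased
    before the request. fold_case=False is the expected, case-preserving behaviour.
    """
    name = package_id.lower() if fold_case else package_id
    identifier = {"format": "npm", "coordinates": {"packageId": name, "version": version}}
    return json.dumps(identifier, separators=(",", ":"))


def summary_url(identifier):
    """URL-encode the identifier the way the IQ log shows it (every reserved byte escaped)."""
    return IQ_SUMMARY_ENDPOINT + quote(identifier, safe="")


def resolve(identifier):
    """Look an identifier up in the constructed registry.

    Returns the (packageId, version) that matched, or None, which stands for the
    "Invalid Component Identifier or packageUrl" response in the report.
    """
    coords = json.loads(identifier)["coordinates"]
    entry = REGISTRY.get(coords["packageId"])
    if entry is None or coords["version"] not in entry["versions"]:
        return None
    return coords["packageId"], coords["version"]


def identifiers_collide(names, version, fold_case):
    """True when several distinct package names map onto one identifier.

    With case folding, an audit of Base64@X silently asks IQ about base64@X, so a
    result (or, as here, a 500) for the wrong package comes back.
    """
    return len({iq_component_identifier(n, version, fold_case) for n in names}) < len(names)


def audit_lock(lock_json, fold_case=False):
    """Build one identifier per lockfile dependency (npm lockfile v1 'dependencies'
    layout) and report which resolve; None marks the entries IQ would reject."""
    lock = json.loads(lock_json)
    return {
        name: resolve(iq_component_identifier(name, dep["version"], fold_case))
        for name, dep in lock.get("dependencies", {}).items()
    }


# Constructed lockfile fragment: the report's Base64@0.2.1 plus the lower-case package.
SAMPLE_LOCK = json.dumps({
    "dependencies": {
        "Base64": {"version": "0.2.1"},
        "base64": {"version": "0.3.0"},
    }
})

if __name__ == "__main__":
    for fold in (True, False):
        print("fold_case =", fold)
        print("  request:", summary_url(iq_component_identifier("Base64", "0.2.1", fold)))
        print("  results:", audit_lock(SAMPLE_LOCK, fold))
        print("  names collide:", identifiers_collide(["base64", "Base64"], "0.2.1", fold))
```

Running the script with fold_case=True yields the same componentIdentifier query string as the IQ log and a None result for Base64@0.2.1; with fold_case=False both lockfile entries resolve and the two names no longer collide.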

              People

               Assignee: Mick Allen (mallen)
               Reporter: Rich Seddon (rseddon)
               Last Updated By: Rich Seddon
               Team: NXRM - Groot
               Votes: 0
               Watchers: 5
