Details
- Bug
- Resolution: Fixed
- Major
- 3.29.2
- 3
- 3
Description
Audit requests to an npm proxy repo running 3.29.2 were noticed to cause 500 responses from NXRM and these messages in the nexus.log:
2021-03-24 19:02:24,606+0000 ERROR [qtp890273202-2550366] *UNKNOWN org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler - java.util.concurrent.ExecutionException: java.lang.IllegalStateException: Missing: org.sonatype.nexus.repository.view.matchers.token.TokenMatcher$State
java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.IllegalStateException: Missing: org.sonatype.nexus.repository.view.matchers.token.TokenMatcher$State
    at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:115)
    at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getAuditRepositoryComponents(NpmAuditFacet.java:313)
    at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getComponentsVulnerabilityFromRemoteServer(NpmAuditFacet.java:254)
    at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.analyzeComponents(NpmAuditFacet.java:224)
    at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.audit(NpmAuditFacet.java:163)
    at org.sonatype.nexus.repository.npm.internal.NpmAuditQuickHandler.handle(NpmAuditQuickHandler.java:41)
    at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
    at org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler.handle(NpmAuditErrorHandler.java:67)
    at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
    at org.sonatype.nexus.repository.storage.UnitOfWorkHandler.handle(UnitOfWorkHandler.java:39)
    at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
    at org.sonatype.nexus.repository.security.SecurityHandler.handle(SecurityHandler.java:51)
    at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
    at com.sonatype.analytics.internal.handler.AnalyticsMeteringHandler.handle(AnalyticsMeteringHandler.java:69)
    at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
    at org.sonatype.nexus.repository.view.handlers.TimingHandler.handle(TimingHandler.java:58)
    at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
    at org.sonatype.nexus.repository.view.Context.start(Context.java:179)
    at org.sonatype.nexus.repository.view.Router.dispatch(Router.java:65)
    at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:52)
    at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:43)
    ...
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.util.concurrent.ExecutionException: java.lang.IllegalStateException: Missing: org.sonatype.nexus.repository.view.matchers.token.TokenMatcher$State
    at java.util.concurrent.FutureTask.report(FutureTask.java:122)
    at java.util.concurrent.FutureTask.get(FutureTask.java:192)
    at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:111)
    ... 109 common frames omitted
Caused by: java.lang.IllegalStateException: Missing: org.sonatype.nexus.repository.view.matchers.token.TokenMatcher$State
    at com.google.common.base.Preconditions.checkState(Preconditions.java:508)
    at org.sonatype.nexus.common.collect.AttributesMap.require(AttributesMap.java:223)
    at org.sonatype.nexus.repository.npm.internal.orient.OrientNpmProxyFacet.matcherState(OrientNpmProxyFacet.java:481)
    at org.sonatype.nexus.repository.npm.internal.orient.OrientNpmProxyFacet.getCachedContent(OrientNpmProxyFacet.java:143)
    at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.maybeGetCachedContent(ProxyFacetSupport.java:375)
    at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.get(ProxyFacetSupport.java:235)
    at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.getComponentHashsum(NpmAuditTarballFacet.java:167)
    at org.sonatype.nexus.repository.npm.internal.orient.OrientNpmAuditTarballFacet.getComponentHashsumForProxyRepo(OrientNpmAuditTarballFacet.java:61)
    at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:147)
    at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.lambda$2(NpmAuditTarballFacet.java:102)
    at org.sonatype.nexus.thread.internal.MDCAwareCallable.call(MDCAwareCallable.java:41)
    at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
    at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    ... 1 common frames omitted
The exact reproduction steps are not known yet and we only have one report of this. This issue is filed for tracking and investigation.
[Update]
Steps to reproduce
- take the package.json and package-lock.json attached to ticket 55036 and save to a folder
- from a terminal, go to that folder
- run npm audit (or if you want to match the customer's comment with additional debug then run npm audit --production --audit-level=critical -ddd)
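
To confirm that a run of the steps above (or a production instance) hit this failure, the nexus.log can be scanned for the signature shown in the description. The following is an added example, not code from this ticket or from Sonatype: it assumes the log line layout shown above, the function names `split_entries` and `audit_failures` are hypothetical, and the sample lines are constructed from the trace in this ticket.

```python
import re

# A nexus.log entry starts with: timestamp LEVEL [thread] user logger - message
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4}) +(?P<level>[A-Z]+) +"
    r"\[[^\]]+\] +\S+ +(?P<logger>\S+) - (?P<msg>.*)$"
)
AUDIT_LOGGER = "org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler"
CAUSE = "Caused by: "
MISSING = "Missing: org.sonatype.nexus.repository.view.matchers.token.TokenMatcher$State"

# Constructed sample: the ticket's entry with most stack frames dropped.
SAMPLE = "\n".join([
    "2021-03-24 19:02:24,606+0000 ERROR [qtp890273202-2550366] *UNKNOWN " + AUDIT_LOGGER
    + " - java.util.concurrent.ExecutionException: java.lang.IllegalStateException: " + MISSING,
    "\tat org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:115)",
    CAUSE + "java.lang.IllegalStateException: " + MISSING,
    "\tat com.google.common.base.Preconditions.checkState(Preconditions.java:508)",
    "\tat org.sonatype.nexus.common.collect.AttributesMap.require(AttributesMap.java:223)",
    "2021-03-24 19:02:25,000+0000 INFO [qtp1-1] admin org.example.Other - unrelated (made up)",
])


def split_entries(text):
    """Attach continuation lines (stack frames, 'Caused by:') to their log entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({**m.groupdict(), "extra": []})
        elif entries and line.strip():
            entries[-1]["extra"].append(line.strip())
    return entries


def audit_failures(text):
    """Return one dict per audit ERROR: timestamp, innermost cause, frame that threw."""
    results = []
    for e in split_entries(text):
        if e["level"] != "ERROR" or e["logger"] != AUDIT_LOGGER:
            continue
        extra = e["extra"]
        causes = [i for i, line in enumerate(extra) if line.startswith(CAUSE)]
        root = extra[causes[-1]][len(CAUSE):] if causes else e["msg"]
        tail = extra[causes[-1] + 1:] if causes else []
        frames = [l[3:] for l in tail if l.startswith("at ")]
        results.append({"ts": e["ts"], "root_cause": root,
                        "thrown_at": frames[0] if frames else None})
    return results
```

Pass the contents of a real nexus.log to `audit_failures` to list each failed audit request with its innermost cause.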