Dev - Nexus Repo / NEXUS-27629

logging is too verbose when the submitted application id from npm audit is not found in the connected IQ server


    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.30.1
    • Fix Version/s: None
    • Component/s: Logging, npm-audit
    • Labels:
    • Notability:
      n/a

      Description

      Perform an npm audit command against NXRM using an application id that is not present in the connected IQ Server. NXRM will log 2 stack traces, one at WARN level and one at ERROR level.

      2021-05-12 09:47:25,722+0000 ERROR [qtp971333822-2039]  bstrasser com.sonatype.nexus.clm.vulnerability.ComponentVulnerabilityListener - Can't find application id
      java.lang.IllegalStateException: Can't find application id
       at com.sonatype.nexus.clm.vulnerability.api.ApplicationsApi.lambda$1(ApplicationsApi.java:53)
       at java.util.Optional.orElseThrow(Optional.java:290)
       at com.sonatype.nexus.clm.vulnerability.api.ApplicationsApi.getAppId(ApplicationsApi.java:53)
       at com.sonatype.nexus.clm.vulnerability.service.ClmService.getAppId(ClmService.java:173)
       at com.sonatype.nexus.clm.vulnerability.service.ComponentEvaluationService.getComponentEvaluationReport(ComponentEvaluationService.java:107)
       at com.sonatype.nexus.clm.vulnerability.ComponentVulnerabilityListener.processRequest(ComponentVulnerabilityListener.java:117)
       at com.sonatype.nexus.clm.vulnerability.ComponentVulnerabilityListener.on(ComponentVulnerabilityListener.java:94)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:498)
       at com.google.common.eventbus.Subscriber.invokeSubscriberMethod(Subscriber.java:87)
       at com.google.common.eventbus.Subscriber$SynchronizedSubscriber.invokeSubscriberMethod(Subscriber.java:144)
       at com.google.common.eventbus.Subscriber$1.run(Subscriber.java:72)
       at com.google.common.util.concurrent.DirectExecutor.execute(DirectExecutor.java:30)
       at com.google.common.eventbus.Subscriber.dispatchEvent(Subscriber.java:67)
       at com.google.common.eventbus.Dispatcher$ImmediateDispatcher.dispatch(Dispatcher.java:186)
       at com.google.common.eventbus.EventBus.post(EventBus.java:212)
       at org.sonatype.nexus.internal.event.EventManagerImpl.post(EventManagerImpl.java:127)
       at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getComponentsVulnerabilityFromRemoteServer(NpmAuditFacet.java:302)
       at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.analyzeComponents(NpmAuditFacet.java:221)
       at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.audit(NpmAuditFacet.java:163)
       at org.sonatype.nexus.repository.npm.internal.NpmGroupAuditHandler.handle(NpmGroupAuditHandler.java:41)
       at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
       at org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler.handle(NpmAuditErrorHandler.java:67)
       at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
      
      
      2021-05-12 09:47:25,725+0000 WARN  [qtp971333822-2039]  bstrasser org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler - Internal error.
      java.util.concurrent.ExecutionException: org.sonatype.nexus.repository.vulnerability.exceptions.InternalException: Internal error.
       at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357)
       at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1928)
       at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getVulnerabilityResult(NpmAuditFacet.java:324)
       at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getComponentsVulnerabilityFromRemoteServer(NpmAuditFacet.java:304)
       at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.analyzeComponents(NpmAuditFacet.java:221)
       at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.audit(NpmAuditFacet.java:163)
       at org.sonatype.nexus.repository.npm.internal.NpmGroupAuditHandler.handle(NpmGroupAuditHandler.java:41)
       at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
       at org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler.handle(NpmAuditErrorHandler.java:67)
       at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
       at org.sonatype.nexus.repository.storage.UnitOfWorkHandler.handle(UnitOfWorkHandler.java:39)
       at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
       at org.sonatype.nexus.repository.security.SecurityHandler.handle(SecurityHandler.java:51)
       at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
       at com.sonatype.analytics.internal.handler.AnalyticsMeteringHandler.handle(AnalyticsMeteringHandler.java:69)
       at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
       at org.sonatype.nexus.repository.view.handlers.TimingHandler.handle(TimingHandler.java:58)
       at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
       at com.sonatype.analytics.internal.handler.AnalyticsNpmAuditHandler.handle(AnalyticsNpmAuditHandler.java:55)
      ...
      Caused by: org.sonatype.nexus.repository.vulnerability.exceptions.InternalException: Internal error.
       at com.sonatype.nexus.clm.vulnerability.ComponentVulnerabilityListener.on(ComponentVulnerabilityListener.java:102)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:498)
       at com.google.common.eventbus.Subscriber.invokeSubscriberMethod(Subscriber.java:87)
       at com.google.common.eventbus.Subscriber$SynchronizedSubscriber.invokeSubscriberMethod(Subscriber.java:144)
       at com.google.common.eventbus.Subscriber$1.run(Subscriber.java:72)
       at com.google.common.util.concurrent.DirectExecutor.execute(DirectExecutor.java:30)
       at com.google.common.eventbus.Subscriber.dispatchEvent(Subscriber.java:67)
       at com.google.common.eventbus.Dispatcher$ImmediateDispatcher.dispatch(Dispatcher.java:186)
       at com.google.common.eventbus.EventBus.post(EventBus.java:212)
       at org.sonatype.nexus.internal.event.EventManagerImpl.post(EventManagerImpl.java:127)
       at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getComponentsVulnerabilityFromRemoteServer(NpmAuditFacet.java:302)
       ... 109 common frames omitted
      
      

      Problem

      The stack traces are noise and unnecessarily alarming to server administrators. Further, while they are trying to be verbose to help pinpoint the root of the problem, the problem is well understood here, so "Caused by: org.sonatype.nexus.repository.vulnerability.exceptions.InternalException: Internal error." is useless for diagnosing the actual issue.

      Expected

      When a submitted application id cannot be found in the connected and working IQ server (application list was successfully retrieved):

      • do not log stack traces by default
      • do not log two WARN level or above log messages for the same error
      • log only one log statement at INFO level that the provided application id from an audit request could not be found in IQ server and include what the originating source of the id was (header / POST JSON payload)
      • if DEBUG is enabled, include stack trace from the originating exception in the log message, while still logging at INFO level
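
One way to implement the expected behaviour listed above, as an added example that is not Sonatype's code and not part of the original ticket. It assumes the SLF4J API is on the classpath; AuditAppIdLookup, IdSource, forLog, findAppId and resolveForAudit are hypothetical names. Because the application id is supplied by the client, the example also neutralises control characters before the value reaches the log.

```java
import java.util.Optional;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Added illustration: every class, enum and method name here is hypothetical, not NXRM code.
public class AuditAppIdLookup {
  private static final Logger log = LoggerFactory.getLogger(AuditAppIdLookup.class);

  // Where the audit request carried the id (the ticket names header and POST JSON payload).
  public enum IdSource { HEADER, JSON_PAYLOAD }

  // The id is client-supplied: neutralise control characters (CR/LF log forging) and cap length.
  static String forLog(String raw) {
    if (raw == null) {
      return "<none>";
    }
    String cleaned = raw.replaceAll("\\p{Cntrl}", "_");
    return cleaned.length() > 64 ? cleaned.substring(0, 64) + "..." : cleaned;
  }

  // Stand-in for the lookup that throws in the ticket's trace (Optional.orElseThrow).
  static String findAppId(Set<String> iqApplicationIds, String requestedId) {
    return iqApplicationIds.stream()
        .filter(id -> id.equals(requestedId))
        .findFirst()
        .orElseThrow(() -> new IllegalStateException("Can't find application id"));
  }

  // iqApplicationIds is the list already retrieved from a reachable IQ Server, so a miss
  // here is a client input problem, not a server fault: one INFO line, nothing at WARN/ERROR.
  public static Optional<String> resolveForAudit(
      Set<String> iqApplicationIds, String requestedId, IdSource source) {
    try {
      return Optional.of(findAppId(iqApplicationIds, requestedId));
    } catch (IllegalStateException e) {
      String msg = "npm audit: application id '{}' (from {}) not found in IQ Server";
      if (log.isDebugEnabled()) {
        // SLF4J prints a trailing Throwable argument as the stack trace; level stays INFO.
        log.info(msg, forLog(requestedId), source, e);
      } else {
        log.info(msg, forLog(requestedId), source);
      }
      return Optional.empty(); // the caller decides what to return to the npm client
    }
  }
}
```

Keeping this outcome at INFO leaves WARN and ERROR free for genuine IQ connectivity or server faults, which is what log-based alerting should key on.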


            People

            Assignee: Unassigned
            Reporter: plynch Peter Lynch
            Last Updated By: Rich Seddon