Dev - Nexus Repo
NEXUS-27630

npm audit does not work with npm CLI versions 6.x and any proprietary npm package dependencies


    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.30.0
    • Fix Version/s: None
    • Component/s: npm-audit
    • Notability: 2

      Description

      npm audit used with npm CLI 6.x versions may not work, even when configured as documented. This can happen if the evaluated project has any package dependencies which are not in the official registry.

      The client side will report errors such as:

      npm http fetch POST 500 http://localhost:8081/repository/npm-group/-/npm/v1/security/audits 10672ms
      npm verb stack Error: Your configured registry (http://localhost:8081/repository/npm-group/) may not support audit requests, or the audit endpoint may be temporarily unavailable.
      npm verb stack The server said: 
      npm verb stack ==================================================================
      npm verb stack Error fetching npm audit data. 
      npm verb stack See nexus.log for more details or contact your Nexus Repository Manager administrator.
      npm verb stack ==================================================================
      

      NXRM will record stack traces such as:

      2021-05-17 16:04:33,336-0300 WARN  [qtp2140122311-269] *UNKNOWN org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler - An error occurred retrieving component remediation from Sonatype IQ Server.
      java.util.concurrent.ExecutionException: org.sonatype.nexus.repository.vulnerability.exceptions.VulnerabilityFetchingException: An error occurred retrieving component remediation from Sonatype IQ Server.
      	at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357)
      	at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1928)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getVulnerabilityResult(NpmAuditFacet.java:324)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getComponentsVulnerabilityFromRemoteServer(NpmAuditFacet.java:304)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.analyzeComponents(NpmAuditFacet.java:221)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.audit(NpmAuditFacet.java:163)
      	at org.sonatype.nexus.repository.npm.internal.NpmGroupAuditHandler.handle(NpmGroupAuditHandler.java:41)
      	
      Caused by: org.sonatype.nexus.repository.vulnerability.exceptions.VulnerabilityFetchingException: An error occurred retrieving component remediation from Sonatype IQ Server.
      	at com.sonatype.nexus.clm.vulnerability.service.ComponentRemediationService.fillComponentRemediationVersions(ComponentRemediationService.java:146)
      	at com.sonatype.nexus.clm.vulnerability.service.ComponentRemediationService.getRemediationVersions(ComponentRemediationService.java:117)
      	at com.sonatype.nexus.clm.vulnerability.ComponentVulnerabilityListener.processRequest(ComponentVulnerabilityListener.java:121)
      	at com.sonatype.nexus.clm.vulnerability.ComponentVulnerabilityListener.on(ComponentVulnerabilityListener.java:94)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at com.google.common.eventbus.Subscriber.invokeSubscriberMethod(Subscriber.java:87)
      	at com.google.common.eventbus.Subscriber$SynchronizedSubscriber.invokeSubscriberMethod(Subscriber.java:144)
      	at com.google.common.eventbus.Subscriber$1.run(Subscriber.java:72)
      	at com.google.common.util.concurrent.DirectExecutor.execute(DirectExecutor.java:30)
      	at com.google.common.eventbus.Subscriber.dispatchEvent(Subscriber.java:67)
      	at com.google.common.eventbus.Dispatcher$ImmediateDispatcher.dispatch(Dispatcher.java:186)
      	at com.google.common.eventbus.EventBus.post(EventBus.java:212)
      	at org.sonatype.nexus.internal.event.EventManagerImpl.post(EventManagerImpl.java:127)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getComponentsVulnerabilityFromRemoteServer(NpmAuditFacet.java:302)
      	... 109 common frames omitted
      

      and IQ Server will report a mix of 200 and 400 status codes for component remediations:

      10.100.10.30 - admin [17/May/2021:15:29:38 +0000] "POST /api/v2/components/remediation/application/616e52333ed1457797e9786380194cf6 HTTP/1.1" 400 42 633 "Nexus/3.30.0-01 (PRO; Linux; 5.4.0-72-generic; amd64; 1.8.0_282)"
      10.100.10.30 - admin [17/May/2021:15:29:39 +0000] "POST /api/v2/components/remediation/application/616e52333ed1457797e9786380194cf6 HTTP/1.1" 400 42 335 "Nexus/3.30.0-01 (PRO; Linux; 5.4.0-72-generic; amd64; 1.8.0_282)"
      
      10.100.10.30 - admin [17/May/2021:15:29:39 +0000] "POST /api/v2/components/remediation/application/616e52333ed1457797e9786380194cf6 HTTP/1.1" 200 37 1002 "Nexus/3.30.0-01 (PRO; Linux; 5.4.0-72-generic; amd64; 1.8.0_282)"
      10.100.10.30 - admin [17/May/2021:15:29:39 +0000] "POST /api/v2/components/remediation/application/616e52333ed1457797e9786380194cf6 HTTP/1.1" 200 37 1029 "Nexus/3.30.0-01 (PRO; Linux; 5.4.0-72-generic; amd64; 1.8.0_282)"
      10.100.10.30 - admin [17/May/2021:15:29:39 +0000] "POST /api/v2/components/remediation/application/616e52333ed1457797e9786380194cf6 HTTP/1.1" 200 37 1114 "Nexus/3.30.0-01 (PRO; Linux; 5.4.0-72-generic; amd64; 1.8.0_282)"
      10.100.10.30 - admin [17/May/2021:15:29:39 +0000] "POST /api/v2/components/remediation/application/616e52333ed1457797e9786380194cf6 HTTP/1.1" 400 42 522 "Nexus/3.30.0-01 (PRO; Linux; 5.4.0-72-generic; amd64; 1.8.0_282)"
      

      This seems to fail when the npm package being audited has dependencies which are innersource (not available as components that IQ data recognizes).
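A triage helper, added here and not part of the issue or of NXRM, that lists the dependencies in an npm 6.x package-lock.json (lockfileVersion 1) which the public registry does not know, i.e. the innersource packages this issue says make the audit fail. Because every resolved URL names the group repository when .npmrc points at NXRM, the check goes by package name; the @acme / acme-* packages, the KNOWN_PUBLIC set and the is_public lookup are constructed assumptions.

```python
import urllib.error
import urllib.request

OFFICIAL_REGISTRY = "https://registry.npmjs.org/"
GROUP = "http://localhost:8081/repository/npm-group/"  # the NXRM group from the issue

# Constructed lockfileVersion 1 tree as npm 6.x writes it when .npmrc points at
# the group: every resolved URL names the proxy, so origin cannot be read off it.
# The @acme / acme-* packages are invented innersource names.
SAMPLE_LOCK = {"name": "example-app", "lockfileVersion": 1, "dependencies": {
    "lodash": {"version": "4.17.21", "resolved": GROUP + "lodash/-/lodash-4.17.21.tgz"},
    "@acme/auth-client": {"version": "2.1.0",
        "resolved": GROUP + "@acme/auth-client/-/auth-client-2.1.0.tgz",
        "dependencies": {"acme-crypto-shim": {"version": "0.3.2"},
                         "debug": {"version": "4.3.4"}}},
}}
KNOWN_PUBLIC = {"lodash", "debug"}  # constructed stand-in for the online lookup

def walk_lock(lock):
    """Yield (name, version) for every node of the nested v1 dependency tree."""
    for name, meta in lock.get("dependencies", {}).items():
        yield name, meta.get("version")
        yield from walk_lock(meta)  # nested deps use the same shape

def is_public(name):
    """Assumed online lookup: HEAD the package's public metadata URL (404 = unknown)."""
    url = OFFICIAL_REGISTRY + name.replace("/", "%2F")  # scoped names encode the slash
    try:
        with urllib.request.urlopen(urllib.request.Request(url, method="HEAD"), timeout=10) as r:
            return r.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise

def find_private_deps(lock, lookup=is_public):
    """Return sorted 'name@version' strings whose package name the lookup rejects."""
    private, seen = set(), set()
    for name, version in walk_lock(lock):
        if name not in seen and not lookup(name):
            private.add(f"{name}@{version}")
        seen.add(name)
    return sorted(private)

if __name__ == "__main__":  # offline demo; pass json.load(open("package-lock.json")) and is_public for a live project
    for dep in find_private_deps(SAMPLE_LOCK, lookup=KNOWN_PUBLIC.__contains__):
        print("not in the official registry:", dep)
```

Any name the script reports is a candidate for the 400 responses IQ Server returns for component remediation, so it tells you which packages to exclude or mirror before retrying the audit.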

      Versions of the npm CLI which fail seem to include:

      6.14.4
      6.14.12
      6.14.13

      Workaround

      Using npm CLI version 7.13.0 worked (as did other 7.x versions).

      Expected

      Either make the 6.x CLI version work and document how, or clarify that this version is no longer supported.

            People

            Assignee: Unassigned
            Reporter: Peter Lynch (plynch)
            Last Updated By: Beat Strasser
            Votes: 0
            Watchers: 4
