  1. Dev - Nexus Repo
  2. NEXUS-31188

Nexus Firewall quarantined component returns 404 status through group repository instead of 403

    Details

    • Story Points:
      3
    • Sprint:
      NXRM Immortals Sprint 39, NXRM Immortals Sprint 40
    • Notability:
      3
    • InvestmentLayer:
      support-escalated
    • Aha Concept:
      non-concept

      Description

      Configure a nuget.org v3 proxy repository in Nexus Repo 3.37.3 running new DB (h2 or postgres). Enable audit and quarantine on it. Configure firewall policies to fail for security-critical, security-high, and security-medium. Add this proxy repository to a nuget group repository.

      Request this package through it:

      /repository/nuget-groupl/v3/content/log4net/2.0.3/log4net.2.0.3.nupkg

      This will fail with a 404.

      The logs show:

      2022-02-10 08:46:06,188-0600 INFO [qtp1852501519-676] admin com.sonatype.nexus.clm.internal.datastore.FirewallContributedHandler - Blocked serving of quarantined asset nuget.org-proxy:/log4net/2.0.3 because quarantineStatus=DENY


      Expected: This is a regression; the group should return a 403, not a 404.
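
      With this behaviour the client only sees a 404, so the FirewallContributedHandler line in nexus.log is the signal that a request was actually a quarantine block. The following is an added example, not part of the original issue or of Sonatype's code: it parses that log line and matches it against 404 responses to pick out the requests that were firewall denials. The request tuples, the 2-second matching window and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Matches the FirewallContributedHandler line quoted in the issue description.
BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}[+-]\d{4})\s+\S+\s+\[[^\]]+\]\s+(?P<user>\S+)\s+"
    r"\S*FirewallContributedHandler - Blocked serving of quarantined asset "
    r"(?P<repo>[^:\s]+):(?P<asset>\S+) because quarantineStatus=(?P<status>\w+)"
)

def parse_blocks(lines):
    """Return one dict per quarantine-block event found in nexus.log lines."""
    events = []
    for line in lines:
        m = BLOCK_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S,%f%z")
            events.append(ev)
    return events

def masked_denials(blocks, requests, window=timedelta(seconds=2)):
    """Find 404 responses that coincide with a quarantine block of the same asset.

    requests: iterable of (datetime, request_path, http_status); this shape is an
    assumption, fill it from whatever access log or proxy log you have.
    """
    hits = []
    for ts, path, status in requests:
        if status != 404:
            continue
        for ev in blocks:
            # The asset is logged as /<name>/<version>; look for it as a path segment pair.
            if ev["asset"] + "/" in path and abs(ts - ev["ts"]) <= window:
                hits.append((path, ev["repo"], ev["status"]))
                break
    return hits

# First line is the one from the issue; the second is constructed noise.
SAMPLE_LOG = [
    "2022-02-10 08:46:06,188-0600 INFO [qtp1852501519-676] admin com.sonatype.nexus.clm.internal.datastore.FirewallContributedHandler - Blocked serving of quarantined asset nuget.org-proxy:/log4net/2.0.3 because quarantineStatus=DENY",
    "2022-02-10 08:46:07,001-0600 INFO [qtp1852501519-677] admin example.constructed.Logger - unrelated message",
]
TZ = timezone(timedelta(hours=-6))
GROUP_PATH = "/repository/nuget-groupl/v3/content/log4net/2.0.3/log4net.2.0.3.nupkg"
# Constructed request records: one masked denial, one genuine 404, one success.
SAMPLE_REQUESTS = [
    (datetime(2022, 2, 10, 8, 46, 6, 190000, tzinfo=TZ), GROUP_PATH, 404),
    (datetime(2022, 2, 10, 8, 46, 6, 500000, tzinfo=TZ), "/repository/nuget-groupl/v3/content/missing/1.0.0/missing.1.0.0.nupkg", 404),
    (datetime(2022, 2, 10, 8, 46, 6, 700000, tzinfo=TZ), "/repository/nuget-groupl/v3/index.json", 200),
]

if __name__ == "__main__":
    for hit in masked_denials(parse_blocks(SAMPLE_LOG), SAMPLE_REQUESTS):
        print("404 was a quarantine block:", hit)
```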

              People

              Assignee:
              iudovika Igor Udovika
              Reporter:
              rseddon Rich Seddon
              Last Updated By:
              Igor Udovika
              Team:
              NXRM - Optimus
              Owner:
              Igor Udovika
              Votes:
              4
              Watchers:
              13
