1. Create a proxy repository to Maven Central: https://repo1.maven.org/maven2/
2. Make an inbound request to a directory path using a HEAD request.
3. Observe that Repo 3 ONLY sends an outbound GET request.
4. Observe that Repo 3 stores an asset with an empty asset name whose content is the HTML of the remote site at the URL https://repo1.maven.org/maven2/
The same issue can be replicated when requesting child paths:
Upstream Nexus Repository instances will send HEAD requests to a remote site to check if the repo is on-line (status check). If such a HEAD request arrives, it triggers the bug. Example inbound user agent making this request:
Another side effect of this behaviour is that it stores an asset whose name is EMPTY ("") inside the asset table. The IQ Server Repository Audit feature does not expect to receive an asset with a completely empty pathname (CLM-20848), and this breaks the bulk auditing feature of IQ Server.
- Inbound requests for directory paths (canonical URL ending with a slash) to Maven proxy repos should not cache the GET response payload from the remote site as an asset.
- Do not allow any Maven asset to be stored under an empty name; there is no known valid reason for this.
- An inbound HEAD request to a Maven repo should send only an equivalent outbound HEAD request to the remote, and not a GET request.
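
The three expected behaviours listed above, modelled as an added Python example (not Nexus Repository code). FakeRemote, MavenProxy and asset_name are hypothetical names, and the remote's responses are constructed.

```python
# Added model of the expected proxy behaviour; not Nexus Repository code.
# All names (FakeRemote, MavenProxy, asset_name) are hypothetical.
BASE = "https://repo1.maven.org/maven2/"


class FakeRemote:
    """Constructed stand-in for the remote site; records each outbound request."""

    def __init__(self):
        self.seen = []

    def request(self, method, url):
        self.seen.append((method, url))
        if url.endswith("/"):
            ctype, body = "text/html", b"<html>directory index</html>"
        else:
            ctype, body = "application/java-archive", b"constructed-jar-bytes"
        # A HEAD response carries headers only.
        return 200, ctype, (b"" if method == "HEAD" else body)


def asset_name(path):
    """Return the storable asset name for an inbound path, or None."""
    name = path.lstrip("/")
    if name == "" or name.endswith("/"):
        return None  # directory path or empty name: never an asset
    return name


class MavenProxy:
    def __init__(self, remote):
        self.remote = remote
        self.assets = {}  # asset name -> cached payload

    def handle(self, method, path):
        name = asset_name(path)
        url = BASE + path.lstrip("/")
        if method == "HEAD":
            # Inbound HEAD maps to outbound HEAD; nothing is cached.
            status, _, _ = self.remote.request("HEAD", url)
            return status, b""
        if name is not None and name in self.assets:
            return 200, self.assets[name]
        status, _, body = self.remote.request("GET", url)
        if status == 200 and name is not None:
            self.assets[name] = body  # only named, non-directory assets
        return status, body
```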