sonatype-nexus-community / nancy

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index
Apache License 2.0

Is returning 500 error when accessing OSS Index #263

Closed JasonQuinn closed 1 year ago

JasonQuinn commented 2 years ago

Running nancy has started returning a 500 error, "Error: An error occurred: [500 Internal Server Error] error accessing OSS Index", when running

https://ossindex.sonatype.org/updates-notice says there were index updates yesterday, and today is the first day I've seen it, so it might be related.

cc @bhamail / @DarthHater

bhamail commented 2 years ago

@JasonQuinn Thanks for the report! I'm asking around on my end to see what's happening.

sethlivingston commented 2 years ago

Looks like this could be related to some changes made yesterday, May 23:

Some ecosystems will no longer be supported. As part of this change we will be dropping support for Drupal, Debian, Chocolatey, Alpine, Bower and Go Dep. Note: Go Mod will continue to be supported and we encourage all OSS Index users to upgrade to newer Go Mod modules.

Source: https://ossindex.sonatype.org/updates-notice

ken-duck commented 2 years ago

It is almost certainly related. We have reportedly reproduced the problem and are looking into it internally. Sorry for the interruption; we will get this fixed ASAP.

ken-duck commented 2 years ago

A fix has been deployed. You should see Nancy working correctly now.

harshavardhana commented 2 years ago

Looks like now it's broken in different ways, with expired cert.

Error: Post "https://ossindex.sonatype.org/api/v3/component-report": x509: certificate has expired or is not yet valid: current time 2022-05-26T01:34:29Z is after 2022-05-25T23:59:59Z

ken-duck commented 2 years ago

Sorry for the problem. It should be resolved now.

Thanks for the heads up!

gedge commented 1 year ago

this has happened again - I'm getting 500s

Error: An error occurred: [500 Internal Server Error] error accessing OSS Index

akiffeyzioglu commented 1 year ago

I use version 1.0.41 and the pipeline gets this error:

Error: An error occurred: [500 Internal Server Error] error accessing OSS Index

redhug1 commented 1 year ago

I use version 1.0.41 and I'm getting 500s:

Error: An error occurred: [500 Internal Server Error] error accessing OSS Index

logfile shows:

{"level":"error","msg":"Error accessing OSS Index","resp_status_code":"500 Internal Server Error","time":"2022-10-18T08:04:08+01:00"}
{"error":"An error occurred: [500 Internal Server Error] error accessing OSS Index","level":"error","msg":"unexpected error in root cmd","time":"2022-10-18T08:04:08+01:00"}

I run with: go list -m all | nancy sleuth

sandypadmanabhan commented 1 year ago

I am getting a 500 Internal Server Error:

Error: An error occurred: [500 Internal Server Error] error accessing OSS Index

ping-localhost commented 1 year ago

v1.0.37 + v1.0.41 are currently not working:

{"level":"error","msg":"Error accessing OSS Index","resp_status_code":"500 Internal Server Error","time":"2022-10-18T14:13:03+02:00"}
{"error":"An error occurred: [500 Internal Server Error] error accessing OSS Index","level":"error","msg":"unexpected error in root cmd","time":"2022-10-18T14:13:03+02:00"}

I would also like to request that the command doesn't exit with error code 1, if the server cannot be reached, as this breaks pipelines. Maybe add an option to allow the command to pass if the server is returning errors or unreachable? 🤔
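One way a pipeline could act on the request above without changing nancy, as an added example that is not part of the thread or of nancy itself: a wrapper that recognises the two OSS Index failure messages quoted in this issue and reports them separately from other failures. The function names, the verdict words and exit code 75 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not nancy's code). Separates "OSS Index could not be queried"
# from every other non-zero exit, using the two error strings quoted in this
# thread. Exit code 75 and the verdict words are this example's own choices.

# classify_nancy STATUS OUTPUT -> prints a verdict, returns the gate's exit code
classify_nancy() {
    status=$1
    output=$2
    if [ "$status" -eq 0 ]; then
        echo clean
        return 0
    fi
    case $output in
        *"error accessing OSS Index"* | *"x509: certificate has expired"*)
            # No vulnerability data was obtained: the build is unverified,
            # not clean, so it gets its own code instead of 0.
            echo unverified
            return 75
            ;;
    esac
    # Assumption: any other non-zero exit (findings, bad input) blocks the build.
    echo failed
    return 1
}

# Hypothetical CI entry point: runs the scan from this thread and classifies it.
run_nancy_gate() {
    output=$(go list -json -m all | nancy sleuth 2>&1)
    status=$?
    printf '%s\n' "$output"
    classify_nancy "$status" "$output"
}
```

A pipeline can then retry or warn on 75 while still blocking on 1, so a service outage never gets recorded as a clean scan.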

TheoBrigitte commented 1 year ago

Same error here

$ CGO_ENABLED=0 go list -json -m all | nancy sleuth --skip-update-check
Error: An error occurred: [500 Internal Server Error] error accessing OSS Index

For more information, check the log file at /home/theo/.ossindex/nancy.combined.log
nancy version: 1.0.41
...
$ cat /home/theo/.ossindex/nancy.combined.log
{"level":"error","msg":"Error accessing OSS Index","resp_status_code":"500 Internal Server Error","time":"2022-10-18T14:36:07+02:00"}
{"error":"An error occurred: [500 Internal Server Error] error accessing OSS Index","level":"error","msg":"unexpected error in root cmd","time":"2022-10-18T14:36:07+02:00"}

AmanChh commented 1 year ago

Installing nancy version v1.0.33 ...
Error: An error occurred: [500 Internal Server Error] error accessing OSS Index

For more information, check the log file at /home/travis/.ossindex/nancy.combined.log
nancy version: 1.0.33

pablofrias commented 1 year ago

Any workaround on this until it gets fixed?

adamdecaf commented 1 year ago

Any workaround on this until it gets fixed?

Not really. We disabled nancy in our CI pipeline until this is fixed.

gedge commented 1 year ago

@ken-duck - have you seen this? 🙏

JohnStarich commented 1 year ago

I can reliably reproduce with this API request:

curl -X 'POST' \
  'https://ossindex.sonatype.org/api/v3/component-report' \
  -H 'accept: application/vnd.ossindex.component-report.v1+json' \
  -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  -d '{
  "coordinates": [
    "pkg:golang/github.com/IBM-Cloud/go-etcd-rules@v1.5.14"
  ]
}'

{"code":500,"message":"There was an error processing your request. It has been logged (ID 0c64132875b54062)."}

The version doesn't appear to matter. Any other public golang dependency I try appears to work.

harshavardhana commented 1 year ago

We moved away from this index to vulncheck by Go community, works like a charm.

bhamail commented 1 year ago

We're looking into the recent 500 errors from OSSIndex. So far, the errors appear to be component coordinate specific (e.g. not universal). Still digging.

bhamail commented 1 year ago

We found and fixed the problem. It was an edge case bug in a recent update to OSSIndex, and only certain components would have been affected.

Sorry for the disturbance, and special thanks to @JohnStarich for the helpful report - made it much easier to find the root cause.