sonatype / nexus-public

Sonatype Nexus Repository Open-source codebase mirror
https://www.sonatype.com/products/repository-oss-download
Eclipse Public License 1.0

Central Sync Rules: `no-traversal-paths-in-archive-file` suddenly failing with no change to artifacts #378

Closed lauzadis closed 5 months ago

lauzadis commented 5 months ago

What problem are you trying to solve?

We've recently started seeing a rules validation error no-traversal-paths-in-archive-file: Archives must not contain insecure paths when closing our staging repository (in preparation for release).

The artifact that fails this rule has not been changed since our last successful release. Has something changed in Nexus to cause this new validation failure?

The file that fails this rule is named iotanalytics-jvm-1.1.14.pom.md5, it contains the MD5 checksum for iotanalytics-jvm-1.1.14.pom. It is not an archive and definitely doesn't contain any paths.

The full error message is: Unable to process file /aws/sdk/kotlin/iotanalytics-jvm/1.1.14/iotanalytics-jvm-1.1.14.pom.md5: null. The null message makes me think there is some issue with Sonatype Nexus, but I'm not sure what.

Do you have a workaround you are using at present?

There's no workaround for us. We are fully blocked on publishing our artifacts.

What feature or behavior is this required for?

This is required for successfully closing and releasing our staging repositories.

How could we solve this issue? (Not knowing is okay!)

Help us by providing some more information about this validation rule, why it's failing, and how we can prevent it from failing. Is it possible to disable the MD5 checksum? There are also SHA1, SHA256, SHA512, etc. checksum files but MD5 is the only one which seems to be failing.

Tell us about your Nexus Repository deployment: what version, operating system, and database are you using?

We are using v2.15.1. I'm not sure about the OS / database.

lauzadis commented 5 months ago

Root cause: The content of /aws/sdk/kotlin/iotanalytics-jvm/1.1.14/iotanalytics-jvm-1.1.14.pom.md5 began with 07 07 02, which is the magic number for cpio crc archives, causing Sonatype Nexus to treat it like an archive when it wasn't. Fixed by bumping our SDK version to 1.1.15 (skipping 1.1.14) which results in a different MD5 checksum.

This should probably be fixed in Sonatype. This has happened to our teams 3 times in the past 2 years, so it's not as uncommon as it seems.
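An added illustration of the root cause described above (example code, not part of nexus-public or Nexus's actual rule implementation): the hex text of an MD5 digest can begin with the same ASCII digits as a cpio magic number, so a content sniffer that keys only on leading bytes will misclassify the `.md5` sidecar as an archive. The magic table, the stricter checksum test and the sample digest below are constructed assumptions.

```python
import hashlib
import re
from typing import Optional

# Assumed magic table (not Nexus's real one). cpio magics are six ASCII
# digits, which is exactly why a hex digest starting with them looks like
# an archive to a sniffer that only inspects the first bytes.
MAGIC_TABLE = {
    b"070707": "cpio (odc)",
    b"070701": "cpio (newc)",
    b"070702": "cpio (crc)",
}

# A .md5 sidecar is 32 hex digits, optionally followed by a file name.
MD5_SIDECAR_RE = re.compile(rb"^[0-9a-fA-F]{32}(?:[ \t]+\S+)?\s*$")

# Constructed sample: a digest whose hex text begins with the cpio crc magic.
SAMPLE_MD5_FILE = b"07070201234567890123456789abcdef\n"


def naive_sniff(data: bytes) -> Optional[str]:
    """Mimic a sniffer that classifies purely by leading bytes."""
    for magic, name in MAGIC_TABLE.items():
        if data.startswith(magic):
            return name
    return None


def is_md5_sidecar(data: bytes) -> bool:
    """Stricter test: the whole content must be a well-formed MD5 hex digest."""
    return MD5_SIDECAR_RE.match(data) is not None


def classify(name: str, data: bytes) -> str:
    """Use the file name plus full-content shape before trusting magic bytes."""
    if name.endswith(".md5") and is_md5_sidecar(data):
        return "checksum"
    return naive_sniff(data) or "unknown"


def md5_text_collides_with_magic(artifact: bytes) -> Optional[str]:
    """Pre-publish check: would this artifact's .md5 sidecar be sniffed as an archive?"""
    digest_text = hashlib.md5(artifact).hexdigest().encode("ascii")
    return naive_sniff(digest_text)
```

Running `md5_text_collides_with_magic` over each artifact before closing a staging repository flags the rare digests that will trip a magic-based rule, so the version can be adjusted before the upload rather than after a failed close.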

nblair commented 5 months ago

Hi @lauzadis thanks for opening an issue. The staging capability of Nexus Repository 2 is a Pro only feature, which suggests you have a paid license and can contact Sonatype Support for support on this topic.