I'm trying to replace helm package by manually creating the tgz archives, but when I upload those tgz files to the helm repository in Nexus, I get 504 errors. If I package the exact same chart with the helm package command it works.

Both archives works fine when interacting with the helm client directly, either for helm install or helm repo index, both commands work without any problem on the manually created tgz file. It's only when I upload it to Nexus that I have issues.

After lots of investigation, I was able to create an archive that doesn't make Nexus crash without using helm package. What made it work was to add the -b 1 flag to tar when creating the archive, setting the blocksize to a smaller value than the default 20, which result in a smaller tar file. For some reason, Nexus didn't crash anymore with that flag. And I also had to only add files explicitly, adding a folder recursively made it crash as well.

Versions:

• Nexus repository helm plugin (from git tag) 0.0.13
• Sonatype Nexus Repository ManagerPRO 3.19.1-01
• helm version:
  version.BuildInfo{Version:"v3.0.1", GitCommit:"7c22ef9ce89e0ebeb7125ba2ebf7d421f3e82ffa", GitTreeState:"clean", GoVersion:"go1.13.4"}

• What are you trying to do?

I created a repository called helm_hosted which is a hosted repository using an s3 blob store.

I also tried "Rebuild index" in case that did something, it did not help this issue.

helm repo add helm-hosted https://xxxx:[email protected]/repository/helm_hosted/

Output:

Error: looks like "https://xxxx:[email protected]/repository/helm_hosted/" is not a valid chart repository or cannot be reached: failed to fetch https://xxxx:[email protected]/repository/helm_hosted/index.yaml : 404 Not Found

• What feature or behavior is this required for?

I want to publish a helm chart, but I need to add a repository to publish to first.

• How could we solve this issue? (Not knowing is okay!)

This might be a regression of 7c41668

• Anything else?

Other people seem to be using this plugin?

Not sure if this is user error, or a bug. Let me know if this is a simple fix.

We might want to update the README if the helm repo add command is incorrect in the context of using Nexus.

A lot of tools and everything I see says you need a repository first before you can release a chart. In github they have you add a blank index.yaml so the repo add command works.

I can't touch a file in Nexus to get this to work, so I am not sure if this is a bug (since it was already patched?)

I am using nexus helm repository. Using my own ssl created certificate (not signed by any authority). Charts are already deployed in helm repository using some maven helm plugin.
I added helm repository successfully(helm repo add ..) but not able to run "helm dep update" command.
Looks like same certificate is not reused by "helm dep update"

# helm version
Client: &version.Version{SemVer:"v2.14.3", GitCommit:"0e7f3b6637f7af8fcfddb3d2941fcc7cbebb0085", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.14.3", GitCommit:"0e7f3b6637f7af8fcfddb3d2941fcc7cbebb0085", GitTreeState:"clean"}

# helm init --service-account tiller --upgrade
$HELM_HOME has been configured at /root/.helm.

# helm repo add --ca-file=nexushelm.cer nexus-helm-repo https://<nexus_host_ip>:8443/nexus/repository/helm-release-repo
"nexus-helm-repo" has been added to your repositories

#helm repo list
NAME            URL
stable          https://kubernetes-charts.storage.googleapis.com
local           http://127.0.0.1:8879/charts
nexus-helm-repo https://<nexus_host_ip>:8443/nexus/repository/helm-release-repo

#  cat requirements.yaml
dependencies:
-  name: my-application
   repository: https://<nexus_host_ip>:8443/nexus/repository/helm-release-repo
   version: 1.11.15

• What are you trying to do?
  update helm chart from hosted nexus helm repository.

• What feature or behavior is this required for?
  Not sure. May be option to specify ca-cert with "helm dep update "

• How could we solve this issue? (Not knowing is okay!)

• Anything else?
  Here is the error:

# helm dep update
Hang tight while we grab the latest from your chart repositories...
...Unable to get an update from the "local" chart repository (http://127.0.0.1:8879/charts):
        Get http://127.0.0.1:8879/charts/index.yaml: dial tcp 127.0.0.1:8879: connect: connection refused
...Successfully got an update from the "nexus-helm-repo" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete.
Saving 1 charts
Downloading my-application from repo https://<nexus_host_ip>:8443/nexus/repository/helm-release-repo
Save error occurred:  could not download https://<nexus_host_ip>:8443/nexus/repository/helm-release-repo/my-application-1.11.15.tgz: Get https://<nexus_host_ip>:8443/nexus/repository/helm-release-repo/my-application-1.11.15.tgz: x509: certificate signed by unknown authority
Deleting newly downloaded charts, restoring pre-update state
Error: could not download https://<nexus_host_ip>:8443/nexus/repository/helm-release-repo/my-application-1.11.15.tgz: Get https://<nexus_host_ip>:8443/nexus/repository/helm-release-repo/my-application-1.11.15.tgz: x509: certificate signed by unknown authority

using this image:
https://github.com/evryfs/sonatype-nexus-docker/blob/master/Dockerfile
the index is not updated.

01:57:09 Processing /charts/fsjetty
01:57:09 Successfully packaged chart and saved it to: /charts/fsjetty/fsjetty-0.6.2.tgz
01:57:09 Using cached login creds...
01:57:09 Pushing . to repo https://fsdepot.evry.com/nexus/repository/evryfs-helm//...
01:57:09   HTTP/1.1 100 Continue
01:57:09   
01:57:09   HTTP/1.1 200 OK
01:57:09   Date: Mon, 30 Sep 2019 23:57:09 GMT
01:57:09   Server: Nexus/3.19.0-01 (OSS)
01:57:09   X-Content-Type-Options: nosniff
01:57:09   Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
01:57:09   X-XSS-Protection: 1; mode=block
01:57:09   Content-Length: 0
01:57:09   Content-Type: application/x-gzip
01:57:09   

but:

NAME                    CHART VERSION   APP VERSION     DESCRIPTION                                             
evryfs-helm/fsjetty     0.6.0           9.4.x           ....

I can browse the package in right version - but metadata seems wrong

• What are you trying to do?
  I'm trying to build a sonatype/nexus3:latest container injecting this plugin.

To do that I used this Dockerfile that is mainly created starting from yours:

FROM maven:3-jdk-8-alpine AS build

ENV NEXUS_VERSION 3.13.0
ENV NEXUS_BUILD 01
ENV NEXUS_HELM_VERSION 0.0.3

ADD https://github.com/sonatype-nexus-community/nexus-repository-helm/archive/v${NEXUS_HELM_VERSION}.tar.gz /opt/

RUN tar -xvzf /opt/v${NEXUS_HELM_VERSION}.tar.gz -C /opt && \
    cd /opt/nexus-repository-helm-${NEXUS_HELM_VERSION} && \
    sed -i "s/3.13.0-01/${NEXUS_VERSION}-${NEXUS_BUILD}/g" pom.xml && \
    mvn clean package

FROM sonatype/nexus3:3.13.0
ENV NEXUS_VERSION "3.13.0"
ENV NEXUS_BUILD "01"
ENV NEXUS_HELM_VERSION "0.0.3"

ENV TARGET_DIR=/opt/sonatype/nexus/system/org/sonatype/nexus/plugins/nexus-repository-helm/${NEXUS_HELM_VERSION}/

USER root

RUN mkdir -p ${TARGET_DIR} && \
    sed -i 's@nexus-repository-maven</feature>@nexus-repository-maven</feature>\n        <feature prerequisite="false" dependency="false">nexus-repository-helm</feature>@g' /opt/sonatype/nexus/system/org/sonatype/nexus/assemblies/nexus-core-feature/${NEXUS_VERSION}-${NEXUS_BUILD}/nexus-core-feature-${NEXUS_VERSION}-${NEXUS_BUILD}-features.xml && \
    sed -i 's@<feature name="nexus-repository-maven"@<feature name="nexus-repository-helm" description="org.sonatype.nexus.plugins:nexus-repository-helm" version="0.0.3">\n        <details>org.sonatype.nexus.plugins:nexus-repository-helm</details>\n        <bundle>mvn:org.sonatype.nexus.plugins/nexus-repository-helm/0.0.3</bundle>\n        <bundle>mvn:org.apache.commons/commons-compress/1.11</bundle>\n   </feature>\n    <feature name="nexus-repository-maven"@g' /opt/sonatype/nexus/system/org/sonatype/nexus/assemblies/nexus-core-feature/${NEXUS_VERSION}-${NEXUS_BUILD}/nexus-core-feature-${NEXUS_VERSION}-${NEXUS_BUILD}-features.xml

COPY --from=build /opt/nexus-repository-helm-${NEXUS_HELM_VERSION}/target/nexus-repository-helm-${NEXUS_HELM_VERSION}.jar ${TARGET_DIR}

USER nexus

As you can see, I updated informations basing on your latest release 0.0.3 (uploaded 16 hours ago). But I had same problem also with the previous one (0.0.2)

When I run the docker image created in this way, I had this error:

2018-09-20 12:39:01,604+0000 WARN  [pool-15-thread-2]  *SYSTEM org.ops4j.pax.url.mvn.internal.AetherBasedResolver - Error resolving artifact org.apache.commons:commons-compress:jar:1.11: [Could not find artifact org.apache.commons:commons-compress:jar:1.11]
java.io.IOException: Error resolving artifact org.apache.commons:commons-compress:jar:1.11: [Could not find artifact org.apache.commons:commons-compress:jar:1.11]
	at org.ops4j.pax.url.mvn.internal.AetherBasedResolver.resolve(AetherBasedResolver.java:720)
	at org.ops4j.pax.url.mvn.internal.AetherBasedResolver.resolve(AetherBasedResolver.java:659)
	at org.ops4j.pax.url.mvn.internal.AetherBasedResolver.resolve(AetherBasedResolver.java:600)
	at org.ops4j.pax.url.mvn.internal.AetherBasedResolver.resolve(AetherBasedResolver.java:567)
	at org.apache.karaf.features.internal.download.impl.MavenDownloadTask.download(MavenDownloadTask.java:36)
	at org.apache.karaf.features.internal.download.impl.AbstractRetryableDownloadTask.run(AbstractRetryableDownloadTask.java:60)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
	Suppressed: shaded.org.eclipse.aether.transfer.ArtifactNotFoundException: Could not find artifact org.apache.commons:commons-compress:jar:1.11
		at shaded.org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:434)
		at shaded.org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:246)
		at shaded.org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifact(DefaultArtifactResolver.java:223)
		at shaded.org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveArtifact(DefaultRepositorySystem.java:294)
		at org.ops4j.pax.url.mvn.internal.AetherBasedResolver.resolve(AetherBasedResolver.java:705)
		... 12 common frames omitted
Caused by: shaded.org.eclipse.aether.resolution.ArtifactResolutionException: Error resolving artifact org.apache.commons:commons-compress:jar:1.11
	at shaded.org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:444)
	at shaded.org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:246)
	at shaded.org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifact(DefaultArtifactResolver.java:223)
	at shaded.org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveArtifact(DefaultRepositorySystem.java:294)
	at org.ops4j.pax.url.mvn.internal.AetherBasedResolver.resolve(AetherBasedResolver.java:705)
	... 12 common frames omitted

It seems that "someone" is looking for the package apache-commons-compress at 1.11 version. I saw that this package (in sonatype/nexus3 image) exists at 1.16 version.

Maybe I'm making some mistake but I don't know what. Could you help me?

If you need more info that can help you debugging, let me know.

• What feature or behavior is this required for?
  Sonatype Nexus 3 should start and Helm Chart repository should be available.

• How could we solve this issue? (Not knowing is okay!)
  I don't know at this stage.

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

• What are you trying to do?
  Add helm hosted repo locally when it's empty.
• What feature or behavior is this required for?
  When adding empty helm hosted repo, it throw
  index.yaml file not exist error.
  Since there's no charts on the repo, there's no index.yaml file either.
• How could we solve this issue? (Not knowing is okay!)
  The initial process for helm hosted repo should create an empty index.yaml and don't remove the file even the repo is empty.
• Anything else?
  N/A

I'm trying to upload a provenance file as part of a helm chart and it's throwing an error. Here's what I'm doing:

curl -v --user user-automation:xxxxxxxxxxxxxx --insecure -X POST 
'https://nexustest.somedomain.com/service/rest/v1/components?repository=some-repo 
-F [email protected] 
-F [email protected]
…
< HTTP/1.1 400 Bad Request
[{"id":"*","message":"The assets 1 and 2 have identical coordinates"}]

Do you have any idea of what I'm doing wrong?

Also, should I be able to set values like helm.app_version or helm.maintainers as fields in my post?

Thanks.

Recipes should use the helper method addBrowseUnsupportedRoute(builder) which was added back in 3.1.0 (sonatype/nexus-internal#976) rather than attempt to inject the handler directly and manually add the route.

This came up before with the Go format (sonatype/nexus-internal#4354) and it was noted that most of the plugins under https://github.com/sonatype-nexus-community/ needed a similar fix. Unfortunately the incorrect approach of injecting the handler directly continues to be copy-pasted around :/

This is the warning that appears at the moment:

2020-01-27 12:55:10,305-0800 WARN  [FelixStartLevel]  *SYSTEM com.google.inject.spi.InjectionPoint -
 Method: public void org.sonatype.repository.helm.internal.HelmRecipeSupport.setBrowseUnsupportedHandler(org.sonatype.nexus.repository.view.handlers.BrowseUnsupportedHandler)
 is not annotated with @Inject but is overriding a method that is annotated with @javax.inject.Inject.
  Because it is not annotated with @Inject, the method will not be injected. To fix this, annotate the method with @Inject.
2020-01-27 12:55:10,308-0800 WARN  [FelixStartLevel]  *SYSTEM com.google.inject.spi.InjectionPoint -
 Method: public void org.sonatype.repository.helm.internal.HelmRecipeSupport.setBrowseUnsupportedHandler(org.sonatype.nexus.repository.view.handlers.BrowseUnsupportedHandler)
 is not annotated with @Inject but is overriding a method that is annotated with @javax.inject.Inject.
  Because it is not annotated with @Inject, the method will not be injected. To fix this, annotate the method with @Inject.
2020-01-27 12:55:10,340-0800 WARN  [FelixStartLevel]  *SYSTEM com.google.inject.spi.InjectionPoint -
 Method: public void org.sonatype.repository.helm.internal.HelmRecipeSupport.setBrowseUnsupportedHandler(org.sonatype.nexus.repository.view.handlers.BrowseUnsupportedHandler)
 is not annotated with @Inject but is overriding a method that is annotated with @javax.inject.Inject.
  Because it is not annotated with @Inject, the method will not be injected. To fix this, annotate the method with @Inject.
2020-01-27 12:55:10,347-0800 WARN  [FelixStartLevel]  *SYSTEM com.google.inject.spi.InjectionPoint -
 Method: public void org.sonatype.repository.helm.internal.HelmRecipeSupport.setBrowseUnsupportedHandler(org.sonatype.nexus.repository.view.handlers.BrowseUnsupportedHandler)
 is not annotated with @Inject but is overriding a method that is annotated with @javax.inject.Inject.
  Because it is not annotated with @Inject, the method will not be injected. To fix this, annotate the method with @Inject.

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

• What are you trying to do?
  I am trying to use helm proxy and understood there are some similar questions posted but I still cannot figure out how to use it properly. Need a help.

• What feature or behavior is this required for?
  Issue:

...Successfully got an update from the "helm-proxy" chart repository
...Successfully got an update from the "au-jfrog-helm" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈Happy Helming!⎈
Saving 1 charts
Downloading base from repo http://localhost:8081/repository/jfrog-proxy/
Save error occurred:  could not download http://localhost:8081/repository/jfrog-proxy/autonomic/helm/base-0.0.1-alpha.84.tgz: Failed to fetch http://localhost:8081/repository/jfrog-proxy/autonomic/helm/base-0.0.1-alpha.84.tgz : 404 Not Found
Deleting newly downloaded charts, restoring pre-update state
Error: could not download http://localhost:8081/repository/jfrog-proxy/autonomic/helm/base-0.0.1-alpha.84.tgz: Failed to fetch http://localhost:8081/repository/jfrog-proxy/autonomic/helm/base-0.0.1-alpha.84.tgz : 404 Not Found

proxy setup:

helm repo list:
NAME                 URL
helm-proxy   	http://localhost:8081/repository/jfrog-proxy/

index.yaml

apiVersion: v1
entries:
  base:
  - apiVersion: v1
    created: 2018-10-25T19:56:58.589Z
    description: A base Helm chart for Autonomic general use
    digest: 3554b5981ca4eb4f41ca1b00585be8518a83afeb962c418588aaf7c324174d61
    name: base
    urls:
    - autonomic/helm/base-0.0.1-alpha.84.tgz
    version: 0.0.1-alpha.84

requirements.yaml

dependencies:
  - name: base
    version: "^0.0.x-alpha.x"
     repository: http://localhost:8081/repository/jfrog-proxy/

• How could we solve this issue? (Not knowing is okay!)
  N/A
• Anything else?
  N/A

first
docker build -t nexus-repository-helm:0.0.2 .
then erro:
failed to update the store state of sandbox: failed to update store for object type *libnetwork.sbState: json: cannot unmarshal object into Go struct field sbState.ExtDNS of type string

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

• What are you trying to do?
  Delete a chart from helm repository

• What feature or behavior is this required for?
  To perform clean-ups of temporary charts

• How could we solve this issue? (Not knowing is okay!)
  By implementing a delete route

• Anything else?

• What are you trying to do?
  I trying to setup the plugin.

I've added on :

nexus/latest/system/org/sonatype/nexus/assemblies/nexus-core-feature/3.8.0-02/nexus-core-feature-3.8.0-02-features.xml

The lines below as you said on your procedure.
<feature version="3.8.0.02" prerequisite="false" dependency="false">nexus-task-log-cleanup</feature> <feature prerequisite="false" dependency="false">nexus-repository-helm</feature>

When i start nexus ./nexus run
i'get the error below . I've checked the owner of the directory , the name of the directory and everything is good

Caused by: org.osgi.service.resolver.ResolutionException: Unable to resolve root: missing requirement [root] osgi.identity; osgi.identity=nexus-core-feature; type=karaf.feature; version=0; filter:="(&(osgi.identity=nexus-core-feature)(type=karaf.feature)(version>=0.0.0))" [caused by: Unable to resolve nexus-core-feature/3.8.0.02: missing requirement [nexus-core-feature/3.8.0.02] osgi.identity; osgi.identity=nexus-repository-helm; type=karaf.feature; version="[0.0.4,0.0.4]" [caused by: Unable to resolve nexus-repository-helm/0.0.4: missing requirement [nexus-repository-helm/0.0.4] osgi.identity; osgi.identity=org.sonatype.repository.nexus-repository-helm; type=osgi.bundle; version="[0.0.4,0.0.4]"; resolution:=mandatory [caused by: Unable to resolve org.sonatype.repository.nexus-repository-helm/0.0.4: missing requirement [org.sonatype.repository.nexus-repository-helm/0.0.4] osgi.wiring.package; filter:="(&(osgi.wiring.package=com.google.common.base)(version>=25.0.0))"]]]
        at org.apache.felix.resolver.ResolutionError.toException(ResolutionError.java:42)
        at org.apache.felix.resolver.ResolverImpl.doResolve(ResolverImpl.java:389)
        at org.apache.felix.resolver.ResolverImpl.resolve(ResolverImpl.java:375)
        at org.apache.felix.resolver.ResolverImpl.resolve(ResolverImpl.java:347)
        at org.apache.karaf.features.internal.region.SubsystemResolver.resolve(SubsystemResolver.java:216)
        at org.apache.karaf.features.internal.service.Deployer.deploy(Deployer.java:263)
        at org.apache.karaf.features.internal.service.Deployer.deploy(Deployer.java:259)
        at org.apache.karaf.features.internal.service.FeaturesServiceImpl.doProvision(FeaturesServiceImpl.java:1176)
        at org.apache.karaf.features.internal.service.FeaturesServiceImpl$1.call(FeaturesServiceImpl.java:1074)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:748)
2018-09-26 15:07:37,905+0200 DEBUG [FelixStartLevel] *SYSTEM org.sonatype.nexus.extender - BundleEvent STOPPING - org.sonatype.nexus.extender
2018-09-26 15:07:37,944+0200 INFO  [FelixStartLevel] *SYSTEM org.sonatype.nexus.extender.NexusContextListener - Uptime: 14 seconds and 502 milliseconds
2018-09-26 15:07:37,946+0200 INFO  [FelixStartLevel] *SYSTEM org.sonatype.nexus.extender.NexusLifecycleManager - Stop KERNEL

nexus : 3.8.0.-02
Red Hat Enterprise Linux Server release 6.6

Hi team,

Thanks for your work on this plugin.
Could you add the support of the latest 3.17?
Thanks
Nicolas

background: #48 (comment)

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

• What are you trying to do?

I try to add a new Helm catalog (hosted) in Rancher but the template version is not detected in the form

• What feature or behavior is this required for?

• How could we solve this issue? (Not knowing is okay!)

• Anything else?

I use Nexus Repository Manager OSS 3.21.2. I tried to use hosted helm repo, but can't push chart to it.
I use helm-push plugin (https://github.com/chartmuseum/helm-push), it works with every helm repos i used exept Nexus helm repo.
I got error:
405 HTTP method POST is not supported by this URL

Usage of Nexus API to upload chart (#2 (comment)) is very inconvenient way in CI/CD pipelines.
Please, add the support of helm push plugin.

Hi,
question: Does the plugin also provides some groovy scripting support?

• What are you trying to do?

Creating a helm repo with support of the scripting API. E.g. something like repository.createPyPiProxy(...)

• What feature or behavior is this required for?

Creating a helm repo outside the UI

Thanks
Markus

• What are you trying to do?
  Creating a hosted Helm repository.

• What feature or behavior is this required for?
  To publish inhouse Helm Charts

• Anything else?
  Is there any plan to support hosted (and probably proxy) Helm repositories?

Step 6/15 : RUN cd /nexus-repository-helm/; sed -i "s/3.14.0-04/${NEXUS_VERSION}-${NEXUS_BUILD}/g" pom.xml; mvn clean package;
---> Running in a74dc0601fd8
[INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/org/sonatype/nexus/plugins/nexus-plugins/3.14.0-04/nexus-plugins-3.14.0-04.pom
[ERROR] [ERROR] Some problems were encountered while processing the POMs:
[FATAL] Non-resolvable parent POM for org.sonatype.nexus.plugins:nexus-repository-helm:0.0.7: Could not transfer artifact org.sonatype.nexus.plugins:nexus-plugins:pom:3.14.0-04 from/to central (https://repo.maven.apache.org/maven2): repo.maven.apache.org: Try again and 'parent.relativePath' points at wrong local POM @ line 19, column 11
@
[ERROR] The build could not read 1 project -> [Help 1]
[ERROR]
[ERROR] The project org.sonatype.nexus.plugins:nexus-repository-helm:0.0.7 (/nexus-repository-helm/pom.xml) has 1 error
[ERROR] Non-resolvable parent POM for org.sonatype.nexus.plugins:nexus-repository-helm:0.0.7: Could not transfer artifact org.sonatype.nexus.plugins:nexus-plugins:pom:3.14.0-04 from/to central (https://repo.maven.apache.org/maven2): repo.maven.apache.org: Try again and 'parent.relativePath' points at wrong local POM @ line 19, column 11: Unknown host repo.maven.apache.org: Try again -> [Help 2]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/ProjectBuildingException
[ERROR] [Help 2] http://cwiki.apache.org/confluence/display/MAVEN/UnresolvableModelException
The command '/bin/sh -c cd /nexus-repository-helm/; sed -i "s/3.14.0-04/${NEXUS_VERSION}-${NEXUS_BUILD}/g" pom.xml; mvn clean package;' returned a non-zero code: 1

Is there any installation procedure for this repository?

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

• What are you trying to do?
  I'm trying to get information about usage Nexus as Helm Chart repository
• What feature or behavior is this required for?
  Readme fix
• How could we solve this issue? (Not knowing is okay!)
  I suppose check and fix the URL within the text "We have detailed instructions on how to get started here!"
• Anything else?

Vulnerabilities

DepShield reports that this application's usage of org.apache.tika:tika-core:1.19.1 results in the following vulnerability(s):

• (CVSS 6.5) [CVE-2018-17197] Uncontrolled Resource Consumption ("Resource Exhaustion")

Occurrences

org.apache.tika:tika-core:1.19.1 is a transitive dependency introduced by the following direct dependency(s):

• org.sonatype.nexus:nexus-plugin-api:3.15.2-01
        └─ org.sonatype.nexus:nexus-mime:3.15.2-01
              └─ org.apache.tika:tika-core:1.19.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Trying to build nexus-repository-helm plugin with the setup below, but it doesn't work. Most probably a setup issue but, as I'm not a Java developer, I can't say what's working.

Build environment: Docker container (ubuntu:18.04)
Java installed: default-jdk (openjdk version 11.0.4)
Maven installed: apache-maven-3.6.1-bin.tar.gz
mvn -v:
Apache Maven 3.6.1
Maven home: /opt/apache-maven-3.6.1
Java version: 11.04, vendor: Ubuntu, runtime: /usr/lib/jvm/java-11-openjdk-amd64
OS name: "linux", version: "4.14.122-rancher", arch: "amd64", family: "unix"

I have attached the output of "mvn clean package -l mvn.log"

mvn.log

Vulnerabilities

DepShield reports that this application's usage of commons-fileupload:commons-fileupload:1.3.2 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2016-1000031] Improper Access Control

Occurrences

commons-fileupload:commons-fileupload:1.3.2 is a transitive dependency introduced by the following direct dependency(s):

• org.sonatype.nexus:nexus-rapture:3.14.0-04
        └─ org.sonatype.nexus:nexus-extdirect:3.14.0-04
              └─ org.sonatype.directjngine:directjngine:2.2.5
                    └─ commons-fileupload:commons-fileupload:1.3.2
              └─ commons-fileupload:commons-fileupload:1.3.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled when a change to a manifest file^* occurs. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

_{* Supported manifest files are: pom.xml, package.json, package-lock.json, npm-shrinkwrap.json, Cargo.lock, Cargo.toml, main.rs, lib.rs, build.gradle, build.gradle.kts, settings.gradle, settings.gradle.kts, gradle.properties, gradle-wrapper.properties, go.mod, go.sum}

• What are you trying to do?

I'm the author of another plugin in the community currently in the process of updating the plugin to the latest version of Nexus Repository Manager (3.26.1-02).

I'm running into repeated failure to build my project only on CircleCI, relevant section:

[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO] 
[INFO] org.sonatype.nexus.plugins:nexus-blobstore-google-cloud-parent 0.16.0-SNAPSHOT SUCCESS [  4.153 s]
[INFO] org.sonatype.nexus.plugins:nexus-blobstore-google-cloud SUCCESS [ 21.164 s]
[INFO] org.sonatype.nexus.plugins:nexus-blobstore-google-cloud-it 0.16.0-SNAPSHOT FAILURE [  4.945 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 44.323 s
[INFO] Finished at: 2020-08-20T21:21:01Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project nexus-blobstore-google-cloud-it: Could not resolve dependencies for project org.sonatype.nexus.plugins:nexus-blobstore-google-cloud-it:jar:0.16.0-SNAPSHOT: Failed to collect dependencies at org.sonatype.nexus.assemblies:nexus-base-template:zip:3.26.1-02 -> org.sonatype.nexus.assemblies:nexus-community-feature:xml:features:3.26.1-02 -> org.sonatype.nexus.plugins:nexus-repository-helm:xml:features:1.0.19: Failed to read artifact descriptor for org.sonatype.nexus.plugins:nexus-repository-helm:xml:features:1.0.19: Could not find artifact org.sonatype.nexus.plugins:nexus-plugins:pom:3.26.1-01 in rso-public-grid (https://repository.sonatype.org/content/groups/sonatype-public-grid/) -> [Help 1]

Note: those that can access internal Sonatype infrastructure will not see this same error; to reproduce you have to have an agent that is not authenticated to internal repositories.

• What feature or behavior is this required for?

Plugins that use the common multi-module pattern with an -it module pull in the nexus-base-template, which now references public releases of the nexus-repository-helm project.

• How could we solve this issue? (Not knowing is okay!)

I believe another release of the nexus-repository-helm to support 3.26.1-02 is required. In 4cdcb80#diff-600376dffeb79835ede4a0b285078036R52 the nxrm-version property is set to 3.26.1-01. That release is not visible to the public, only 3.26.1-02 is.

• Anything else?

It looks like master has already moved to 3.27 - is there a way to branch off of the 1.0.19 tag and publish a 1.0.19.1 tag?

Thanks!

When retrieving the index.yaml from hosted or proxy repositories, urls for entries contains only the artifact name.
The actual behaviuor should be similar to:

entries:
  <name>:
  - apiVersion: v1
    appVersion: <app-version>
    [OMITTED FOR BREVITY] 
    urls:
    - https://<host and path for chart repository>/<name>-<version>.tgz
    version: <version>

this result on helm charts repository is usually achieved using the following command:
helm repo index <local-repo-folder> --url https://<host and path for chart repository>/
This way, the index is generated prepending --url value to all charts in the urls field of the index.yaml

• What are you trying to do?
  I'm using helm plugin as hosted repository on one nexus instance.
  I also would like to download charts using http, first retrieving the index.yaml and then use (one of) the urls field to download the tar.gz file.

• What feature or behavior is this required for?
  In order to retrieve the full url to download the chart via http

• How could we solve this issue? (Not knowing is okay!)

It seems that url are generated statically by org.sonatype.repository.helm.internal.createindex.CreateIndexServiceImpl#createListOfRelativeUrls that does not take host url.
Also, it seems that there is no host configuration in the administration panel to allow also the use of proxy pass.

• Anything else?

• What are you trying to do?
  I tried to build the application with latest nexus which was 3.16.02-01 and the maven build failed on Could not find artifact commons-fileupload:commons-fileupload:jar:1.3.2.SONATYPE

Just adding to pom.xml following dependency worked (group Id, artifact ID and version)

commons-fileupload
commons-fileupload
1.3

I hope this will help also somebody who will strugle the same way as i did :).

Currently, test IndexYamlBuilderTest.testChartIndexPassedCorrectly fails when run after tests HelmRecipeTest.haEnabledProxyRepository and CreateIndexServiceImplTest.testIndexYamlBuiltEvenWhenNoAssets. I can make the test fail by running:

mvn test -Dtest=HelmRecipeTest#haEnabledProxyRepository,CreateIndexServiceImplTest#testIndexYamlBuiltEvenWhenNoAssets,IndexYamlBuilderTest#testChartIndexPassedCorrectly

in the nexus-repository-helm module. The test fails with the following exception:

[ERROR] testChartIndexPassedCorrectly(org.sonatype.repository.helm.internal.orient.metadata.IndexYamlBuilderTest)  Time elapsed: 0.173 s  <<< FAILURE!
org.mockito.exceptions.verification.WantedButNotInvoked:

Wanted but not invoked:
yamlParser.write(
    <any>,
    <Capturing argument>
);
-> at org.sonatype.repository.helm.internal.orient.metadata.IndexYamlBuilderTest.testChartIndexPassedCorrectly(IndexYamlBuilderTest.java:66)
Actually, there were zero interactions with this mock.

        at org.sonatype.repository.helm.internal.orient.metadata.IndexYamlBuilderTest.testChartIndexPassedCorrectly(IndexYamlBuilderTest.java:66)

[INFO]
[INFO] Results:
[INFO]
[ERROR] Failures:
[ERROR]   IndexYamlBuilderTest.testChartIndexPassedCorrectly:66
Wanted but not invoked:
yamlParser.write(
    <any>,
    <Capturing argument>
);
-> at org.sonatype.repository.helm.internal.orient.metadata.IndexYamlBuilderTest.testChartIndexPassedCorrectly(IndexYamlBuilderTest.java:66)
Actually, there were zero interactions with this mock.

The current Dockerfile has a large number of version references that are not required.

We should try to simplify this file to remove unneeded versions args, and decrease maintenance work after each release.

Here's an example of such a file: Dockerfile example.

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

• What are you trying to do?
  Download a chart through a Nexus Helm proxy repository. As the path is rewritten incorretly, it gives an error 404.

• What feature or behavior is this required for?
  Basic functionality.

• How could we solve this issue? (Not knowing is okay!)
  Updating the index.yaml generator to include the path from original index.yaml. (Alternatively a rewrite rule could be stored in the memory to provide access to the chart on the generated url, but that could cause other issues and harder to implement.)

• Anything else?
  Original index.yaml:

    urls:
    - charts/mariadb-3.0.3.tgz

index.yaml generated by Nexus:

    urls:
    - mariadb-3.0.3.tgz

So it's missing the charts/.

as the guide, when i try step Build with Docker,something wrong here. while step Building is ok

Downloaded from rso-public-grid: https://repository.sonatype.org/content/groups/sonatype-public-grid/org/apache/maven/surefire/surefire-junit4/2.20/surefire-junit4-2.20.jar (82 kB at 121 kB/s)
[INFO] 
[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running org.sonatype.repository.helm.internal.metadata.ChartIndexTest
[INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 1.013 s - in org.sonatype.repository.helm.internal.metadata.ChartIndexTest
[INFO] Running org.sonatype.repository.helm.internal.metadata.IndexYamlBuilderTest
[ERROR] Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.796 s <<< FAILURE! - in org.sonatype.repository.helm.internal.metadata.IndexYamlBuilderTest
[ERROR] testChartIndexPassedCorrectly(org.sonatype.repository.helm.internal.metadata.IndexYamlBuilderTest)  Time elapsed: 0.036 s  <<< FAILURE!
org.mockito.exceptions.verification.WantedButNotInvoked: 

Wanted but not invoked:
yamlParser.write(
    <any>,
    <Capturing argument>
);
-> at org.sonatype.repository.helm.internal.metadata.IndexYamlBuilderTest.testChartIndexPassedCorrectly(IndexYamlBuilderTest.java:63)
Actually, there were zero interactions with this mock.

	at org.sonatype.repository.helm.internal.metadata.IndexYamlBuilderTest.testChartIndexPassedCorrectly(IndexYamlBuilderTest.java:63)

[INFO] Running org.sonatype.repository.helm.internal.metadata.IndexYamlAbsoluteUrlRewriterTest

[INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.305 s - in org.sonatype.repository.helm.internal.security.HelmSecurityFacetTest
[INFO] 
[INFO] Results:
[INFO] 
[ERROR] Failures: 
[ERROR]   IndexYamlBuilderTest.testChartIndexPassedCorrectly:63 
Wanted but not invoked:
yamlParser.write(
    <any>,
    <Capturing argument>
);
-> at org.sonatype.repository.helm.internal.metadata.IndexYamlBuilderTest.testChartIndexPassedCorrectly(IndexYamlBuilderTest.java:63)
Actually, there were zero interactions with this mock.

[INFO] 
[ERROR] Tests run: 18, Failures: 1, Errors: 0, Skipped: 0

after exec Building, chang Dockfile "COPY --from=build /nexus-repository-helm/target/nexus-repository-helm-${HELM_VERSION}.jar ${TARGET_DIR}" to "COPY ./target/nexus-repository-helm-${HELM_VERSION}.jar ${TARGET_DIR}",build image succsesful. when i run this image,got another error container logs.

			... 12 common frames omitted
	Caused by: shaded.org.eclipse.aether.resolution.ArtifactResolutionException: Error resolving artifact org.apache.commons:commons-compress:jar:1.11
		at shaded.org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:444)
		at shaded.org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:246)
		at shaded.org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifact(DefaultArtifactResolver.java:223)
		at shaded.org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveArtifact(DefaultRepositorySystem.java:294)
		at org.ops4j.pax.url.mvn.internal.AetherBasedResolver.resolve(AetherBasedResolver.java:705)
		... 12 common frames omitted
2018-09-14 00:38:11,411+0000 INFO  [FelixStartLevel] *SYSTEM org.sonatype.nexus.extender.NexusContextListener - Uptime: 50 seconds and 72 milliseconds
2018-09-14 00:38:11,414+0000 INFO  [FelixStartLevel] *SYSTEM org.sonatype.nexus.extender.NexusLifecycleManager - Stop KERNEL

try this several times,got the same result

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

• What are you trying to do?
  Support for secondary directory to get helm warehouse

• What feature or behavior is this required for?
  Support for secondary directory to get helm warehouse

• How could we solve this issue? (Not knowing is okay!)

• Anything else?

helm repo like this

https://burdenbear.github.io/kube-charts-mirror/

In this case, there is a problem with the method of setting the relative path before, and the real helm charts will not be obtained.

I try to pack helm plugin in nexus docker image nexus image version is 3.14.0.14 ,I pack 0.0.7 helm plugin, but when I run image something error,like maven can not download compress image
How to solve this problem?

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

• What are you trying to do?

Have installed nexus-repository-helm plugin 0.0.6 on nexus repository server version 3.13.
Hosted helm repositories are working fine, so I created a proxy helm repository with
name kubernetes-charts, remote URL https://kubernetes-charts.storage.googleapis.com/
and access URL https://mynexus.mycompany.com/repository/kubernetes-charts.
To use that repo I wanted to add the access URL to my helm repo list with:
helm repo add https://mynexus.mycompany.com/repository/kubernetes-charts
but that command failed with:

Error: Looks like "https://mynexus.mycompany.com/repository/kubernetes-charts/" is not a valid chart repository or cannot be reached: Failed to fetch https://mynexus.mycompany.com/repository/kubernetes-charts/index.yaml : 404 Not Found

• What feature or behavior is this required for?

We need helm proxy to access public helm chart repositories behind our corporate proxy.

• How could we solve this issue? (Not knowing is okay!)

index.yaml should be created during creation of helm proxy repo or it should or the get request for index.yaml should be redirected to the remote URL.

• Anything else?

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

• What are you trying to do?
  We are proxying a helm repository where the repo is relative to some host, and internally charts are relative still to the index location.

For example, assume we are proxying

https://torysinfrastructure/helm

Inside that repo is a chart in a directory
appfamily/myapp-1.0.0.tgz, such that the URL to the chart is https://torysinfrastructure/helm/appfamily/myapp-1.0.0.tgz

Therefore, when Nexus proxies this repo, the generated index.yaml for the proxy should refer to the chart as appfamily/myapp-1.0.0.tgz. Today, it reads simply myapp-1.0.0.tgz. The index builder logic in the proxy should respect the relative paths inside the repo.

• What feature or behavior is this required for?
  Helm proxy support.

• How could we solve this issue? (Not knowing is okay!)
  I will attach a PR shortly.

• Anything else?

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

• What are you trying to do?
  Use the web page to upload the helm component

• What feature or behavior is this required for?
  web page upload helm component

• How could we solve this issue? (Not knowing is okay!)

• Anything else?

When performing a helm search, the appVersion is not returned. In our case, the version and appVersion are not the same and we're using version to track updates to the Helm chart, and our appVersion to specify the version for the deployed software.

• What are you trying to do?
  View the appVersion from a helm search.

• What feature or behavior is this required for?
  To specify the appVersion in the reults of a helm search

• How could we solve this issue? (Not knowing is okay!)
  It seems the appVersion should be included in the index.yaml

• Anything else?
  Here's a quick search and results from our private Nexus repo and my local dev of the chart.

> helm search catalog
NAME            	CHART VERSION	APP VERSION	DESCRIPTION
decipher/catalog	1.0.1        	           	A Helm chart to deploy Grey Matter Catalog
local/catalog   	1.0.1        	0.3.6      	A Helm chart to deploy Grey Matter Catalog

Hi,

This is a 'feature request'

Having an easy way to match plugin version with nexus version.

I'd like to suggest to bump the plugin version to match the nexus version.

Thanks,
Nicolas

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

• What are you trying to do?

I try to use one helm repo proxy ( to https://kubernetes-charts.storage.googleapis.com/ ) but I have :
helm repo add nexusrepo http://nexus/repository/helm-stable-proxy/
helm fetch nexusrepo/mongodb
Error: Failed to fetch http://nexus/mongodb-4.3.4.tgz : 404 Not Found

• What feature or behavior is this required for?

• How could we solve this issue? (Not knowing is okay!)

Fetch is ok.

• Anything else?

I cannot create a helm repo, the helm (proxied) and helm (hosted) appear in the drop down, but when selecting any of them nothing happens.

I see this in the install log:

fgrep -i helm *|grep -v helm-operator
grep: audit: Is a directory
nexus.log:2019-07-29 09:08:15,615+0000 INFO  [fileinstall-/opt/sonatype/nexus/deploy]  *SYSTEM org.sonatype.nexus.extender.NexusBundleTracker - ACTIVATING org.sonatype.nexus.plugins.nexus-repository-helm [273]
nexus.log:2019-07-29 09:08:16,133+0000 WARN  [fileinstall-/opt/sonatype/nexus/deploy]  *SYSTEM com.google.inject.spi.InjectionPoint - Method: public void org.sonatype.repository.helm.internal.HelmRecipeSupport.setBrowseUnsupportedHandler(org.sonatype.nexus.repository.view.handlers.BrowseUnsupportedHandler) is not annotated with @Inject but is overriding a method that is annotated with @javax.inject.Inject.  Because it is not annotated with @Inject, the method will not be injected. To fix this, annotate the method with @Inject.
nexus.log:2019-07-29 09:08:16,137+0000 WARN  [fileinstall-/opt/sonatype/nexus/deploy]  *SYSTEM com.google.inject.spi.InjectionPoint - Method: public void org.sonatype.repository.helm.internal.HelmRecipeSupport.setBrowseUnsupportedHandler(org.sonatype.nexus.repository.view.handlers.BrowseUnsupportedHandler) is not annotated with @Inject but is overriding a method that is annotated with @javax.inject.Inject.  Because it is not annotated with @Inject, the method will not be injected. To fix this, annotate the method with @Inject.
nexus.log:2019-07-29 09:08:16,297+0000 WARN  [fileinstall-/opt/sonatype/nexus/deploy]  *SYSTEM com.google.inject.spi.InjectionPoint - Method: public void org.sonatype.repository.helm.internal.HelmRecipeSupport.setBrowseUnsupportedHandler(org.sonatype.nexus.repository.view.handlers.BrowseUnsupportedHandler) is not annotated with @Inject but is overriding a method that is annotated with @javax.inject.Inject.  Because it is not annotated with @Inject, the method will not be injected. To fix this, annotate the method with @Inject.
nexus.log:2019-07-29 09:08:16,303+0000 WARN  [fileinstall-/opt/sonatype/nexus/deploy]  *SYSTEM com.google.inject.spi.InjectionPoint - Method: public void org.sonatype.repository.helm.internal.HelmRecipeSupport.setBrowseUnsupportedHandler(org.sonatype.nexus.repository.view.handlers.BrowseUnsupportedHandler) is not annotated with @Inject but is overriding a method that is annotated with @javax.inject.Inject.  Because it is not annotated with @Inject, the method will not be injected. To fix this, annotate the method with @Inject.
nexus.log:2019-07-29 09:08:16,545+0000 INFO  [fileinstall-/opt/sonatype/nexus/deploy]  *SYSTEM org.sonatype.nexus.extender.NexusBundleTracker - ACTIVATED org.sonatype.nexus.plugins.nexus-repository-helm [273]

Vulnerabilities

DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.9.2 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2018-7489] Incomplete Blacklist, Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2017-17485] Improper Control of Generation of Code ("Code Injection")
• (CVSS 8.1) [CVE-2018-5968] Incomplete Blacklist, Deserialization of Untrusted Data

Occurrences

com.fasterxml.jackson.core:jackson-databind:2.9.2 is a transitive dependency introduced by the following direct dependency(s):

• org.sonatype.nexus:nexus-plugin-api:3.14.0-04
        └─ com.fasterxml.jackson.core:jackson-databind:2.9.2
        └─ org.sonatype.nexus:nexus-blobstore-api:3.14.0-04
              └─ com.fasterxml.jackson.core:jackson-databind:2.9.2

• org.sonatype.nexus:nexus-repository:3.14.0-04
        └─ org.sonatype.nexus:nexus-orient:3.14.0-04
              └─ com.orientechnologies:orientdb-server:2.2.36
                    └─ com.orientechnologies:orientdb-tools:2.2.36
                          └─ com.fasterxml.jackson.core:jackson-databind:2.9.2
              └─ com.fasterxml.jackson.datatype:jackson-datatype-joda:2.9.2
                    └─ com.fasterxml.jackson.core:jackson-databind:2.9.2
        └─ com.fasterxml.jackson.core:jackson-databind:2.9.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of com.thoughtworks.xstream:xstream:1.4.10 results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2013-7285] Improper Neutralization of Special Elements used in a Command (Command Injection)

Occurrences

com.thoughtworks.xstream:xstream:1.4.10 is a transitive dependency introduced by the following direct dependency(s):

• org.sonatype.goodies:goodies-testsupport:2.3.0
        └─ org.powermock:powermock-classloading-xstream:1.6.1
              └─ com.thoughtworks.xstream:xstream:1.4.10

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

I am reporting this bug has it can potentially create a big amount of problems for deployment. Making it possible to deploy different versions than the ones expected and failing to create new versions if helm nexus metadata is wrongly associated with file.

We faced this strange behavior recently. A file was uploaded with the wrong Chart version creating a link in the metadata for a version 1.0.0-SNAPSHOT associated with helmchart-1.5.0-SNAPSHOT.tgz

However that helmchart-1.5.0-SNAPSHOT.tgz file was rebuild and the Chart yaml was corrected with version 1.5.0-SNAPSHOT, a new upload to nexus and the file is still associated with version 1.0.0-SNAPSHOT even though inside the file the Chart is 1.5.0-SNAPSHOT, meaning this version will never get correctly published unless version 1.0.0-SNAPSHOT is removed manually from the helm index.

Current Behavior

• Helm deployments of version 1.0.0--SNAPSHOT will deploy version 1.5.0-SNAPSHOT instead, resulting in wrong version being deployed, since a deployment will use a tgz file that has different version than the one in the metadata.
• Helm version 1.5.0-SNAPSHOT fails to be created, it is wrongly associated with 1.0.0-SNAPSHOT, it will continue to update the blob of this version instead of creating a new version.
• There are no error messages, with hundreds of charts this is tricky to debug.
• Only way to fix is to manually delete the metadata for the problematic version and re-upload a new version with correct Chart yaml data and respective tgz data.

Expected Behavior

• If version in Chart yaml is different from helm nexus metadata, do not associate uploaded file with previous version.
• Throw error if Chart version is different from Helm Nexus metadata.
• Any previous version of a helm chart should not be able to point to a *.tgz file that contains a Chart yaml file with a different version.

Possible solution
On handling the upload, verify if the version of the uploaded Chart yaml matches existing nexus helm metadata version, throw error 400 Bad Request if it does not match. Update blob if it matches. Create new version if Chart yaml version does not exist in nexus helm metadata.

• What are you trying to do?
  Download a list of all charts (download /repository/helm/index.yaml file).
  There seems to be no ETag header support => file is fairly re-downloaded every time (instead of returning a 304 response code if current Etag matches the one provided by client)

• What feature or behavior is this required for?
  This may be very useful for CI automation tools: they may cache the index.yaml file on their side and only do re-download this file when there're changes. Especially may make sense for big helm repositories, where the index.yaml file size is significant.

• How could we solve this issue? (Not knowing is okay!)

1. Send ETag header within a /repository/helm/iindex.yaml response
2. Check Etag header on requests: return 304 status response with no body if request's Etag matches the current one; return 200 status code with complete contents in body otherwise.

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

• What are you trying to do?
  upload artifacts with apiVersion v2

• What feature or behavior is this required for?
  Requirements for Helm v3 deployments in Rancher k8s environment

• How could we solve this issue? (Not knowing is okay!)
  Currently calculated index.yaml has:

  apiVersion: v1
  entries:
    <name>:
    - appVersion:

To also support v3:

apiVersion: v1
entries:
  <name>:
  - appVersion:
    apiVersion: v1/v2

This is basically what other repos do (i.e artifactory/chartmuseum etc)

• Anything else?
  Should be an easy fix in HelmAttributes :-)

Please release the version 0.0.7 (docs refer to it and looking at the commits seems it's done). Please create the Github release and corresponding git tag.

We are using the version tags in our CI process building the custom Nexus Docker image with multiple plugins installed. We can use the master branch but it's not so convenient.

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

• What are you trying to do?
  Upgrade to nexus 3.19.1

• What feature or behavior is this required for?
  Critical CVE
  https://support.sonatype.com/hc/en-us/articles/360036132453?_ga=2.261760462.238785005.1573993762-1681672352.1562768229

• How could we solve this issue? (Not knowing is okay!)
  release a new version compatible with 3.19.1 or above

• Anything else?

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

• What are you trying to do?
  I try to use one helm repo proxy ( to https://charts.gitlab.io ) but I have :
  helm repo add nexusrepo http://nexus/repository/helm-stable-proxy/
  helm fetch nexusrepo/mongodb
  Error: Failed to fetch http://10.100.100.11/repository/helm-gitlab-charts/auto-deploy-app-0.2.4.tgz : 404 Not Found

Server-side log open DEBUG see the following log

2018-09-17 14:34:39,554+0800 DEBUG [qtp872755663-49]  *UNKNOWN org.sonatype.repository.helm.internal.proxy.HelmProxyFacetImpl - Fetching: GET https://charts.gitlab.io/auto-deploy-app-0.2.4.tgz HTTP/1.1
2018-09-17 14:34:39,555+0800 DEBUG [qtp872755663-49]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - https://charts.gitlab.io/auto-deploy-app-0.2.4.tgz > GET /auto-deploy-app-0.2.4.tgz HTTP/1.1
2018-09-17 14:34:39,555+0800 DEBUG [qtp872755663-49]  *UNKNOWN org.sonatype.nexus.internal.httpclient.SharedHttpClientConnectionManager - Connection request: [route: {s}->https://charts.gitlab.io:443][total kep
t alive: 1; route allocated: 0 of 20; total allocated: 1 of 200]

• What feature or behavior is this required for?

• How could we solve this issue? (Not knowing is okay!)

• Anything else?

There is a problem here, adding that the chart is not the official address, that is to say, the downloaded address is not the same domain name as the chart, there will be problems, for example, https://charts.gitlab.io
His index.yaml format is like this

  - created: 2018-06-15T22:48:32.992821306Z
    description: GitLab Runner
    digest: 034f08a9e6bb733e7e56b3bf2542498da75872d1e373dce70334485829f68d0e
    icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png
    keywords:
    - git
    - ci
    - deploy
    maintainers:
    - email: [email protected]
      name: GitLab Inc.
    - email: [email protected]
      name: DJ Mountney
    name: gitlab-runner
    sources:
    - https://hub.docker.com/r/gitlab/gitlab-runner/
    - https://docs.gitlab.com/runner/
    urls:
    - https://gitlab-charts.s3.amazonaws.com/gitlab-runner-0.1.23.tgz
    version: 0.1.23
  - created: 2018-06-15T22:35:02.572502983Z
    description: GitLab Runner
    digest: c82d3d98a810322bf87edf47934814e6d3f24f26f614acb1d322f6586a96d593
    icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png
    keywords:
    - git
    - ci
    - deploy
    maintainers:
    - email: [email protected]
      name: GitLab Inc.
    - email: [email protected]
      name: DJ Mountney
    name: gitlab-runner
    sources:
    - https://hub.docker.com/r/gitlab/gitlab-runner/
    - https://docs.gitlab.com/runner/
    urls:
    - https://gitlab-charts.s3.amazonaws.com/gitlab-runner-0.1.22.tgz
    version: 0.1.22
  - created: 2018-06-14T16:30:13.81292576Z
    description: GitLab Runner
    digest: be75401889b81945faa52305bf734117648513f0e7814286ed1a52e2652758a7
    icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png
    keywords:
    - git
    - ci
    - deploy
    maintainers:
    - email: [email protected]
      name: GitLab Inc.
    - email: [email protected]
      name: DJ Mountney
    name: gitlab-runner
    sources:
    - https://hub.docker.com/r/gitlab/gitlab-runner/
    - https://docs.gitlab.com/runner/
    urls:
    - https://gitlab-charts.s3.amazonaws.com/gitlab-runner-0.1.21.tgz
    version: 0.1.21
  - created: 2018-06-07T15:22:28.486461965Z
    description: GitLab Runner
    digest: d8258443107d13792875f6ae3fdb90cc4fcaabc5f83f3bbf3317143c44493b1f
    icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png
    keywords:
    - git
    - ci
    - deploy
    maintainers:
    - email: [email protected]
      name: GitLab Inc.
    - email: [email protected]
      name: DJ Mountney
    name: gitlab-runner
    sources:
    - https://hub.docker.com/r/gitlab/gitlab-runner/
    - https://docs.gitlab.com/runner/
    urls:
    - https://gitlab-charts.s3.amazonaws.com/gitlab-runner-0.1.20.tgz
    version: 0.1.20
  - created: 2018-06-06T14:26:15.253296358Z
    description: GitLab Runner
    digest: 3bf24c26fc9cc64bb6d860fccba99672e90445dab5ce1d745115042615759b6f
    icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png
    keywords:
    - git
    - ci
    - deploy
    maintainers:
    - email: [email protected]
      name: GitLab Inc.
    - email: [email protected]
      name: DJ Mountney
    name: gitlab-runner
    sources:
    - https://hub.docker.com/r/gitlab/gitlab-runner/
    - https://docs.gitlab.com/runner/
    urls:
    - https://gitlab-charts.s3.amazonaws.com/gitlab-runner-0.1.19.tgz
    version: 0.1.19
  - created: 2018-05-30T10:35:21.5443457Z
    description: GitLab Runner
    digest: 540bf4756d198ae75824e733a3d1740cf37464d9ec33e80f62e0097ad2453e26
    icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png
    keywords:
    - git
    - ci
    - deploy
    maintainers:
    - email: [email protected]
      name: GitLab Inc.
    - email: [email protected]
      name: DJ Mountney
    name: gitlab-runner
    sources:
    - https://hub.docker.com/r/gitlab/gitlab-runner/
    - https://docs.gitlab.com/runner/
    urls:
    - https://gitlab-charts.s3.amazonaws.com/gitlab-runner-0.1.18.tgz
    version: 0.1.18
  - created: 2018-05-25T17:47:52.665684883Z
    description: GitLab Runner
    digest: 88886a71b1ec6065117bda3341f3c4f0bbe2360fad8a22c6d8a8dbcd3c7db880
    icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png
    keywords:
    - git
    - ci
    - deploy
    maintainers:
    - email: [email protected]
      name: GitLab Inc.
    - email: [email protected]
      name: DJ Mountney
    name: gitlab-runner
    sources:
    - https://hub.docker.com/r/gitlab/gitlab-runner/
    - https://docs.gitlab.com/runner/
    urls:
    - https://gitlab-charts.s3.amazonaws.com/gitlab-runner-0.1.17.tgz
    version: 0.1.17
  - created: 2018-05-21T14:12:40.310853577Z
    description: GitLab Runner
    digest: 06fd24339ed112b961e79d40f4509efd350c2bb5d3ed66b214ce28f067b07aea
    icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png
    keywords:
    - git
    - ci
    - deploy
    maintainers:
    - email: [email protected]
      name: GitLab Inc.
    - email: [email protected]
      name: DJ Mountney
    name: gitlab-runner
    sources:
    - https://hub.docker.com/r/gitlab/gitlab-runner/
    - https://docs.gitlab.com/runner/
    urls:
    - https://gitlab-charts.s3.amazonaws.com/gitlab-runner-0.1.16.tgz
    version: 0.1.16
  - created: 2018-05-18T13:13:54.657084419Z
    description: GitLab Runner
    digest: 6ac756566fbbfebd7b49f18e61357747c28424eec9ac1a2aa295f475bd0f4e94
    icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png
    keywords:
    - git
    - ci
    - deploy
    maintainers:
    - email: [email protected]
      name: GitLab Inc.
    - email: [email protected]
      name: DJ Mountney
    name: gitlab-runner
    sources:
    - https://hub.docker.com/r/gitlab/gitlab-runner/
    - https://docs.gitlab.com/runner/
    urls:
    - https://gitlab-charts.s3.amazonaws.com/gitlab-runner-0.1.15.tgz
    version: 0.1.15
  - created: 2018-05-18T12:12:35.192390219Z
    description: GitLab Runner
    digest: 3eb963ee322434e56bb0b9878476a1a734e9b1dce26901a96c1dff8ee16f4e1b
    icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png
    keywords:
    - git
    - ci
    - deploy
    maintainers:
    - email: [email protected]
      name: GitLab Inc.
    - email: [email protected]
      name: DJ Mountney
    name: gitlab-runner
    sources:
    - https://hub.docker.com/r/gitlab/gitlab-runner/
    - https://docs.gitlab.com/runner/
    urls:
    - https://gitlab-charts.s3.amazonaws.com/gitlab-runner-0.1.14.tgz
    version: 0.1.14
  - created: 2018-05-15T12:09:04.553132449Z
    description: GitLab Runner
    digest: 82192920f22fd497b5fe08556a2af6ad41b024950c46f69376003adc9dbd1102
    icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png
    keywords:
    - git
    - ci
    - deploy
    maintainers:
    - email: [email protected]
      name: GitLab Inc.
    - email: [email protected]
      name: DJ Mountney
    name: gitlab-runner
    sources:
    - https://hub.docker.com/r/gitlab/gitlab-runner/
    - https://docs.gitlab.com/runner/
    urls:
    - https://gitlab-charts.s3.amazonaws.com/gitlab-runner-0.1.13.tgz
    version: 0.1.13
  kubernetes-gitlab-demo:
  - apiVersion: v1
    created: 2018-05-10T08:51:48.195111007Z
    description: GitLab running on Kubernetes suitable for demos
    digest: e41d0aef3616687c4327f9d447d5132bc7325cb1e5f380591a40496462441ab8
    home: https://about.gitlab.com
    icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.png
    keywords:
    - git
    - ci
    - cd
    - deploy
    - issue tracker
    - code review
    - wiki
    maintainers:
    - email: [email protected]
      name: GitLab Inc.
    - name: Mark Pundsack
    - name: Jason Plum
    - name: DJ Mountney
    name: kubernetes-gitlab-demo
    sources:
    - https://hub.docker.com/r/gitlab/gitlab-ce/
    - https://docs.gitlab.com/omnibus/
    urls:
    - https://gitlab-charts.s3.amazonaws.com/kubernetes-gitlab-demo-0.1.29.tgz
    version: 0.1.29
generated: 2018-08-28T22:30:11.426662552Z