Spring Boot jars not parsed and not scanned; build blocked

We have a very serious issue with our on-prem setup (Artifactory Pro X, with Xray): the jars with Spring Boot are not parsed, Xray does not scan them and the builds are hanging.

The hint from the log files is:

2021-02-12T08:53:11.970Z [jfrt ] [ERROR] [81ae1f002087e39 ] [o.a.s.a.ArchiveIndexerImpl:168] [art-exec-28 ] - Failed to index 'wsr-mvn-dev-local:our-jar-qualifier/1.0.1/postal-1.0.1.jar': Unexpected record signature: 0X622F2123

which seems to be related to an older issue you once had: https://www.jfrog.com/jira/browse/RTFACT-18847

It is, quite frankly, very disappointing that the old issue was never fixed (I see it marked as deferred, comments of other users ignored). I do hope this issue will get more attention from you; for us Xray is unusable and Artifactory does not have all the features we wanted.

What happens:

• we have a Bamboo build that uses the Generic Artifactory Deploy task to deploy a jar compiled with JDK 8 and Spring Boot 2;
• the deployment is ok; the jar is saved in the correct repository, however we get the error above; in Artifactory UI the content of the jar is not visible - its subtree is not opening;
• manual Xray scans on these jars are not producing any result, even though I compiled a version with some vulnerabilities in some of the dependencies;
• the build continues with a Artifactory Publish Build Info task; everything fine at this step;
• the last task is an Xray scan task; the build hangs, it is broken by Bamboo when the defined timeout is reached.

If it is needed, I can provide a copy of the jar file, however we don't do anything special in the pom.

Please let us know if you need further info, so that this bug gets fixed asap. Thank you.

 

Update: 19.02.21:

The REST API produces the same errors. This looks like a bug in Artifactory and not in Xray, as one of your support people suggested:

 

curl -X PUT "https://our-artifactory-instance/wsr-mvn-dev-local/something/postalservice/postal/1.0.1/postal-1.0.1.jar" -T /tmp/postal-1.0.1.jar -v --trace-time

{
"repo" : "wsr-mvn-dev-local",
"path" : "something/postalservice/postal/1.0.1/postal-1.0.1.jar",
"created" : "2021-02-10T19:20:24.790+01:00",
"createdBy" : "bamboo-integration",
"downloadUri" : "https://our-artifactory-instance/wsr-mvn-dev-local/something/postalservice/postal/1.0.1/postal-1.0.1.jar",
"mimeType" : "application/java-archive",
"size" : "74180537",
"checksums" :

{ "sha1" : "fcd99bf8ccdde91f76cd5a8f9339baf052c20937", "md5" : "a1315630fe977a327e599ba8f4d6a511", "sha256" : "52ab2d8e35fc9c1a403e0da02e51962d382c429cccd6b28e93b24a6b8c0caeee" }

,
"originalChecksums" :

{ "sha256" : "52ab2d8e35fc9c1a403e0da02e51962d382c429cccd6b28e93b24a6b8c0caeee" }

,
"uri" : "https://our-artifactory-instance/wsr-mvn-dev-local/something/postalservice/postal/1.0.1/postal-1.0.1.jar""
}

Artifactory logs:

2021-02-19T09:19:11.916Z [jfrt ] [INFO ] [713cda2b1ae32ce4] [o.a.s.a.ArchiveIndexerImpl:152] [art-exec-2041 ] - Indexing archive: wsr-mvn-dev-local:something/postalservice/postal/1.0.1/postal-1.0.1.jar
2021-02-19T09:19:11.961Z [jfrt ] [ERROR] [713cda2b1ae32ce4] [o.a.s.a.ArchiveIndexerImpl:168] [art-exec-2041 ] - Failed to index 'wsr-mvn-dev-local:something/postalservice/postal/1.0.1/postal-1.0.1.jar': Unexpected record signature: 0X622F2123
2021-02-19T09:20:23.881Z [jfrt ] [ERROR] [3f107c4a2ba1cf17] [.b.t.n.a.ArchiveEntriesTree:67] [27.0.0.1-8040-exec-6] - Failed to get zip Input Stream: Unexpected record signature: 0X622F2123