- Type: Bug
- Status: Done
- Resolution: Done
- Affects Version/s: 7.11.5
- Fix Version/s: 7.37.13
- Component/s: Artifactory
- Labels: None
- Environment: Artifactory (7.11.5) and Xray (3.10.3) running on separate GCP machines, NuGet client on Mac.
- Severity: High
Problem description:
When Artifactory blocks the download of an artifact due to an Xray policy, the HTTP response is 404: ‘Artifact download request rejected’. Additionally, the error shown in the terminal is ‘Package XYZ is not found on source ABC’.
The error occurs whether the virtual repository contains just a remote repository, just a local repository, or both.
Expected behavior:
The expected behavior is that when Artifactory blocks the download of an artifact due to an Xray policy, the response should be 403: ‘Artifact download request rejected’. This is, in fact, the response when downloading artifacts from a local repository. See screenshot below:
Steps to reproduce:
- Create a NuGet virtual repository.
- Add an Xray watch that blocks downloads for a given vulnerability.
- Add the Artifactory virtual repository as the NuGet source.
- Using the NuGet client, install a package with a known vulnerability (one that will be blocked by the previously configured watch) from the Artifactory virtual repository.
HTTP Response:
Response from the Terminal
Issue links:
- relates to: RTFACT-13797 Artifactory return 403 instead of 404 for non-existing artifacts in virtual repositories. (Done)