When Artifactory blocks the download of an artifact due to an Xray policy, the HTTP response is 404: ‘Artifact download request rejected’. Additionally, the error shown in the terminal is ‘Package XYZ is not found on source ABC’.
The error occurs whether the virtual repository contains just a remote repository, just a local repository, or both.
The expected behavior is that when Artifactory blocks the download of an artifact due to an Xray policy, the response should be 403: ‘Artifact download request rejected’. This is, in fact, the response when downloading artifacts from a local repository. See screenshot below:
Steps to reproduce:
- Create a NuGet virtual repository
- Add an Xray watch that blocks downloads for a given vulnerability
- Add the Artifactory virtual repository as the NuGet source
- Using the NuGet client, install a package with a known vulnerability (one that will be blocked by the previously configured watch) from the Artifactory virtual repository.
Response from the Terminal