Nexus2 Empty Trash Task leaves some proxy repo files behind

Nexus2 Empty Trash Task works great for hosted repo but leaves some proxy repo files on the server. Is it safe to forcefully remove files from the trash without using GUI? In my case, it is log4j files and I need it to be gone to avoid our security scanner picking it up. I am planning to forcefully remove it from /data/sonatype-work/nexus/storage//.nexus/attributes/.nexus/trash directory. Please let me know if this may cause any issues. Thank you in advance!

The attributes files are just small JSON files that describe metadata about components in storage, such as when they were stored, last accessed etc. So they are not a security concern. In any case, yes, you can directly remove files under the ./nexus/trash directory.

1 Like

Also, I’m guessing those files are very old. There was a bug a long time ago that could cause files to get created in that location.

1 Like

Greater Mystery: How would you explain why log4j files may reappear in proxy repo after it was deleted and nothing seems to pull it?? I can see original upload date on them as if they are coming back by themselves from 2005 download date by running find / -name “log4j-1.2.12.jar” -printf “%p %TD\n” and getting:

/data/sonatype-work/nexus/storage/apache-maven/log4j/log4j/1.2.12/log4j-1.2.12.jar 11/22/05 ← reappearing file which seems to be uploaded in 2005 originally

/data/sonatype-work/nexus/storage/apache-maven/.nexus/attributes/.nexus/trash/log4j/log4j/1.2.12/log4j-1.2.12.jar 04/04/23 ← remnants of deleted recently files

/data/sonatype-work/nexus/storage/apache-maven/.nexus/attributes/log4j/log4j/1.2.12/log4j-1.2.12.jar 04/07/23 ← attributes files are dated today at least

Am I being fooled by the download date 1/22/05 of reappearing jar file??? I cannot be 100% positive that there is no old job running which still pulls old library, but this date made me believe that this file is not pulled recently. Is the date reliable???

I really appreciate your reply as I am a new owner of Nexus2 server and trying to treat it with care (hope to upgrade to Nexus3 without incident soon). Any idea on how best to get rid of this old cached file for good???

The date of the file on your local disk will match the date of the file’s publish in Maven Central. So the 2005 date is expected here. Check the request logs, some build is requesting that file if it has reappeared since it was removed.

1 Like

Mystery solved! I see GET requests for files in question in request.log. I was checking nexus.log and did not know about request.log till now. Thank you SO MUCH for your help!!