Wrong package returned by the OData call

In my company we use Nexus as a package manager for private NuGet packages. Recently we introduced GitHub Dependabot integration for scanning and updating the packages.

For some unknown reason, packages listed in the Nexus repos cannot be updated. In the logs I found information that Dependabot can’t find a newer version, even if it exists in the Nexus repository.

For example, Dependabot tries to call:
https://nexus.company.com/repository/repository-hosted/v3/query/0?q=Company.3rdParty.XYZ

In the response, Nexus returns information about a totally different package, without any info about the target library.

{
  "totalHits": 1,
  "data": [{
    "id": "Company.otherlibrar",
    "version": "1.0.0",
    "versions": [{
      "version": "1.0.0",
      "downloads": 0,
      "@id": "https://nexus.company.com/repository/repository-hosted/v3/registration/company.otherlibrar/1.0.0.json"
    }],
    "registration": "https://nexus.company.com/repository/repository-hosted/v3/registration/company.otherlibrary/index.json",
    "summary": "Templates to use when creating an applications.",
    "verified": false
  }]
}

I tried rebuilding the indexes and cache, with no result.

What can be wrong?

@lukasz.pyrzyk , thanks for writing in, that’s interesting. The ‘q’ parameter is just a general search query, it’s not specifically asking only for the package of interest. For that, I would expect to see a query with an id parameter in it:
https://nexus.company.com/repository/repository-hosted/v3/query/0?q=id:Company.3rdParty.XYZ

Without that, a search for q=foo could easily turn up all sorts of other packages that happen to have ‘foo’ in the name (or possibly even other attributes, like the description).

Having said that, I would expect that you should at least get all the versions of Company.3rdParty.XYZ in your results.

Out of curiosity, could you try the id: version of the query, does that produce what you expect?

But regardless, it would be helpful to know your context. What version of Repository is this, and what database are you running against? (OrientDB, PostgreSQL, or H2?) Is this an HA cluster? There are slightly different search implementations involved.

Hello @mprescott and thank you for taking a look at the issue.

I tried to reproduce the problem and I was not able to do so. However, I have a repro of a very similar problem - returning an invalid version for the package.

When I perform a query like:

https://nexus.company.com/repository/repository-hosted/v3/query/0?q=Company.3rdParty.XYZ&prerelease=true&semVerLevel=2.0.0

I get the following response, with information that the latest version of the package is 4.23.0 - which has been out of date for a very long time. The library is available at 9.14.0 stable and 9.15 beta.

However, when I follow the registration URL for that package I see all versions, and information that the latest is 9.15 beta. The endpoint looks like: https://nexus.company.com/repository/repository-hosted/v3/registration/Company.3rdParty.XYZ/index.json

Why is 4.23.0 presented by the query endpoint? We also noticed that the value changes from time to time when we rebuild the repository index.

When it comes to our repository, we use OSS 3.47.1-01 with OrientDB running on Windows Server 2012 R2.

EDIT:

After rebuilding the index for the 6th or 7th time from two different accounts we were able to get the latest version returned from the endpoint, so it looks like a caching problem.
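The two observations above (a general `q=` search that matches unrelated packages, and a search response advertising an older "latest" version than the registration index lists) can both be caught with a small cross-check. The following script is an added example, not code from the thread or from Sonatype: it builds the `id:`-prefixed query URL, filters a search response to exact id matches, and compares the version search reports with the highest listed version in the registration index. The JSON payloads are constructed samples shaped like the NuGet v3 responses quoted in the thread, `nexus.company.com` and `Company.3rdParty.XYZ` are the thread's placeholder host and package id, and the function names are mine.

```python
"""Cross-check a NuGet v3 search (query) response against the registration index.

Constructed example for the thread above: a stale search index that advertises
4.23.0 while registration knows 9.14.0 and 9.15.0-beta. Nothing here performs a
network request; feed it the two JSON documents fetched from your repository.
"""
import json
import re
from urllib.parse import quote

# Endpoint layout taken from the URLs quoted in the thread; host and id are placeholders.
NEXUS_BASE = "https://nexus.company.com/repository/repository-hosted/v3"
PACKAGE_ID = "Company.3rdParty.XYZ"


def search_url(base, package_id, prerelease=True):
    """Build the query URL with the id: prefix so only the exact package matches."""
    q = quote(f"id:{package_id}", safe=":")
    return f"{base}/query/0?q={q}&prerelease={'true' if prerelease else 'false'}&semVerLevel=2.0.0"


def registration_url(base, package_id):
    """Registration index URL; NuGet registration paths use the lower-cased id."""
    return f"{base}/registration/{package_id.lower()}/index.json"


# major[.minor[.patch[.revision]]][-prerelease][+build]
_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$")


def parse_version(text):
    """Turn a NuGet-style version into a sortable key.

    A release sorts above any prerelease with the same numeric part, and
    prerelease identifiers compare numerically when numeric, else as strings.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    numeric = tuple(int(p or 0) for p in m.group(1, 2, 3, 4))
    pre = m.group(5)
    if pre is None:
        return numeric + ((1,),)
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return numeric + ((0, parts),)


def search_matches(search_json, package_id):
    """Entries whose id equals the requested package (ids are case-insensitive)."""
    wanted = package_id.lower()
    return [d for d in search_json.get("data", []) if d.get("id", "").lower() == wanted]


def latest_from_search(search_json, package_id):
    """Version the search endpoint advertises as current, or None if the package is absent."""
    hits = search_matches(search_json, package_id)
    return hits[0]["version"] if hits else None


def versions_from_registration(reg_json):
    """Every listed version in a registration index whose pages are inlined.

    Large packages may reference pages by "@id" instead of inlining their items;
    those would have to be fetched separately, which this example does not do.
    """
    versions = []
    for page in reg_json.get("items", []):
        for item in page.get("items", []):
            entry = item.get("catalogEntry", {})
            if entry.get("listed", True):
                versions.append(entry["version"])
    return versions


def check_consistency(search_json, reg_json, package_id, include_prerelease=True):
    """Compare the search 'latest' with the true maximum from registration.

    Returns (status, search_latest, registration_latest). Pass
    include_prerelease=False when the search was made with prerelease=false,
    otherwise a 9.14.0 answer would be flagged as stale against 9.15.0-beta.
    """
    reg_versions = versions_from_registration(reg_json)
    if not include_prerelease:
        reg_versions = [v for v in reg_versions if "-" not in v]
    reg_latest = max(reg_versions, key=parse_version) if reg_versions else None
    search_latest = latest_from_search(search_json, package_id)
    if search_latest is None:
        return ("missing-from-search", None, reg_latest)
    if reg_latest is not None and parse_version(search_latest) < parse_version(reg_latest):
        return ("stale-search-index", search_latest, reg_latest)
    return ("consistent", search_latest, reg_latest)


# Constructed sample payloads (not captured from a real Nexus instance).
SAMPLE_SEARCH = json.loads('''{
  "totalHits": 2,
  "data": [
    {"id": "Company.otherlibrary", "version": "1.0.0", "versions": [{"version": "1.0.0", "downloads": 0}]},
    {"id": "Company.3rdParty.XYZ", "version": "4.23.0", "versions": [{"version": "4.23.0", "downloads": 0}]}
  ]
}''')

SAMPLE_REGISTRATION = json.loads('''{
  "count": 1,
  "items": [{"count": 3, "items": [
    {"catalogEntry": {"id": "Company.3rdParty.XYZ", "version": "4.23.0", "listed": true}},
    {"catalogEntry": {"id": "Company.3rdParty.XYZ", "version": "9.14.0", "listed": true}},
    {"catalogEntry": {"id": "Company.3rdParty.XYZ", "version": "9.15.0-beta", "listed": true}}
  ]}]
}''')

if __name__ == "__main__":
    print(search_url(NEXUS_BASE, PACKAGE_ID))
    print(registration_url(NEXUS_BASE, PACKAGE_ID))
    print(check_consistency(SAMPLE_SEARCH, SAMPLE_REGISTRATION, PACKAGE_ID))
```

Running it against the constructed samples reports `stale-search-index` with 4.23.0 from search versus 9.15.0-beta from registration, which is the symptom the thread describes; run the check after every index rebuild and a change from `consistent` to `stale-search-index` tells you the rebuild regressed the search data rather than Dependabot misbehaving.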

If you haven’t already, ensure you’re running the latest version of Nexus; I recall there have been bugs that were fixed in NuGet search.

Hi @mpiggott @mprescott ,

We updated to the latest version (3.54.1-01). The version returned was still fine, but then we rebuilt the index and again, from properly reporting version 9.14.0, the query endpoint started returning 4.23.0.

So it looks like the problem still exists, even in the latest release.

How can we investigate it further?