Skip to content

Fix missing sha1 digests from the maven index #693

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix missing sha1 digests from the maven index #693

wants to merge 2 commits into from

Conversation

@ariel-miculas
Copy link

Following this checklist to help us incorporate your
contribution quickly and easily:

  • Your pull request should address just one issue, without pulling in other changes.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Each commit in the pull request should have a meaningful subject line and body.
    Note that commits might be squashed by a maintainer on merge.
  • Write unit tests that match behavioral changes, where the tests fail if the changes to the runtime are not applied.
    This may not always be possible but is a best-practice.
  • Run mvn verify to make sure basic checks pass.
    A more thorough check will be performed on your pull request automatically.
  • You have run the integration tests successfully (mvn -Prun-its verify).

If your pull request is about ~20 lines of code you don't need to sign an
Individual Contributor License Agreement if you are unsure
please ask on the developers list.

To make clear that you license your contribution under
the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

@ariel-miculas
Sha1 hashes are not correctly identified when other hashes exist
bcff0cf 
$ mvn test
[INFO] Running org.apache.maven.index.updater.IndexDataTest
[ERROR] Tests run: 12, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.179 s <<< FAILURE! -- in org.apache.maven.index.updater.IndexDataTest
[ERROR] org.apache.maven.index.updater.IndexDataTest.testIdentify -- Time elapsed: 0.077 s <<< FAILURE!
java.lang.AssertionError: expected:<1> but was:<0>
        at org.junit.Assert.fail(Assert.java:89)
        at org.junit.Assert.failNotEquals(Assert.java:835)
        at org.junit.Assert.assertEquals(Assert.java:647)
        at org.junit.Assert.assertEquals(Assert.java:633)
        at org.apache.maven.index.AbstractRepoNexusIndexerTest.testIdentify(AbstractRepoNexusIndexerTest.java:392)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
        at java.base/java.lang.reflect.Method.invoke(Method.java:565)
        at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
        at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
        at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
        at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
        at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
        at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
        at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
        at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
        at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
        at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
        at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
        at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
        at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
        at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
        at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
        at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
        at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
        at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
        at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:316)
        at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:240)
        at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:214)
        at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:155)
        at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:385)
        at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:162)
        at org.apache.maven.surefire.booter.ForkedBooter.run(ForkedBooter.java:507)
        at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:495)

...

[INFO] Results:
[INFO]
[ERROR] Failures:
[ERROR]   DefaultIndexNexusIndexerTest>AbstractRepoNexusIndexerTest.testIdentify:392 expected:<1> but was:<0>
[ERROR]   FullIndexNexusIndexerTest>AbstractRepoNexusIndexerTest.testIdentify:392 expected:<1> but was:<0>
[ERROR]   MinimalIndexNexusIndexerTest>AbstractRepoNexusIndexerTest.testIdentify:392 expected:<1> but was:<0>
[ERROR]   NexusIndexerTest.testIdentity:467 expected:<1> but was:<0>
[ERROR]   IndexDataTest>AbstractRepoNexusIndexerTest.testIdentify:392 expected:<1> but was:<0>
[INFO]
[ERROR] Tests run: 225, Failures: 5, Errors: 0, Skipped: 1
@ariel-miculas
Include missing sha1 digests in the index
514b4ee 
When other digest types are present in the scanned directory, such as
sha256 and sha512, the sha1 digest is not added to the maven index.

This happens because M2GavCalculator.pathToGav handles all the different
possible hashes: sha1, sha256, sha512, md5 and strips the extension,
resulting in the artifact being classified as having the '.jar'
extension. Now, in DefaultArtifactContextProducer.java, the files with
extension sha1 or md5 are not indexed so the M2GavCalculator doesn't
deal with them. But the other 2 hash types weren't ignored until now and
the M2GavCalculator took the sha256/sha512 hash files and deduced there
must also be a corresponding jar file.

In DefaultScannerListener.artifactDiscovered, the artifacts that were
already processed are skipped by this check:

if (processedUinfos.contains(uinfo)) {
    return; // skip individual snapshots
}

Given the following structure:
qdox-1.5.jar
qdox-1.5.jar.md5
qdox-1.5.jar.sha1
qdox-1.5.jar.sha256
qdox-1.5.jar.sha512

This means that if we process the file qdox-1.5.jar.sha512 before
qdox-1.5.jar, the latter will be skipped entirely. However, the
Sha1Locator cannot find the file named qdox-1.5.jar.sha512.sha1 so it
misses that the artifact qdox-1.5.jar has the sha1 hash stored in
qdox-1.5.jar.sha1, resulting in a missing sha1 hash for this artifact.

The easiest solution is to skip processing sha256 and sha512 files
entirely, as we do for sha1 and md5 files.

Related to apache#692
@ariel-miculas
Copy link
Author

@slachiewicz @olamy @cstamas Could I get some help with this PR? Is my effort of trying to fix missing SHA1 digests worth pursuing?

@cstamas
Copy link
Member

cstamas commented Jul 30, 2025

Can you elaborate more what are you trying to fix?

@ariel-miculas
Copy link
Author

I opened this issue, please let me know if you need more details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@slachiewicz slachiewicz slachiewicz approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ariel-miculas @cstamas @slachiewicz