CRITICAL: NexusClassSource.searchInJars() is completely broken - returns null always

[sfloess]

Severity: CRITICAL

File: NexusClassSource.java

Problem

The searchInJars() method (lines 135-152) is completely non-functional. It ALWAYS returns null because the logic is backwards and exceptions are swallowed.

Bug Analysis

Lines 135-152: Broken implementation

private byte[] searchInJars(String packagePath, String classFileInJar) throws IOException {
    String searchUrl = nexusUrl + "service/rest/v1/search?repository=" + repository + "&name=" + packagePath;

    try {
        URL url = new URL(searchUrl);
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        configureAuthentication(connection);
        connection.setRequestMethod("GET");

        int responseCode = connection.getResponseCode();
        if (responseCode == HttpURLConnection.HTTP_OK) {
            return null;  // ← WRONG! Returns null on SUCCESS!
        }
    } catch (IOException e) {
        // ← Swallows exception, does nothing
    }

    return null;  // Always returns null
}

Problems:

1. Line 145-146: Returns null when HTTP response is OK - backwards logic!
2. Lines 148-149: Catches IOException and silently ignores it
3. Line 151: Always returns null at end
4. Never actually searches JAR - doesn't parse response, doesn't extract class data
5. Never reads response body - connection.getInputStream() never called

Result: This method is COMPLETELY NON-FUNCTIONAL. It:

• Always returns null
• Never throws exceptions
• Never returns class data
• Silently fails on all errors

Impact on loadFromMaven()

Lines 112-133:

private byte[] loadFromMaven(String className) throws IOException {
    String packagePath = getPackagePath(className);
    if (packagePath == null) {
        throw new IOException("Cannot determine Maven coordinates for class: " + className);
    }

    String cachedKey = packagePath;
    if (jarCache.containsKey(cachedKey)) {
        return jarCache.get(cachedKey);
    }

    String simpleClassName = getSimpleClassName(className);
    String classFileInJar = ClassNameUtil.toClassFilePath(className);

    byte[] classData = searchInJars(packagePath, classFileInJar);  // ← Always null!
    if (classData != null) {  // ← Never true!
        jarCache.put(cachedKey, classData);
        return classData;
    }

    throw new IOException("Class not found in Nexus Maven repository: " + className);
}

Impact:

• searchInJars() always returns null
• loadFromMaven() ALWAYS throws IOException
• Maven mode is COMPLETELY BROKEN
• Only RAW mode works

How This Went Unnoticed

This bug proves there are NO integration tests for Maven mode. If there were any tests:

@Test
public void testLoadFromMavenRepository() throws Exception {
    NexusClassSource source = new NexusClassSource(
        "https://nexus.example.com",
        "maven-releases",
        NexusMode.MAVEN
    );
    
    byte[] data = source.loadClassData("com.example.MyClass");  // Would ALWAYS fail
    assertNotNull(data);
}

This test would immediately fail because searchInJars() always returns null.

Conclusion: Maven mode has NEVER been tested. This code has never worked.

How to Fix

Fix 1: Implement searchInJars() properly

Need to:

1. Parse Nexus search API JSON response
2. Extract JAR download URLs
3. Download JARs and search for class file
4. Return class bytecode

private byte[] searchInJars(String packagePath, String classFileInJar) throws IOException {
    String searchUrl = nexusUrl + "service/rest/v1/search?repository=" + repository + 
                      "&name=" + packagePath;

    URL url = new URL(searchUrl);
    HttpURLConnection connection = (HttpURLConnection) url.openConnection();
    configureAuthentication(connection);
    connection.setRequestMethod("GET");

    int responseCode = connection.getResponseCode();
    if (responseCode != HttpURLConnection.HTTP_OK) {
        throw new IOException("Nexus search failed: " + responseCode);
    }

    // Parse JSON response
    String jsonResponse;
    try (InputStream in = connection.getInputStream()) {
        jsonResponse = new String(in.readAllBytes(), StandardCharsets.UTF_8);
    }

    // Extract JAR URLs from response (need JSON parser)
    List<String> jarUrls = parseNexusSearchResponse(jsonResponse);
    
    // Search each JAR for the class
    for (String jarUrl : jarUrls) {
        try {
            return loadClassFromJar(jarUrl, classFileInJar);
        } catch (IOException e) {
            // Try next JAR
        }
    }

    return null;  // Not found in any JAR
}

private List<String> parseNexusSearchResponse(String json) {
    // Parse Nexus API response JSON
    // Extract "downloadUrl" fields from "items" array
    // Return list of JAR URLs
    
    // Needs proper JSON parser (Gson, Jackson, etc.)
    throw new UnsupportedOperationException("Not implemented");
}

Fix 2: Add comprehensive tests

@Test
public void testMavenMode() throws Exception {
    NexusClassSource source = new NexusClassSource(
        nexusUrl,
        "maven-releases",
        NexusMode.MAVEN,
        authConfig
    );
    
    byte[] data = source.loadClassData("org.example.TestClass");
    assertNotNull("Maven mode should load classes", data);
    assertTrue("Should return valid bytecode", data.length > 0);
}

@Test
public void testRawMode() throws Exception {
    NexusClassSource source = new NexusClassSource(
        nexusUrl,
        "raw-classes",
        NexusMode.RAW,
        authConfig
    );
    
    byte[] data = source.loadClassData("org.example.TestClass");
    assertNotNull("RAW mode should load classes", data);
    assertTrue("Should return valid bytecode", data.length > 0);
}

Required Actions

1. URGENT: Add warning to documentation that Maven mode is non-functional
2. Implement searchInJars() properly with JSON parsing
3. Add integration tests for both RAW and MAVEN modes
4. Consider removing Maven mode entirely if it's not used

Impact

Current state:

• Maven mode is completely broken
• Has never worked since code was written
• No tests caught this
• Users cannot load classes from Nexus Maven repositories

With fix:

• Maven mode actually works
• Tests prevent regression
• Users can use Nexus Maven repos

This is a BLOCKER bug - an entire mode of the class is non-functional.

[sfloess]

Fixed by deprecating MAVEN mode and directing users to MavenNexusClassSource. searchInJars() is completely broken and would require substantial work to fix. Added @deprecated annotations and documentation.