Classic Firewall
Classic Firewall is in extended maintenance, and users need to switch to the Repository Firewall. This walk-through covers the steps needed to make the switch.
Install the Repository Firewall license
Once the license is installed, a new tab named 'Firewall' appears on the left navigation menu.
Review the Repository Firewall features page for a complete list of capabilities.
Enable Repository Firewall features
The following policies need to be added to benefit from Repository Firewall features:
Add the Integrity-Rating policy
Add the Component Unknown Policy
Configure policy-compliant component selection
To configure policy-compliant component selection, follow the instructions outlined in Policy Compliant Component Selection.
It is recommended that this capability be turned on for npm and PyPI proxy repositories.
Complete the Repository Firewall Guided Setup to turn on the capability for repositories automatically.
Add the Integrity-Rating policy
Go to 'Orgs and Policies' and add the policy ‘Integrity-Rating’ if it is not already present.
Use the following table for configuration values:
| Policy Name | Integrity-Rating |
|---|---|
| Threat Level | 9 Critical |
| Legacy Violations | Uncheck Legacy Violations |
| Inheritance | Inherit policy to 'All Applications and Repositories' |
| Constraints | Add the following constraints: (1) set condition to Integrity Rating is Pending; (2) set condition to Integrity Rating is Suspicious |
| Actions | Set the 'Action' for the 'Proxy' stage to 'Fail' |
Component Unknown Policy
Sonatype's data service continuously learns the identity of components as they are uploaded to public repositories by the community. There is a brief window when new components have just been added and Sonatype's data service has not yet learned about them.
To protect your infrastructure from using such components before they are analyzed for risk, Repository Firewall can temporarily quarantine the unknown components and auto-release them once they have been reviewed.
This is done by setting the Component Unknown Policy to quarantine components with an unknown Match State and auto-release them once they are identified. This is recommended for the npm and PyPI ecosystems.
You will need to add this policy to each proxy repository, or use the default policy for Unknown Components, to enable this behavior for the targeted ecosystems.
Adding the Component-Unknown-Release-Integrity policy
| Policy Name | Component-Unknown-Release-Integrity |
|---|---|
| Threat Level | 8 Critical |
| Constraints | Set 'ALL' for the conditions. Add a constraint for each supported format. |
| npm format | Set condition to Match State is Unknown; set condition to Proprietary is false; set condition to Data Source has support for identity; set condition to Format is npm |
| pypi format | Set condition to Match State is Unknown; set condition to Proprietary is false; set condition to Data Source has support for identity; set condition to Format is pypi |
| Actions | Set the 'Action' for the 'Proxy' stage to 'Fail' |
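After the switch, it is worth verifying that both policies really match the two tables above (the Integrity-Rating table and the Component-Unknown-Release-Integrity table), since a policy left at a weaker proxy action, or missing one of the per-format constraints, silently lets components through. The following Python script is an added example, not Sonatype's code: it encodes the requirements from both tables as checks and runs them over a constructed, simplified policy representation. That dictionary shape, the `check_*` function names and the `misconfigured_sample()` variant are all assumptions made for this illustration and are not the IQ Server policy export format; to use it for real, convert your own export into the same shape and pass it to `check_all()`.

```python
"""Post-migration check: do the two policies match the tables in this walk-through?

Added example, not Sonatype's code. The dictionaries below are a constructed,
simplified policy representation used only for illustration; they are NOT the
IQ Server policy export format. Feed check_all() a dict loaded from your own
export (converted to this shape) to make it a real check after the switch.
"""
import copy
from typing import Dict, List, Sequence, Tuple

Condition = Tuple[str, str, str]  # (field, operator, value) -- constructed shape
UNKNOWN_POLICY = "Component-Unknown-Release-Integrity"

# Constructed sample data transcribing the two configuration tables.
SAMPLE_POLICIES: Dict[str, dict] = {
    "Integrity-Rating": {
        "threat_level": 9,
        "legacy_violations": False,  # "Uncheck Legacy Violations"
        "inheritance": "All Applications and Repositories",
        "constraints": [
            {"conditions": [("Integrity Rating", "is", "Pending")]},
            {"conditions": [("Integrity Rating", "is", "Suspicious")]},
        ],
        "actions": {"proxy": "fail"},
    },
    UNKNOWN_POLICY: {
        "threat_level": 8,
        "constraints": [  # one ALL-constraint per supported format
            {"match": "ALL", "conditions": [
                ("Match State", "is", "Unknown"),
                ("Proprietary", "is", "false"),
                ("Data Source", "has support for", "identity"),
                ("Format", "is", fmt),
            ]} for fmt in ("npm", "pypi")
        ],
        "actions": {"proxy": "fail"},
    },
}

def _has_condition(constraint: dict, cond: Condition) -> bool:
    return cond in constraint.get("conditions", [])

def _proxy_fails(policy: dict) -> List[str]:
    # Both tables require the Proxy stage action to be 'Fail'; anything weaker
    # (warn, or no action at all) lets the component through the proxy.
    if policy.get("actions", {}).get("proxy") != "fail":
        return ["Proxy stage action must be 'Fail'"]
    return []

def check_integrity_rating(policy: dict) -> List[str]:
    """Deviations from the Integrity-Rating table (empty list means compliant)."""
    findings: List[str] = []
    if policy.get("threat_level") != 9:
        findings.append("threat level must be 9 (Critical)")
    if policy.get("legacy_violations", True):
        findings.append("Legacy Violations must be unchecked")
    if policy.get("inheritance") != "All Applications and Repositories":
        findings.append("inherit policy to 'All Applications and Repositories'")
    for value in ("Pending", "Suspicious"):
        cond = ("Integrity Rating", "is", value)
        if not any(_has_condition(c, cond) for c in policy.get("constraints", [])):
            findings.append(f"missing constraint: Integrity Rating is {value}")
    return findings + _proxy_fails(policy)

def check_component_unknown(policy: dict, formats: Sequence[str] = ("npm", "pypi")) -> List[str]:
    """Deviations from the Component-Unknown-Release-Integrity table, per format."""
    findings: List[str] = []
    if policy.get("threat_level") != 8:
        findings.append("threat level must be 8 (Critical)")
    base: List[Condition] = [("Match State", "is", "Unknown"), ("Proprietary", "is", "false"),
                             ("Data Source", "has support for", "identity")]
    for fmt in formats:
        matching = [c for c in policy.get("constraints", [])
                    if _has_condition(c, ("Format", "is", fmt))]
        if not matching:
            findings.append(f"missing constraint for format {fmt}")
            continue
        if matching[0].get("match") != "ALL":
            findings.append(f"{fmt} constraint must require ALL conditions")
        for cond in base:
            if not _has_condition(matching[0], cond):
                findings.append(f"{fmt} constraint missing: {' '.join(cond)}")
    return findings + _proxy_fails(policy)

def check_all(policies: Dict[str, dict]) -> Dict[str, List[str]]:
    """Run both checks; a policy that is absent altogether is itself a finding."""
    ir, cu = policies.get("Integrity-Rating"), policies.get(UNKNOWN_POLICY)
    return {
        "Integrity-Rating": check_integrity_rating(ir) if ir else ["policy not found"],
        UNKNOWN_POLICY: check_component_unknown(cu) if cu else ["policy not found"],
    }

def misconfigured_sample() -> Dict[str, dict]:
    """Constructed variant: proxy action weakened to 'warn', pypi constraint dropped."""
    bad = copy.deepcopy(SAMPLE_POLICIES)
    bad["Integrity-Rating"]["actions"]["proxy"] = "warn"
    bad[UNKNOWN_POLICY]["constraints"] = [c for c in bad[UNKNOWN_POLICY]["constraints"]
                                          if not _has_condition(c, ("Format", "is", "pypi"))]
    return bad
```

Calling `check_all(SAMPLE_POLICIES)` returns an empty finding list for both policies, while `check_all(misconfigured_sample())` reports the weakened proxy action on Integrity-Rating and the missing pypi constraint on Component-Unknown-Release-Integrity. The checks deliberately treat a missing policy, a missing inheritance setting or a missing action as findings rather than defaults, so an export that simply omits a field is flagged instead of passing.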