Component Unknown Policy
Sonatype's data service continuously learns the identity of components as the community uploads them to public repositories. There is a brief window after a new component has been added during which Sonatype's data services have not yet learned about it.
To protect your infrastructure from using them before they are analyzed for risk, Repository Firewall may temporarily quarantine the unknown components and auto-release them once they have been reviewed.
We do this by setting the Component Unknown Policy to quarantine components with an unknown Match State and auto-release them once they are identified. This is recommended for the npm and PyPI ecosystems.
To enable this behavior, add this policy to each proxy repository for the ecosystems you want to cover, or use the default policy for Unknown Components.
Adding the Component-Unknown-Release-Integrity policy
Setting | Value
---|---
Policy Name | Component-Unknown-Release-Integrity
Threat Level | 8 (Critical)
Constraints | Set 'ALL' for the conditions. Add a constraint for each supported format.
npm format constraint | Match State is Unknown; Proprietary is false; Data Source has support for identity; Format is npm
pypi format constraint | Match State is Unknown; Proprietary is false; Data Source has support for identity; Format is pypi
Actions | Set the 'Action' for the 'Proxy' stage to 'Fail'
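The following is an added example, not Sonatype code: it models the quarantine and auto-release flow of the policy in the table above, assuming the usual IQ semantics that each constraint ANDs its conditions (since 'ALL' is set) and the policy fires when any constraint matches. The component records and names are constructed sample data.

```python
"""Model of the Component-Unknown-Release-Integrity policy (added example)."""
from dataclasses import dataclass

THREAT_LEVEL = 8                      # Critical, as in the table
SUPPORTED_FORMATS = ("npm", "pypi")   # one constraint per format


@dataclass
class Component:
    name: str
    format: str               # e.g. "npm", "pypi", "maven"
    match_state: str          # "Unknown" until the data service identifies it
    proprietary: bool
    identity_supported: bool  # "Data Source has support for identity"


def constraint_matches(c: Component, fmt: str) -> bool:
    """'ALL' is set, so every condition of the per-format constraint must hold."""
    return (c.match_state == "Unknown"
            and c.proprietary is False
            and c.identity_supported
            and c.format == fmt)


def proxy_action(c: Component) -> str:
    """Proxy-stage action: 'Fail' quarantines the component, 'Allow' passes it."""
    if any(constraint_matches(c, fmt) for fmt in SUPPORTED_FORMATS):
        return "Fail"
    return "Allow"


def reevaluate(c: Component, new_match_state: str) -> str:
    """Re-run the policy once the data service has identified the component.

    A quarantined component whose Match State is no longer Unknown stops
    violating the policy, which is what allows the auto-release.
    """
    c.match_state = new_match_state
    return "released" if proxy_action(c) == "Allow" else "quarantined"


if __name__ == "__main__":
    fresh = Component("example-pkg", "npm", "Unknown", False, True)  # constructed
    print(proxy_action(fresh))          # Fail: brand-new npm package is held
    print(reevaluate(fresh, "Exact"))   # released once identified
    other = Component("example-lib", "maven", "Unknown", False, True)  # constructed
    print(proxy_action(other))          # Allow: no constraint covers maven
```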