Component Unknown Policy

Sonatype's data service continuously learns the identity of components as the community uploads them to public repositories. There is a brief window, just after a new component has been added, in which Sonatype's data services have not yet learned about it.

To protect your infrastructure from using them before they are analyzed for risk, Repository Firewall can quarantine the unknown components and auto-release them once they have been reviewed.

The Repository Firewall can block components with an unknown Match State and auto-release them once they have been identified. This is recommended for npm and PyPI.

To enable this behavior, add a policy for unknown components or use the default one.

  • Create a policy with the condition: Match State is Unknown

    (screenshot: policy condition, Match State)
  • Add a condition to restrict this behavior to npm and PyPI: Component Format is npm/PyPI

    (screenshot: policy condition, Component Format)
  • Set the Actions field to Fail at the Proxy stage

Adding the Component-Unknown-Release-Integrity policy

Policy Name: Component-Unknown-Release-Integrity

Threat Level: 8 (Critical)

Constraints: add a constraint for each supported format, and set 'all' for the conditions of each constraint.

  • npm constraint

    Set condition to Format is npm
    Set condition to Match State is Unknown
    Set condition to Proprietary is false
    Set condition to Data Source has support for identity
  • pypi constraint

    Set condition to Format is pypi
    Set condition to Match State is Unknown
    Set condition to Proprietary is false
    Set condition to Data Source has support for identity

Actions: set the 'Action' for the 'Proxy' stage to 'Fail'.
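The following is an added example, not Sonatype's code, that models how the policy above is evaluated at the proxy stage: each constraint requires all four of its conditions to hold, the policy fires when any constraint matches, and a quarantined component is released once re-evaluation against refreshed identity data no longer fires the policy. The data classes, the Match State values other than Unknown, and the sample components are assumptions made for the illustration.

```python
"""Model of the Component-Unknown-Release-Integrity policy (assumed model, not Sonatype's code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class MatchState(str, Enum):
    # "exact" and "similar" are assumed names for identified states; "unknown" is the one the policy targets.
    EXACT = "exact"
    SIMILAR = "similar"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class Component:
    """Attributes the policy conditions look at (assumed shape)."""
    format: str
    match_state: MatchState
    proprietary: bool
    data_source_supports_identity: bool


@dataclass(frozen=True)
class Constraint:
    """One per-format constraint; 'all' conditions must hold for it to match."""
    format: str

    def matches(self, c: Component) -> bool:
        return (
            c.format == self.format                      # Format is <format>
            and c.match_state is MatchState.UNKNOWN      # Match State is Unknown
            and not c.proprietary                        # Proprietary is false
            and c.data_source_supports_identity          # Data Source has support for identity
        )


@dataclass(frozen=True)
class Policy:
    name: str
    threat_level: int
    constraints: Tuple[Constraint, ...]
    proxy_action: str = "fail"

    def violated_by(self, c: Component) -> bool:
        # The policy fires when any one of its constraints matches.
        return any(k.matches(c) for k in self.constraints)


COMPONENT_UNKNOWN_POLICY = Policy(
    name="Component-Unknown-Release-Integrity",
    threat_level=8,
    constraints=(Constraint("npm"), Constraint("pypi")),
)


def proxy_decision(policy: Policy, c: Component) -> str:
    """Return 'quarantine' when the policy fires and its Proxy-stage action is Fail."""
    if policy.violated_by(c) and policy.proxy_action == "fail":
        return "quarantine"
    return "allow"


def reevaluate(policy: Policy, refreshed: Component) -> str:
    """Auto-release check: re-run the policy on the component's refreshed identity data."""
    return "hold" if policy.violated_by(refreshed) else "release"


# Constructed sample components for the illustration.
SAMPLES = {
    "npm_unknown": Component("npm", MatchState.UNKNOWN, False, True),
    "npm_identified": Component("npm", MatchState.EXACT, False, True),
    "npm_proprietary_unknown": Component("npm", MatchState.UNKNOWN, True, True),
    "maven_unknown": Component("maven", MatchState.UNKNOWN, False, True),
}

if __name__ == "__main__":
    for label, comp in SAMPLES.items():
        print(f"{label:24s} -> {proxy_decision(COMPONENT_UNKNOWN_POLICY, comp)}")
    # The npm component is quarantined while unknown and released once identified.
    print("after identification ->", reevaluate(COMPONENT_UNKNOWN_POLICY, SAMPLES["npm_identified"]))
```

Note that a proprietary component or one from a format without a constraint (maven in the samples) is never quarantined by this policy, which is why the Proprietary and Format conditions are part of each constraint.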