
Firewall Quarantine

The primary value of Repository Firewall is to quarantine components that are too risky to allow into your proxy repository without a security review. When a requested component violates a critical policy, Repository Firewall places the component into quarantine and returns an error message and a report to the requester.

From the Firewall Dashboard, the security team may review the violations. In cases where the risk is either deemed acceptable or required by the development team, the violations are waived and the component is made available for download from the proxy repository.

  • Repository Firewall must first be configured with failing policies to quarantine components. Disabling the Repository Firewall will release any quarantined components.

  • In some environments, build logs may only show a 403 error message for quarantined components without providing details as to why. We recommend socializing expectations with your development teams so that they are not surprised when this happens.

  • When the service is unavailable and quarantine is enabled, requests for new components are immediately placed in quarantine until they can be evaluated and released. New components will not be downloaded unless you disable Repository Firewall on your proxy repository. We recommend consulting with support before doing this, as restoring the environment after disabling quarantine may not be possible.

    The service may be unavailable because the connection has been disabled, the server is unreachable over the network, or your Repository Firewall license has lapsed.
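Because a quarantined component surfaces in a build log only as a 403, a first triage step is to pull the proxy URLs that appear on 403 lines out of the log and check each one in the Firewall Dashboard. The script below is an added example, not part of this documentation or of the Sonatype products; the log lines, host name, repository names and component names are constructed placeholders, and the `/repository/<name>/<path>` URL layout and the Maven-2 path layout are assumptions it relies on.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample build-log lines (not taken from any real build). The host
# name, repository names and component names are placeholders.
SAMPLE_LOG = """\
[INFO] Downloading from nexus: https://nexus.example.internal/repository/maven-proxy/org/example/libfoo/2.3.1/libfoo-2.3.1.pom
[ERROR] Failed to execute goal on project app: Could not transfer artifact org.example:libfoo:jar:2.3.1 from/to nexus (https://nexus.example.internal/repository/maven-proxy/): authorization failed for https://nexus.example.internal/repository/maven-proxy/org/example/libfoo/2.3.1/libfoo-2.3.1.jar, status: 403 Forbidden
[WARNING] Could not find artifact org.example:missing:jar:0.1 in nexus (https://nexus.example.internal/repository/maven-proxy/), status: 404 Not Found
npm ERR! 403 403 Forbidden - GET https://nexus.example.internal/repository/npm-proxy/left-pad/-/left-pad-1.3.0.tgz
"""

# A URL under the assumed /repository/<name>/<path> layout. Characters that
# commonly terminate a URL inside a log message are excluded from the match,
# so a bare repository root such as ".../maven-proxy/)" is not reported.
URL_RE = re.compile(
    r"https?://[^\s\"',()]+/repository/(?P<repo>[^/\s]+)/(?P<path>[^\s\"',()]+)"
)
# Heuristic: a standalone "403" token on the line. A version string such as
# 1.403.2 would also match, so treat hits as candidates to confirm in the
# Firewall Dashboard rather than as proof of quarantine.
STATUS_403_RE = re.compile(r"\b403\b")


@dataclass(frozen=True)
class Suspect:
    repository: str
    path: str
    line_no: int


def find_possible_quarantines(log_text: str) -> List[Suspect]:
    """Return the (repository, path) pairs found on log lines carrying a 403."""
    hits: List[Suspect] = []
    seen: Set[Tuple[str, str]] = set()
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not STATUS_403_RE.search(line):
            continue
        for match in URL_RE.finditer(line):
            key = (match.group("repo"), match.group("path"))
            if key in seen:
                continue
            seen.add(key)
            hits.append(Suspect(key[0], key[1], line_no))
    return hits


def maven_coordinates(path: str) -> Optional[Tuple[str, str, str]]:
    """Map a Maven-2 layout path to (groupId, artifactId, version).

    Returns None for paths that do not follow that layout (e.g. npm tarballs).
    """
    parts = path.split("/")
    if len(parts) < 4:
        return None
    version, artifact = parts[-2], parts[-3]
    group = ".".join(parts[:-3])
    return group, artifact, version


if __name__ == "__main__":
    for hit in find_possible_quarantines(SAMPLE_LOG):
        coords = maven_coordinates(hit.path)
        label = ":".join(coords) if coords else hit.path
        print(f"line {hit.line_no}: {hit.repository} -> {label} "
              f"(403; check the Firewall Dashboard for a quarantine entry)")
```

Run it against a saved build log by replacing `SAMPLE_LOG` with the file contents; a 404 line is ignored, and the Maven and npm hits are reported with the repository name so you know which Repository Results view to open.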

Quarantine of components already in the proxy repository

Repository Firewall is only intended to quarantine new components that have not yet been used in your applications. This is so quarantine does not break existing builds requesting components already in use.

We recommend using Sonatype Lifecycle to enforce your critical policies in the application where they are used. Clean-up policies on the proxy repository will eventually remove the component when no longer in use.

To quarantine a component that is already in a repository, you must first delete the component from that repository. The component is then quarantined the next time it is requested, provided it has a failing policy violation.

Quarantine configuration

Repository Firewall quarantines components when the policy violation action is set to Fail at the proxy stage. Quarantined components are not available for download through the proxy.

Changing the policy actions requires the Policy Administrator or Owner role.

  1. Log in and select Orgs and Policies

  2. Select the policy to quarantine

  3. Select the Fail radio in the Proxy column under the Actions section

  4. Select Update at the bottom of the page

To create a new policy that triggers the quarantine, see the Configuring Policies documentation.

No Action

The default action, where violations are only displayed in the audit report.

Warn

This action is used to trigger email notifications when new violations are brought into your build environment.

Fail

Quarantines any newly requested components that violate the policy.

Viewing quarantined components

Firewall quarantines components that violate a policy whose Proxy stage action is set to Fail. Quarantined components are visible in the Firewall tab of IQ Server and in the Repository Results view.

Firewall Dashboard

The Firewall Dashboard lists the quarantined components from all of your repositories in one place. Each component includes a link that will navigate you to the Repository Results view.

See Firewall Dashboard to learn more

Repository Results

From the Firewall configuration page, you may view the audit report for a proxy repository configured with Repository Firewall protection.

See Repository Results view to learn more

Quarantined Component View

Individual quarantined components can be viewed in the Quarantined Component View. This view is available when you request a quarantined component from the command line.

See Quarantined Component View to learn more

Quarantine remediation

A few approaches exist to remediate policy violations when a component has been quarantined.

Select a different version

The easiest way to remediate a violation is to select a different version of the same component without the failing violation. The version graph on the Component Details Page shows information about policy violations for other versions.

Select a different component

When there is no version of the component that meets your policy standards, you may consider choosing a different component that will solve the same issue. Good component hygiene starts with selecting projects that are active in addressing security risks.

Waive the violation

When an essential component has no remediation path forward, you may choose to waive the violation and allow it into your repository. Waiving a policy violation means accepting the risk that comes with that component; it does not remove the risk. Once the vulnerable component is in your environment, you may use Sonatype Lifecycle to track the risk in your applications.

Release Quarantined Components

To release a component from quarantine you must waive the failing policy violations. Components are automatically released from quarantine when the failing violations are no longer open.

  1. Navigate to the Firewall Dashboard

  2. Select a component that has been quarantined

  3. Select Policy Violations

  4. For each policy violation with the action of "Proxy Failing":

    1. Select the violation and the Add Waiver button from the violation details view

    2. Fill out the required fields and select Submit

  5. Select the re-evaluate component button to apply the waivers

  6. The component should be released from quarantine

Repository Firewall and Time-Based Waivers

When adding a waiver against failing policy violations for Repository Firewall, the waivers used to release the component should either be scoped to the repository from which the component was quarantined or be short-lived time-based waivers. Once the waiver expires, the component will again trigger the violation. However, since it is already in the repository, it will not be quarantined.

With time-based waivers, violations do not recur during the time window set on the waiver. Downloading the component while waivers are in place will not cause violations during the time window.
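The interaction between the Fail action, repository-scoped waivers, waiver expiry and components already cached in the proxy is easier to see when the rules are written out. The model below is an added illustration, not Sonatype's code or the IQ Server's implementation: it encodes only the behaviour this page states (Fail at the proxy stage quarantines new components; Warn and No Action do not; a waiver applies only within its scope and before it expires; a component already in the repository is never quarantined; disabling the Firewall releases quarantined components). The function and class names, policy names and component identifiers are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Policy actions for the Proxy stage, as the page names them.
NO_ACTION, WARN, FAIL = "No Action", "Warn", "Fail"


@dataclass(frozen=True)
class Violation:
    policy: str
    proxy_action: str


@dataclass(frozen=True)
class Waiver:
    policy: str
    repository: Optional[str] = None       # None: not scoped to one repository
    expires_at: Optional[datetime] = None  # None: no time limit

    def covers(self, violation: "Violation", repository: str, now: datetime) -> bool:
        """A waiver applies only to its policy, within its scope, before expiry."""
        if self.policy != violation.policy:
            return False
        if self.repository is not None and self.repository != repository:
            return False
        if self.expires_at is not None and now >= self.expires_at:
            return False
        return True


@dataclass
class ProxyRepository:
    name: str
    firewall_enabled: bool = True
    cached: Set[str] = field(default_factory=set)       # components already served
    quarantined: Set[str] = field(default_factory=set)


def request_component(repo: ProxyRepository, component: str,
                      violations: List[Violation], waivers: List[Waiver],
                      now: datetime) -> str:
    """Simplified quarantine decision; returns 'served' or 'quarantined'."""
    # Disabling the Firewall releases anything quarantined and serves the request.
    if not repo.firewall_enabled:
        repo.quarantined.discard(component)
        repo.cached.add(component)
        return "served"
    # A component already in the proxy is never quarantined, even after a
    # waiver expires and its violation re-opens.
    if component in repo.cached:
        return "served"
    open_failing = [
        v for v in violations
        if v.proxy_action == FAIL and not any(w.covers(v, repo.name, now) for w in waivers)
    ]
    if open_failing:
        repo.quarantined.add(component)
        return "quarantined"
    # No open failing violation: release from quarantine and serve.
    repo.quarantined.discard(component)
    repo.cached.add(component)
    return "served"


def walkthrough() -> Dict[str, str]:
    """Constructed scenario for a hypothetical component 'libfoo:2.3.1'."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    libfoo = [Violation("Security-Critical", FAIL), Violation("License-Copyleft", WARN)]
    maven = ProxyRepository("maven-proxy")
    other = ProxyRepository("maven-proxy-eu")
    out: Dict[str, str] = {}

    # 1. Fail action at the proxy stage and no waiver: quarantined.
    out["no_waiver"] = request_component(maven, "libfoo:2.3.1", libfoo, [], t0)

    # 2. Repository-scoped, 7-day time-based waiver: released and cached.
    waiver = Waiver("Security-Critical", repository="maven-proxy",
                    expires_at=t0 + timedelta(days=7))
    out["with_waiver"] = request_component(maven, "libfoo:2.3.1", libfoo, [waiver],
                                           t0 + timedelta(hours=1))

    # 3. Same waiver, different repository: out of scope, still quarantined.
    out["other_repo"] = request_component(other, "libfoo:2.3.1", libfoo, [waiver],
                                          t0 + timedelta(hours=1))

    # 4. After expiry the violation re-opens, but the component is already cached.
    out["after_expiry"] = request_component(maven, "libfoo:2.3.1", libfoo, [waiver],
                                            t0 + timedelta(days=8))

    # 5. A Warn-only violation never quarantines.
    out["warn_only"] = request_component(other, "libbar:1.0",
                                         [Violation("License-Copyleft", WARN)], [], t0)
    return out


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step}: {outcome}")
```

Step 4 is the case the paragraph above describes: once the short-lived waiver has expired the violation is open again, yet the request is still served because the component is already in the proxy. Step 3 shows why the waiver's repository scope matters, since the same component requested through a second proxy is quarantined again.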