
Firewall Quarantine

When a requested component violates your open-source policy, the component is placed in quarantine, the request is answered with an error message, and the requester is given a link to the component details. While the component remains quarantined in the proxy repository, it cannot be downloaded through that proxy repository.

The Repository Firewall is used to quarantine components that are found too risky to allow in your development pipeline without going through a security review.

Your security team reviews the violations of quarantined components from the Firewall Dashboard. When the organization determines the introduced risk is acceptable or the components are required by the development team, the violations may be waived and the components are made available for download again through the proxy repository.

Keep the following points in mind when using quarantine for Repository Firewall:

  • Manage the quarantine configuration in the IQ Server

    Set critical policies to FAIL at the PROXY stage to quarantine components when they violate these policies. Disabling the Repository Firewall releases any quarantined components.

  • Repository Firewall only quarantines newly requested components

    Components already found in the proxy repository are audited but not quarantined. This is to avoid disruption to your build pipeline. Use Sonatype Lifecycle to manage the components used by your applications. Components that are deleted from the proxy and re-requested may end up in quarantine when they violate your policies.

  • Educate your development team on the process when something is quarantined

    In some build environments, the logs only show a 403 error message for quarantined components without details on why. We recommend socializing expectations with your development teams so that they are not surprised when this happens.

  • The quarantine service will 'fail closed' to limit risk to your proxies

    When the Repository Firewall service is unavailable and quarantine is enabled, requests for new components are immediately placed in quarantine until they are evaluated and released. New components are not available for download unless the Repository Firewall is disabled on your proxy repository. Consult with Sonatype support before making this change, as recovering your quarantined components may not be possible.
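The third point above notes that a build log often shows nothing but a 403 for a quarantined component. The following is an added example, not code from Sonatype or from this page: a small Python helper that scans build output for 403 responses from a proxy repository and turns each one into a hint that points the developer at the Quarantined Component View and the Firewall Dashboard. The log excerpt is constructed for the example, and the `/repository/<name>/` URL layout used to recover the repository name is an assumption about how the proxy is addressed.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed build-log excerpt (not real output from any system): a Maven
# transfer failure and an npm fetch failure that both hit a 403 from a proxy
# repository, plus a 404 that is ordinary "not found" noise and must be ignored.
SAMPLE_LOG = """\
[INFO] Downloading from nexus-maven-proxy: https://nexus.example.internal/repository/maven-proxy/org/example/lib/1.2.3/lib-1.2.3.pom
[ERROR] Failed to execute goal on project app: Could not resolve dependencies for project com.example:app:jar:1.0: Could not transfer artifact org.example:lib:pom:1.2.3 from/to nexus-maven-proxy (https://nexus.example.internal/repository/maven-proxy/): status code: 403, reason phrase: Forbidden (403)
npm ERR! code E403
npm ERR! 403 403 Forbidden - GET https://nexus.example.internal/repository/npm-proxy/left-pad/-/left-pad-1.3.0.tgz
npm ERR! 404 Not Found - GET https://nexus.example.internal/repository/npm-proxy/no-such-pkg/-/no-such-pkg-0.0.1.tgz
"""

@dataclass(frozen=True)
class Finding:
    repository: str   # proxy repository name recovered from the URL path
    component: str    # coordinates (Maven) or tarball path (npm) that was refused
    source: str       # which log pattern matched

# Maven prints the coordinates and the repository URL on the failure line.
MAVEN_403 = re.compile(
    r"Could not transfer artifact (?P<coords>\S+) from/to \S+ "
    r"\((?P<url>https?://[^)\s]+)\):.*status code: 403"
)
# npm prints the status and the full URL it tried to GET.
NPM_403 = re.compile(r"npm ERR! 403 .*?- GET (?P<url>https?://\S+)")

def repository_from_url(url: str) -> Optional[str]:
    """Return the repository name from a '/repository/<name>/...' path.
    Assumption for this example: the proxy is addressed with that layout."""
    parts = urlparse(url).path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "repository":
        return parts[1]
    return None

def find_possible_quarantines(log_text: str) -> list[Finding]:
    """Collect every 403 answered by a proxy repository; 404s and other
    errors are left alone because they are not quarantine decisions."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = MAVEN_403.search(line)
        if m:
            repo = repository_from_url(m.group("url"))
            if repo:
                findings.append(Finding(repo, m.group("coords"), "maven"))
            continue
        m = NPM_403.search(line)
        if m:
            url = m.group("url")
            repo = repository_from_url(url)
            if repo:
                path = urlparse(url).path.split(f"/repository/{repo}/", 1)[1]
                findings.append(Finding(repo, path, "npm"))
    return findings

def hint(finding: Finding) -> str:
    """Wording to surface in CI output so the 403 is not a mystery."""
    return (
        f"403 from proxy repository '{finding.repository}' for {finding.component}: "
        "the component may be quarantined by Repository Firewall. Request it again "
        "from the command line to open the Quarantined Component View, or look it up "
        "on the Firewall Dashboard."
    )

if __name__ == "__main__":
    for f in find_possible_quarantines(SAMPLE_LOG):
        print(hint(f))
```

Running this over the constructed excerpt reports the two 403s (one Maven, one npm) and skips the 404. Hooking a check like this into the CI job's post-failure step gives developers the explanation the raw log omits.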

Quarantine Configuration

Repository Firewall quarantines components when the policy violation action is set to FAIL at the PROXY stage. Changing the policy actions requires the Policy Administrator or Owner roles in the IQ Server.

  1. Log in and select Repos and Policies

  2. Select the policy to quarantine

  3. Select the Fail radio in the Proxy column under the Actions section

  4. Select Update at the bottom of the page

Actions on the Proxy Stage

These are the actions available at the proxy stage and how they are used.

  • Fail

    Quarantines any newly requested components that violate the policy.

  • Warn

    Triggers an email notification when new components that violate this policy are brought into your build environment.

  • No Action

    The default action, where violations are only displayed in the audit report.

Viewing Quarantined Components

Quarantined components may be reviewed in the following locations:

  • Firewall Dashboard

    The Firewall Dashboard lists the quarantined components from all of your repositories in one place. Each component links you to the component in the Repository Results view.

    See Repository Firewall Dashboard

  • Repository Results

    From the Firewall configuration page, you may view the audit report for a proxy repository configured with Repository Firewall protection.

    See Repository Results

  • Quarantined Component View

    Individual quarantined components may be viewed in the Quarantined Component View. This view is available when you request a quarantined component from the command line.

    See Quarantined Component View

  • REST API

    The REST API may be used to return a list of the quarantined components for reporting or automation in your third-party tooling.

    See Firewall REST API

Quarantine Remediation

A few approaches exist to remediate violations when a component has been quarantined.

  1. Select a different version

    The easiest way to remediate a violation is to select a different version of the same component without the failing violation. The version graph on the Component Details Page shows information about policy violations for other versions.

  2. Select a different component

    When there is no version of the component that meets your policy standards, you may consider choosing a different component that will solve the same issue. Good component hygiene starts with selecting projects that are active in addressing security risks.

  3. Waive the failing violations

    When an essential component has no remediation path forward, you may choose to waive the violation and allow it into your repository. Waiving a policy violation is accepting the risk that comes with that component - it does not remove the risk. Once the vulnerable component is in your environment you may use Sonatype Lifecycle to track the risk in your applications.

Release Quarantined Components

To release a component from quarantine you must waive the failing policy violations. Components are automatically released from quarantine when the failing violations are no longer open.

  1. Navigate to the Firewall Dashboard

  2. Select a component that has been quarantined

  3. For each policy violation with the action of "Proxy Failing"

    1. Select the violation and the Add Waiver button from the violation details view

    2. Fill out the required fields and select Submit

  4. Select the re-evaluate component button to apply the Waivers

  5. The component should be released from quarantine

Repository Firewall and Time-Based Waivers

When adding a waiver against failing policy violations for Repository Firewall, the waivers used to release the component should be scoped either to the repository from which the component was quarantined or to a short time window, using a time-based waiver. Once the waiver expires, the component will again trigger the violation. However, since it is already in the repository, it will not be quarantined.

With time-based waivers, violations do not re-occur during the time window set on the waiver. Downloading the component while waivers are in place will not cause violations during the time window.