Skip to main content

Policy Compliant Component Selection

A DevSecOps best practice for build reliability is 'version pinning' open source dependencies you bring into your environment (see npm documentation, PyPI documentation). However, a common norm for many npm projects is to leave the dependency versions undefined when added to the manifest. If the latest version has violations blocked by Repository Firewall the npm client will error without a clear path forward.

With policy-compliant component selection, RepositoryFirewall will remove quarantined versions from the requested component metadata to prevent the client from trying to select a quarantined version. This feature runs automatically when components are requested from a quarantine-enabled proxy repository. Repository Firewall will deliver policy-compliant versions within the allowable version range.

Configuration for Nexus Repository 3 Pro

Prerequisites

  • Next-Gen Repository Firewall license

  • Sonatype IQ Server 134 and Nexus Repository 3.44 Pro (npm support)

  • Sonatype IQ Server 167 and Nexus Repository 3.61 Pro (PyPI support)

  • Configure Nexus Repository 3 Pro with IQ Server

  • Quarantine enabled on the proxy repository

    • npm and PyPi proxy repositories supported

Enable Policy Compliant Component Selection

  1. Navigate to Nexus Repository 3 Pro

  2. Select theServer Administration and Settings

  3. Select Repositories

  4. Select the desired repository

  5. Check Download policy-compliant versions only

  6. Click Save

Dialog for npm proxy PCCS configuration

Configure Cache Settings

The Policy Compliant Component Selection cache may be modified in Nexus Repository to one hour or less. Here's how to set the cache:

  1. Navigate to Nexus Repository

  2. Select the Server Administration and Settings

  3. Select Repositories

  4. Select the desired repository

  5. Change the Maximum metadata age to 60 minutes or less

  6. Select Save

Configuration for JFrog Artifactory

Prerequisites

  • Next-Gen Repository Firewall license

  • Firewall for Artifactory plugin installed

  • Quarantine enabled on the proxy repository in JFrog Artifactory

    • npm proxy repositories supported

    • Pypi proxy is not supported

Enable Policy Compliant Component Selection

In the firewall.properties configuration file for Firewall for JFrog Artifactory, add a line for each repository you want to enable Policy Compliant Component Selection:

firewall.repo.my-remote-repo=policyCompliantComponentSelection

Configure Cache Settings

Performance for Policy Compliant Component Selection can be improved by reducing the Metadata Retrieval Cache Period configuration setting in Artifactory to one hour or less.

General Info

  1. What is Policy-Compliant Component Selection?

    1. Policy Compliant Component Selection is a feature of the Repository Firewall that delivers the most recent policy-compliant version of a requested component when you install your dependencies. When your dependencies specify a range of versions for a dependency, this feature prevents new releases with policy violations from interrupting your development process. This is useful for applications with large dependency trees and transitive dependencies.

    2. Generally, automatically requesting the latest version of a dependency is not recommended.

  2. Why should I enable this feature?

    1. Enabling this feature can keep your projects running smoothly as Repository Firewall's Release Integrity features review each new release for malicious behavior. With Policy Compliant Component Selection, Repository Firewall reduces its impact on development while still providing maximum protection for your applications.

  3. Does Policy Compliant Component Selection only work with the Release Integrity policy?

    1. Policy Compliant Component Selection works for any policy set to Fail at the Proxy Stage - not just the Release Integrity policy. Failing unknown components is also not required for this feature to function. Be sure to check your auto-release settings as they complement this feature.

  4. What ecosystems are currently supported?

    1. npm and PyPI are currently supported for Repository Firewall.

  5. What are the minimum requirements to use this feature?

    1. See the prerequisites above

    2. Do not enable this feature without using the minimum version of both Nexus Repository 3 and IQ Server.

    3. Using the Policy Compliant Component Selection on Nexus Repository versions older than 3.38.1 and/or IQ Server versions older than 134 will result in performance issues.

  6. Will versions audited by Policy Compliant Component Selection show up in my Repository Results view?

    1. Only the versions downloaded to your repository, the versions used by Policy Compliant Component Selection will appear on the Repository Results.

    2. Unsupported versions of IQ Server may result in unused versions appearing on your Repository Results screen.

  7. What if there is no policy-compliant version of a package?

    1. You will receive a "no package found" error. This is not the same as a quarantined component.

    2. You will not be redirected to the Quarantined Component view.