
Policy Compliant Component Selection

The DevSecOps best practice for build reliability is to pin exact versions of open source dependencies in the build manifest. Many projects instead leave dependency versions unspecified or declare them as a range of versions. When the latest version in that range has violations blocked by Repository Firewall, the npm client fails with an error and no clear path forward.

Policy-compliant component selection filters requests to prevent clients from selecting versions that violate your policies. This feature runs automatically when components are requested from quarantine-enabled proxy repositories.

Configuration for Nexus Repository 3 Pro

Prerequisites

  • IQ Server 167+ and Nexus Repository 3.61+ Pro

  • Nexus Repository 3 Pro and Repository Firewall license configured with IQ Server

  • Quarantine enabled on the npm and PyPI proxy repositories

Enable Policy Compliant Component Selection

  1. In Nexus Repository, select the proxy repository from the Repositories view under the Settings menu

  2. Check the "Filter component versions that fail Sonatype Repository Firewall policy" option and Save the changes.


Configure Cache Settings

The Policy Compliant Component Selection cache in Nexus Repository should be set to one hour or less. To set the cache:

  1. In Nexus Repository, select the proxy repository from the Repositories view under the Settings menu.

  2. Change the Maximum metadata age to 60 minutes or less and Save the changes.

Configuration for JFrog Artifactory

Prerequisites

  • Next-Gen Repository Firewall license

  • Firewall for Artifactory plugin installed

  • Quarantine enabled on the proxy repository in JFrog Artifactory

    • npm proxy repositories supported

    • PyPI proxy repositories are not supported

Enable Policy Compliant Component Selection

In the firewall.properties configuration file for Firewall for JFrog Artifactory, add a line for each repository for which you want to enable Policy Compliant Component Selection:

firewall.repo.my-remote-repo=policyCompliantComponentSelection

Configure Cache Settings

Performance for Policy Compliant Component Selection can be improved by reducing the Metadata Retrieval Cache Period configuration setting in Artifactory to one hour or less.

General Info

  1. What is Policy-Compliant Component Selection?

    Policy Compliant Component Selection is a Repository Firewall feature that delivers the most recent policy-compliant version of a requested component when you install your dependencies. When a dependency is declared as a range of versions, this feature prevents new releases with policy violations from interrupting your development process. This is especially useful for applications with large dependency trees and many transitive dependencies.

    Generally, automatically requesting the latest version of a dependency is not recommended.

  2. Why should I enable this feature?

    Enabling this feature can keep your projects running smoothly as Repository Firewall's Release Integrity features review each new release for malicious behavior. With Policy Compliant Component Selection, Repository Firewall reduces its impact on development while still providing maximum protection for your applications.

  3. Does Policy Compliant Component Selection only work with the Release Integrity policy?

    Policy Compliant Component Selection works for any policy set to Fail at the Proxy Stage, not just the Release Integrity policy. Failing unknown components is not required for this feature to function. Check your auto-release settings, as they complement this feature.

  4. What ecosystems are currently supported?

    npm and PyPI are currently supported for Repository Firewall.

  5. What are the minimum requirements to use this feature?

    Do not enable this feature unless both Nexus Repository 3 and IQ Server meet the minimum versions.

    Using Policy Compliant Component Selection on Nexus Repository versions older than 3.38.1 and/or IQ Server versions older than 134 will result in performance issues.

    See the prerequisites above.

  6. Will versions audited by Policy Compliant Component Selection show up in my Repository Results view?

    Only the versions actually downloaded to your repository, that is, the versions selected by Policy Compliant Component Selection, appear in the Repository Results view.

    Unsupported versions of IQ Server may cause unused versions to appear on your Repository Results screen.

  7. What if there is no policy-compliant version of a package?

    You will receive a "no package found" error. This is not the same as a quarantined component.

    You will not be redirected to the Quarantined Component view.
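How the feature changes resolution for a version range (items 1 and 7 above), as an added illustrative model in Python rather than Sonatype's implementation: the package metadata and proxy-stage policy results are constructed inline, and a range is resolved first the way an unfiltered npm client would and then the policy-compliant way, including the "no package found" case.

```python
"""Illustrative model of Policy Compliant Component Selection for an npm-style version
range. Added example, not Sonatype's code; the metadata below is constructed."""
import re

def parse(v):
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple (pre-release tags not modelled)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version: {v}")
    return tuple(int(x) for x in m.groups())

def satisfies(version, rng):
    """Minimal semver range check: '*', exact, ^, ~ and space-separated comparators."""
    ver = parse(version)
    if rng == "*":
        return True
    if rng[0] in "^~":
        lo = parse(rng[1:])
        # Tilde and caret-on-0.x pin major.minor; caret on >=1.0.0 pins only the major.
        hi = (lo[0], lo[1] + 1, 0) if rng[0] == "~" or lo[0] == 0 else (lo[0] + 1, 0, 0)
        return lo <= ver < hi
    ops = {">=": ver.__ge__, "<=": ver.__le__, ">": ver.__gt__, "<": ver.__lt__, "": ver.__eq__}
    for clause in rng.split():
        m = re.fullmatch(r"(>=|<=|>|<)?(\d+\.\d+\.\d+)", clause)
        if not m:
            raise ValueError(f"unsupported range clause: {clause}")
        if not ops[m.group(1) or ""](parse(m.group(2))):
            return False
    return True

# Constructed proxy-stage results for one package: "fail" marks a version that
# violates a policy set to Fail at the Proxy Stage and would be quarantined.
CONSTRUCTED_METADATA = {"1.2.0": "pass", "1.3.0": "pass", "1.3.1": "fail",
                        "2.0.0": "pass", "2.0.1": "fail"}

def newest_match(metadata, rng):
    """Unfiltered npm-style resolution: the newest in-range version, compliant or not."""
    matches = [v for v in metadata if satisfies(v, rng)]
    return max(matches, key=parse) if matches else None

def select_compliant(metadata, rng):
    """Filtered resolution: the newest in-range version with no failing policy.
    Returns ("ok", version), or ("no package found", reason) rather than a quarantine."""
    matches = sorted((v for v in metadata if satisfies(v, rng)), key=parse, reverse=True)
    if not matches:
        return ("no package found", f"no version satisfies {rng}")
    for v in matches:
        if metadata[v] == "pass":
            return ("ok", v)
    return ("no package found", f"no policy-compliant version satisfies {rng}")
```

With the constructed data, `^1.2.0` resolves to the blocked 1.3.1 without the feature and to 1.3.0 with it, while `~2.0.1` yields "no package found" because its only in-range version fails policy.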