Skip to main content

Quarantined Component View

Components are most often quarantined when a developer, or application build, requests a component from the proxy repository for the first time. Their build tool will receive a 403 error when the component is not downloaded. The error code provides details of the quarantine and a link to the Quarantined Component View.

Quarantined Component View is a temporary page with details of the quarantined component, a list of the violations, and offers potential remediation solutions. This view is available for 12 hours from the time the component is first requested.

113248445.png

Accessing the View

Repository Firewall creates the view when a user requests a quarantined component. This link is available in their build output.

CLI showing report link
Disabling Anonymous Access

By default, the Quarantined Component View link does not require authentication to view. This simplifies access for engineers who may not be allowed to log into the Firewall Dashboard. The information on this page is limited and the length of time it is accessible is relatively short, so there is little risk of exposing secured data.

However, we do recommend disabling anonymous access when your service is accessible to users outside of your organization or is reachable through the public internet.

Disable anonymous access using the Repository Firewall REST API.

Viewing the quarantined components

The quarantined component view provides detailed information about the requested component including its policy violations and remediation strategies. It includes the following sections:

  • Overview - This section indicates that the requested component has been quarantined.

  • Component Overview - The title of the section is the component name. The rest of the section provides information on the component's current status, including the First Quarantined Date and Other Allowed Versions in the Repository

  • Risk Remediation - This tab provides information to remediate the violations causing quarantine. The Recommended Versions section suggests versions without failing policy violations. Versions with no policy violations and versions without policy violations for direct dependencies are both suggested as possible alternatives. This section also includes a Version Explorer which allows you to compare versions visually.

    The Risk Remediation section of the report
  • Policy Violations Causing Quarantine - This section lists the failing violations. When upgrading a component is not available you will need to receive a waiver for all policies listed to use the component.

    155615608.png
  • Other Allowed Versions - This section lists other allowed versions already present in your repository. These versions are not quarantined and can be downloaded without issue. Substituting the requested version with a version listed in this section is a potential alternative to a waiver request.

    189432136.png