Release Integrity
New releases of open-source components introduce high risk to your build pipeline as they may hide malware, critical security vulnerabilities, or unapproved licenses.
Release Integrity is a collection of features in the Repository Firewall that protect you from intentionally harmful components.
Suspicious and Malicious Protection
Machine Learning (ML) system for identifying potentially malicious releases
Repository Firewall blocks dangerous releases by default
Protect your build pipeline from software supply chain attacks
Automatic Quarantine Release
Firewall automatically releases components from quarantine that no longer have failing violations
Automatically release suspicious components deemed safe by the Sonatype Research team
Reduce costs of assessing components coming into your build environment
Policy Compliant Component Selection
Configure your repository manager to only deliver versions without failing policy violations
This keeps new versions from breaking your builds or disrupting development
Release Integrity
When an open-source component or new version is published, Sonatype's AI and Machine Learning tools analyze the release and flag it when they detect unusual release behavior. Typical releases are assigned a Normal rating, while flagged components are sent to the Sonatype Research team for detailed review. During this review, components are assigned a Suspicious Integrity Rating and temporarily quarantined. Components found to exhibit dangerous behavior are labeled Malicious and left in quarantine. Components that pass the review have their Integrity Rating updated to Normal.
Note
The Integrity-Rating policy is automatically created when the Repository Firewall license is installed. This operation only occurs once, even if the license is installed again. The Integrity-Rating policy is configured to guard against malicious components.
This feature is designed to be used along with Repository Firewall's Automatic Quarantine Release to allow components re-assigned a normal integrity rating to be released without intervention by security teams.
Enable Automatic Release
Automatically releasing components from quarantine keeps your environment running smoothly and reduces the effort needed to manage components. At a minimum, we recommend allowing Automatic Release for the Integrity Rating policy condition type and match state.
Integrity-Rating Policy
The Integrity-Rating Policy looks at a component's Release Integrity Score and creates violations for components with Pending or Suspicious values. These statuses are given to new components when Sonatype's machine-learning tools find anything suspicious or unusual in the release.
Release Integrity Score | Description |
---|---|
Unknown | |
Pending | |
Suspicious | |
Normal | |
Not Applicable | |
Managing the Integrity-Rating Policy
The Integrity-Rating Policy is set using the following constraints. The action is set to Fail on the Proxy stage.
Pending integrity rating - is in violation if the following is true: Integrity Rating isPending
Suspicious integrity rating - is in violation if the following is true: Integrity Rating isSuspicious
Security Malicious Policy
The Security-Malicious policy is also triggered when a component is found to be malicious. This information comes from the Security Vulnerability Category and is labeled Malicious Code.
Sample Vulnerable Components
The Sonatype data team maintains sample malicious components for npm, maven, and python projects to use in testing the Integrity Rating policy with the Repository Firewall. These components are not vulnerable in any way but will result in policy violations when used in an application analysis or when requested through the Repository Firewall.
npm Version | Integrity Rating |
---|---|
"@sonatype/policy-demo" : "2.0.0" | Normal |
"@sonatype/policy-demo" : "2.1.0" | Suspicious; malicious Security Vulnerability Category |
"@sonatype/policy-demo" : "2.2.0" | Suspicious |
"@sonatype/policy-demo" : "2.3.0" | Pending |
Maven Version | Integrity Rating |
---|---|
pkg:maven/org.sonatype/maven-policy-demo@1.0.0 | Normal |
pkg:maven/org.sonatype/maven-policy-demo@1.1.0 | Suspicious; malicious Security Vulnerability Category |
pkg:maven/org.sonatype/maven-policy-demo@1.2.0 | Suspicious |
pkg:maven/org.sonatype/maven-policy-demo@1.3.0 | Pending |
Python Version | Integrity Rating |
---|---|
pkg:pypi/python-policy-demo@1.0.0 | Normal |
pkg:pypi/python-policy-demo@1.1.0 | Suspicious; malicious Security Vulnerability Category |
pkg:pypi/python-policy-demo@1.2.0 | Suspicious |
pkg:pypi/python-policy-demo@1.3.0 | Pending |
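To show how the pieces described on this page fit together, here is an added example (not Sonatype's code and not the Repository Firewall's implementation) that models the Integrity-Rating policy constraints, the Security-Malicious policy's Malicious Code category, and Automatic Quarantine Release, and runs them over the npm sample components from the table above. The `Component` class, the function names, the violation labels and the assumed outcome of the Research review are all constructed for the example; only the ratings and the Malicious Code label come from the page.

```python
"""Added example: a small model of the Integrity-Rating and Security-Malicious
policies and Automatic Quarantine Release. Names and data are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class IntegrityRating(Enum):
    """Release Integrity Score values listed on the page."""
    UNKNOWN = "Unknown"
    PENDING = "Pending"
    SUSPICIOUS = "Suspicious"
    NORMAL = "Normal"
    NOT_APPLICABLE = "Not Applicable"


@dataclass
class Component:
    name: str
    integrity_rating: IntegrityRating
    # Security Vulnerability Category labels on the component (constructed field)
    security_categories: frozenset = field(default_factory=frozenset)


def integrity_rating_violations(c):
    """Integrity-Rating policy: Fail on the Proxy stage when the rating isPending or isSuspicious."""
    if c.integrity_rating is IntegrityRating.PENDING:
        return ["Integrity-Rating: Pending integrity rating"]
    if c.integrity_rating is IntegrityRating.SUSPICIOUS:
        return ["Integrity-Rating: Suspicious integrity rating"]
    return []


def security_malicious_violations(c):
    """Security-Malicious policy: triggered by the 'Malicious Code' security category."""
    if "Malicious Code" in c.security_categories:
        return ["Security-Malicious: Malicious Code"]
    return []


def failing_violations(c):
    return integrity_rating_violations(c) + security_malicious_violations(c)


def proxy_decision(c):
    """Firewall decision at the Proxy stage: quarantine if any Fail action fires."""
    return "quarantine" if failing_violations(c) else "allow"


def auto_release(quarantined, review_result):
    """Automatic Quarantine Release: after the Research review updates ratings,
    release every component that no longer has failing violations; keep the rest."""
    released, still_quarantined = [], []
    for c in quarantined:
        updated = Component(c.name, review_result.get(c.name, c.integrity_rating),
                            c.security_categories)
        (released if not failing_violations(updated) else still_quarantined).append(updated)
    return released, still_quarantined


# The npm sample components from the page; 2.1.0 carries the malicious
# Security Vulnerability Category, represented here as the 'Malicious Code' label.
SAMPLE = [
    Component("@sonatype/policy-demo@2.0.0", IntegrityRating.NORMAL),
    Component("@sonatype/policy-demo@2.1.0", IntegrityRating.SUSPICIOUS, frozenset({"Malicious Code"})),
    Component("@sonatype/policy-demo@2.2.0", IntegrityRating.SUSPICIOUS),
    Component("@sonatype/policy-demo@2.3.0", IntegrityRating.PENDING),
]


def run_demo():
    """Return (proxy decisions, names auto-released, names still quarantined)."""
    decisions = {c.name: proxy_decision(c) for c in SAMPLE}
    quarantined = [c for c in SAMPLE if decisions[c.name] == "quarantine"]
    # Constructed review outcome: every rating set to Normal. 2.2.0 and 2.3.0 are
    # released; 2.1.0 stays because its Security-Malicious violation still fails.
    review = {name: IntegrityRating.NORMAL for name in decisions}
    released, still = auto_release(quarantined, review)
    return decisions, [c.name for c in released], [c.name for c in still]


if __name__ == "__main__":
    decisions, released, still = run_demo()
    for name, decision in decisions.items():
        print(f"{name}: {decision}")
    print("auto-released:", released)
    print("still quarantined:", still)
```

The last step is the point worth noticing: an updated Normal integrity rating clears the Integrity-Rating violation, but Automatic Release only frees a component when no failing violation of any policy remains, so a component labeled Malicious Code stays in quarantine regardless of its rating.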