Release Integrity

New releases of open-source components introduce high risk to your build pipeline as they may hide malware, critical security vulnerabilities, or unapproved licenses.

Release Integrity is a collection of features in the Repository Firewall and Lifecycle that protect you from intentionally harmful components.

Suspicious and Malicious Protection

  • Machine Learning (ML) system for identifying potentially malicious new releases

  • Repository Firewall blocks dangerous releases by default

  • Protect your build pipeline from software supply chain attacks

Automatic Quarantine Release

  • Firewall automatically releases components from quarantine that no longer have failing violations

  • Automatically release suspicious components deemed safe by the Sonatype Research team

  • Reduce costs of assessing components coming into your build environment

Policy Compliant Component Selection

  • Configure your repository manager to only deliver versions without failing policy violations

  • This keeps new versions from breaking your builds or disrupting development

Prerequisites

  • A repository manager licensed with Repository Firewall protection

    • supports Nexus Repository and Artifactory

  • IQ Server version 140 or greater

  • This feature is available for Maven, npm, and PyPI

Release Integrity

When a new component or version is published, Sonatype’s AI and Machine Learning tools analyze the release and flag any component with unusual release behavior. Releases that seem ordinary are assigned a release integrity of Normal, while components flagged by our AI tools are sent to the Sonatype Research team for further review. During the review, components are assigned a Suspicious Integrity Rating. Components with dangerous behavior are labeled Malicious and left in quarantine. Components found to be normal have their Integrity Rating changed from Suspicious to Normal.

Note

When the Repository Firewall license is installed, an Integrity-Rating policy is automatically created. This operation will only occur once, even if the license is installed again. The Integrity-Rating policy is configured to guard against malicious components.

This feature is designed to be used along with Repository Firewall's Automatic Quarantine Release to allow components re-assigned a normal integrity rating to be released without intervention by security teams.

Integrity-Rating Policy

The Integrity-Rating Policy looks at a component's Release Integrity Score and creates violations for components with Pending or Suspicious values. These statuses are given to new components when Sonatype's machine-learning tools find anything suspicious or unusual in the release.

| Release Integrity Score | Description |
| --- | --- |
| Unknown | The component is unknown to Sonatype's identity system. New components from public ecosystems are logged in minutes and queued for review. |
| Pending | The component has been logged with Sonatype's Integrity Rating ML system for review. |
| Suspicious | Signals from the component release indicate a threat. Validation is prioritized by Sonatype's data security team. |
| Normal | The component has been assessed and appears normal. |
| Not Applicable | This component is not covered by the Integrity Rating system. |

Note

The Security-Malicious policy is triggered when a component is found to be malicious. This information is from the Security Vulnerability Category and is labeled Malicious Code.

Screenshot of Integrity Rating Policy

Testing the Integrity Rating Policy

The Sonatype data team maintains example npm and Maven projects for testing the Integrity Rating policy with Repository Firewall.

| npm Version | Integrity Rating |
| --- | --- |
| "@sonatype/policy-demo" : "2.0.0" | Normal |
| "@sonatype/policy-demo" : "2.1.0" | Suspicious; malicious Security Vulnerability Category |
| "@sonatype/policy-demo" : "2.2.0" | Suspicious |
| "@sonatype/policy-demo" : "2.3.0" | Pending |

| Maven Version | Integrity Rating |
| --- | --- |
| pkg:maven/org.sonatype/maven-policy-demo@1.0.0 | Normal |
| pkg:maven/org.sonatype/maven-policy-demo@1.1.0 | Suspicious; malicious Security Vulnerability Category |
| pkg:maven/org.sonatype/maven-policy-demo@1.2.0 | Suspicious |
| pkg:maven/org.sonatype/maven-policy-demo@1.3.0 | Pending |
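
A smoke test for the npm demo versions listed above, as an added example that is not Sonatype's code: it requests each tarball through a Firewall-protected proxy repository and reports any version whose delivery does not match its integrity rating. The repository URL, anonymous read access, the default quarantine action on the Integrity-Rating policy, and HTTP 403 as the quarantine response are assumptions.

```python
import urllib.error
import urllib.request

# Demo versions and ratings copied from the npm table on this page.
DEMO_RATINGS = {
    "2.0.0": "Normal",
    "2.1.0": "Suspicious",  # also in the malicious Security Vulnerability Category
    "2.2.0": "Suspicious",
    "2.3.0": "Pending",
}
VIOLATING = {"Pending", "Suspicious"}  # ratings the Integrity-Rating policy flags
QUARANTINE_STATUS = 403  # assumption: status your repository manager returns for quarantined items


def tarball_url(registry, version, scope="@sonatype", name="policy-demo"):
    """Tarball path in the standard npm registry layout for a scoped package."""
    return f"{registry.rstrip('/')}/{scope}/{name}/-/{name}-{version}.tgz"


def http_status(url, timeout=10):
    """GET the URL and return the status code, including 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_demo_versions(registry, fetch=http_status):
    """Return (version, rating, status, problem) for every unexpected result."""
    failures = []
    for version, rating in DEMO_RATINGS.items():
        status = fetch(tarball_url(registry, version))
        if rating in VIOLATING and status != QUARANTINE_STATUS:
            # 200 means the release got through; 404 etc. means the test proved nothing.
            failures.append((version, rating, status, "expected quarantine"))
        elif rating not in VIOLATING and status != 200:
            failures.append((version, rating, status, "expected delivery"))
    return failures


if __name__ == "__main__":
    # Placeholder URL: point this at your Firewall-protected npm proxy repository.
    for row in check_demo_versions("https://nexus.example.internal/repository/npm-proxy"):
        print("FAIL", *row)
```

An empty result means 2.0.0 was delivered and 2.1.0, 2.2.0 and 2.3.0 were refused; a 404 on a flagged version is reported as a failure because it usually indicates a wrong repository URL rather than a quarantine.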

Enable Automatic Release

Automatically releasing components from quarantine keeps your environment running smoothly and reduces the effort you need to spend managing components. At a minimum, we recommend allowing Automatic Release from Quarantine for the Integrity Rating and Match State policy condition types.

To enable Automatic Release From Quarantine:

  1. Log in to the Nexus Repository

  2. Select Repository Firewall from the sidebar

  3. Select Configure on the Auto Release from the Quarantine Status card

  4. Integrity Rating should be enabled by default. If it is disabled, enable it

  5. Enable Match State and any other policy type that suits your organization

  6. Select Save Changes

Disable Integrity Rating

To disable protection from suspicious and malicious components, set the Integrity Rating policy to 'No Action'. Disabling this feature is not recommended as there are no use cases that justify downloading Malicious components on production repositories.