Release Integrity
New releases of open-source components introduce high risk to your build pipeline as they may hide malware, critical security vulnerabilities, or unapproved licenses.
Release Integrity is a collection of features in the Repository Firewall and Lifecycle that protect you from intentionally harmful components.
Suspicious and Malicious Protection
Machine Learning (ML) system for identifying potentially malicious new releases
Repository Firewall blocks dangerous releases by default
Protect your build pipeline from software supply chain attacks
Automatic Quarantine Release
Firewall automatically releases components from quarantine that no longer have failing violations
Automatically release suspicious components deemed safe by the Sonatype Research team
Reduce costs of assessing components coming into your build environment
Policy Compliant Component Selection
Configure your repository manager to only deliver versions without failing policy violations
This keeps new versions from breaking your builds or disrupting development
Release Integrity
When a new component or version is published, Sonatype’s AI and machine learning tools analyze the release and flag any component with unusual release behavior. Releases that seem ordinary are assigned a release integrity of Normal, while components flagged by our AI tools are sent to the Sonatype Research team for further review. During the review, components are assigned a Suspicious Integrity Rating. Components with dangerous behavior are labeled Malicious and left in quarantine; components found to be normal have their Suspicious Integrity Rating changed to Normal.
Note
When the Repository Firewall license is installed, an Integrity-Rating policy is automatically created. This operation will only occur once, even if the license is installed again. The Integrity-Rating policy is configured to guard against malicious components.
This feature is designed to be used along with Repository Firewall's Automatic Quarantine Release to allow components re-assigned a normal integrity rating to be released without intervention by security teams.
Enable Automatic Release
Automatically releasing components from quarantine keeps your environment running smoothly and reduces the effort you need to spend managing components. We recommend, at a minimum, allowing Automatic Release for the Integrity Rating policy condition type and match state.
Integrity-Rating Policy
The Integrity-Rating policy looks at a component's Release Integrity Score and creates violations for components with Pending or Suspicious values. These statuses are assigned to new components when Sonatype's machine-learning tools find anything suspicious or unusual in the release.
Release Integrity Score | Description |
---|---|
Unknown | |
Pending | |
Suspicious | |
Normal | |
Not Applicable | |
Note
The Security-Malicious policy is triggered when a component is found to be malicious. This finding comes from the Security Vulnerability Category and is labeled Malicious Code.
Testing the Integrity Rating Policy
The Sonatype data team maintains example npm, Maven, and Python projects for testing the Integrity Rating policy with the Repository Firewall.
npm Version | Integrity Rating |
---|---|
"@sonatype/policy-demo" : "2.0.0" | Normal |
"@sonatype/policy-demo" : "2.1.0" | Suspicious; malicious Security Vulnerability Category |
"@sonatype/policy-demo" : "2.2.0" | Suspicious |
"@sonatype/policy-demo" : "2.3.0" | Pending |
Maven Version | Integrity Rating |
---|---|
pkg:maven/org.sonatype/maven-policy-demo@1.0.0 | Normal |
pkg:maven/org.sonatype/maven-policy-demo@1.1.0 | Suspicious; malicious Security Vulnerability Category |
pkg:maven/org.sonatype/maven-policy-demo@1.2.0 | Suspicious |
pkg:maven/org.sonatype/maven-policy-demo@1.3.0 | Pending |
Python Version | Integrity Rating |
---|---|
pkg:pypi/python-policy-demo@1.0.0 | Normal |
pkg:pypi/python-policy-demo@1.1.0 | Suspicious; malicious Security Vulnerability Category |
pkg:pypi/python-policy-demo@1.2.0 | Suspicious |
pkg:pypi/python-policy-demo@1.3.0 | Pending |
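To make the interplay of the Integrity-Rating policy, the Security-Malicious policy and Automatic Quarantine Release concrete, here is an added toy model (not Sonatype's code, and not its API) that runs the npm demo versions from the table above through the rules stated on this page. The component identifiers, the review outcomes after quarantine and the `auto_release_policies` setting are constructed for the example.

```python
PENDING, SUSPICIOUS, NORMAL = "Pending", "Suspicious", "Normal"  # scores named on the page

def failing_policies(comp):
    """Integrity-Rating fires on Pending/Suspicious; Security-Malicious on Malicious Code."""
    failing = set()
    if comp["integrity"] in (PENDING, SUSPICIOUS):
        failing.add("Integrity-Rating")
    if comp["malicious_code"]:  # Security Vulnerability Category "Malicious Code"
        failing.add("Security-Malicious")
    return failing

class FirewallQuarantine:
    """Toy model (not Sonatype's code) of quarantine plus Automatic Quarantine Release."""
    def __init__(self, auto_release_policies=("Integrity-Rating",)):
        self.auto_release = set(auto_release_policies)
        self.held = {}  # identifier -> policy names that were failing when it was held

    def request(self, purl, comp):
        failing = failing_policies(comp)
        if failing:
            self.held[purl] = failing
        return "quarantined" if failing else "delivered"

    def rerate(self, purl, comp, new_integrity):
        """Research-team review changed the rating: re-evaluate a held component."""
        comp["integrity"] = new_integrity
        previously, failing = self.held[purl], failing_policies(comp)
        # Release only if nothing still fails and every cleared violation came from a
        # policy configured for Automatic Release; otherwise it stays in quarantine.
        if not failing and previously <= self.auto_release:
            del self.held[purl]
            return "released"
        self.held[purl] = failing or previously
        return "still quarantined"

# The npm demo versions from the page; the identifiers are constructed for this example.
PKG = "@sonatype/policy-demo@"
DEMO = {"2.0.0": (NORMAL, False), "2.1.0": (SUSPICIOUS, True),
        "2.2.0": (SUSPICIOUS, False), "2.3.0": (PENDING, False)}

def demo_npm():
    fw = FirewallQuarantine()
    comps = {v: {"integrity": s, "malicious_code": m} for v, (s, m) in DEMO.items()}
    first = {v: fw.request(PKG + v, c) for v, c in comps.items()}
    # Simulated review outcomes (constructed): 2.2.0 cleared; 2.1.0 cleared of the
    # integrity flag but still Malicious Code; 2.3.0 moves from Pending to Suspicious.
    review = {"2.2.0": NORMAL, "2.1.0": NORMAL, "2.3.0": SUSPICIOUS}
    after = {v: fw.rerate(PKG + v, comps[v], s) for v, s in review.items()}
    return first, after
```

The 2.1.0 case shows why the two policies are separate: clearing the integrity flag does not release a component that still carries a Malicious Code finding.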