Skip to main content

Shadow Download Best Practices

Shadow downloads are third-party or open-source components retrieved from a public repository in a way that bypasses Sonatype Nexus Repository or another artifact repository manager. These components add risk to your project by adding dependencies without regular reviews and visibility. This also prevents your organization from gaining value from your repository manager by bypassing it.

To mitigate shadow downloads, consider the following recommendations.

Build Systems should only retrieve components from the artifact repository manager

Forcing builds only to use components currently cached in your Nexus Repository will act as a fail-safe to ensure that no new components are added to your projects without prior evaluation. This can be achieved by applying policies to incoming components with Sonatype Repository Firewall.

Require all developers to use Sonatype Nexus Repository.

Developers should all be required to retrieve components through your Nexus Repository instance. If it’s possible for your organization, the remote repository location should be locked to Nexus Repository for all corporate machines.

Block all downloads from public OSS repositories within your corporate network.

Only authorized sources, such as a centrally managed Sonatype Nexus Repository should be given access to download component libraries.

Control the installation and configuration of package managers on corporate-owned machines with a managed device management (MDM) solution.

The MDM will allow organizations to ensure all company laptops use package manager configurations pointing to a Sonatype Nexus Repository. It’s also possible to use this type of software to lock configuration files or receive notifications if these settings are changed.

New component or repository request process.

Create an internal process allowing development teams to request content from public repositories that is not currently available through approved means. Once approved these components can be stored in designated repositories within your repository manager.

Enable Repository Health Check.

Repository Health check will identify open-source security risks in your proxy repositories. Enabling this feature will let you monitor your components for potential security risks. Regularly checking the Repository health check can alert you to new components that bypass your normal ingress processes.

Sonatype Repository Firewall customers should enable Policies for Release Integrity (suspicious and pending) and malicious protection.

While shadow downloads bypass the Sonatype Nexus Repository, the Sonatype Firewall will act as a last line of defense as long as the build systems still go through your repositories