Policy Compliant Component Selection FAQ

General Info

  1. What is Policy Compliant Component Selection?
    Policy Compliant Component Selection is a feature of Repository Firewall that delivers the most recent policy compliant version of a requested component when you install your dependencies. When a dependency is declared with a range of versions, this feature prevents new releases with policy violations from interrupting your development process. This is particularly useful for applications with large dependency trees and transitive dependencies.

    Automatically requesting the latest version of a dependency is not recommended as it adds unnecessary risk to an application. 

  2. Why should I enable this feature?
    Enabling this feature for npm can keep your projects running smoothly as Repository Firewall's Release Integrity features review each new release for malicious behavior. With Policy Compliant Component Selection, Repository Firewall reduces its impact on development while still providing maximum protection for your applications.

  3. Does Policy Compliant Component Selection only work with the Release Integrity policy?
    Policy Compliant Component Selection works for any policy set to Fail at the Proxy Stage - not just the Release Integrity policy. Failing unknown components is also not required for this feature to function. Be sure to check your auto-release settings as they complement this feature. 

  4. What ecosystems are currently supported?
    npm - though we're planning to expand support in the future. 

  5. What are the minimum requirements to use this feature?

    1. IQ Server Version 134

    2. Nexus Repository 3.38.1 Pro

      Policy Compliant Component Selection can be enabled on Nexus Repository versions older than 3.38.1, or on 3.38.1 with a version of IQ Server older than 134, but doing so will result in performance issues. Do not enable this feature without using the minimum version of both Nexus Repository 3 and IQ Server.

  6. Will versions audited by Policy Compliant Component Selection show up in my Repository Results view?
    No. Beginning in IQ Server 134, only the versions downloaded to your repository (that is, the versions actually served by Policy Compliant Component Selection) appear in the Repository Results view. Using an unsupported version of IQ Server may result in unused versions appearing on your Repository Results screen.

  7. What if there is no policy compliant version of a package?
    You will receive a "no package found" error. This is not the same as a quarantined component. You will not be redirected to the Quarantined Component view. 

Repository Settings

  1. What does the "Remove Quarantined Versions" checkbox do?  
    This option enables Policy Compliant Component Selection. Functionally, it tells Repository Firewall to remove quarantined versions from the npm package metadata, so that you cannot request a version that fails policy. This option will eventually replace the Remove Non-Catalogued Versions option. See the technical documentation for more information.
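    The following is an added illustration (not Sonatype's code) of why removing quarantined versions from the npm metadata is enough to steer a version range to the newest compliant release, and how a range with no compliant match ends in a "not found" rather than a quarantine. The packument, the quarantined set and the simplified caret-range matcher are all constructed for this example.

```javascript
// Illustrative model of Policy Compliant Component Selection for npm.
// This is example code, not Repository Firewall's implementation.

// Constructed packument: the metadata npm fetches before choosing a version.
const packument = {
  name: "example-lib",
  versions: { "1.2.0": {}, "1.2.1": {}, "1.3.0": {}, "1.4.0": {}, "2.0.0": {} },
};

// Constructed set of versions that failed a policy at the Proxy stage.
const quarantined = new Set(["1.3.0", "1.4.0"]);

const parse = (v) => v.split(".").map(Number);

// Ascending semver comparison for plain x.y.z versions (no prerelease tags).
function compare(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Simplified caret range: ^x.y.z matches >= x.y.z with the same major (x > 0).
function satisfiesCaret(version, range) {
  const base = range.slice(1);
  return parse(version)[0] === parse(base)[0] && compare(version, base) >= 0;
}

// What "Remove Quarantined Versions" models: the client never sees the
// quarantined entries, so it cannot request them.
function removeQuarantined(pkg, bad) {
  const versions = Object.fromEntries(
    Object.entries(pkg.versions).filter(([v]) => !bad.has(v))
  );
  return { ...pkg, versions };
}

// Resolve a caret range the way a package manager does: highest match,
// or null when nothing in the metadata satisfies it ("no package found").
function resolve(pkg, range) {
  const matches = Object.keys(pkg.versions).filter((v) => satisfiesCaret(v, range));
  return matches.length ? matches.sort(compare).pop() : null;
}

const filtered = removeQuarantined(packument, quarantined);
console.log(resolve(packument, "^1.2.0")); // unfiltered metadata picks 1.4.0
console.log(resolve(filtered, "^1.2.0"));  // filtered metadata picks 1.2.1
console.log(resolve(filtered, "^1.3.0"));  // null: no compliant version at all
```

    Cleanup policies still apply to whatever the filtered resolution actually downloads, which is why only served versions end up in the proxy repository.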

  2. What does "Remove Non-Catalogued Versions" do? 
    The Remove Non-Catalogued Versions option uses the Component-Unknown Policy to remove npm packages not identified by Sonatype intelligence. This protects users from supply chain attacks from unknown threats in the npm ecosystem. Check out the technical documentation on this feature for more info. 

Storage and Performance

  1. Are all versions audited for policy compliance downloaded to my proxy repository?
    No. Only versions served are downloaded and stored in your repository. 

  2. What is the storage impact of using Policy Compliant Component Selection?
    The storage impact should be minimal. Only versions served are stored in your repository, so only one version is downloaded to fulfill a request. Over time Nexus Repository may end up storing multiple versions of the same component, but any components not in use would be deleted by a cleanup policy.

  3. What is the performance impact? 
    There may be a performance lag when installing dependencies after this feature is enabled. Once every cache refresh (the default is 72 hours), the metadata of all dependencies needs to be checked. Once this data is in your repository manager, the performance impact should be low.