Nexus Repository 3 Pro Setup

Repository Firewall uses the Sonatype IQ Server to protect your development environment from risky or undesirable components. It applies open source governance policies to prevent proxy repositories from automatically downloading components with unacceptable risk.

Prerequisites

  • Nexus Repository Pro and Repository Firewall license 

  • Nexus Repository 3 Pro

    • Required permissions:

      • Add, Edit, and Delete for Capabilities: required to configure, enable, and disable the Audit feature

      • Read for Repositories: required to view the Firewall Report column for repositories

      • For details, see the Privileges section in Security - Nexus Repository 3

  • IQ Server 

Configure the Audit and Quarantine Capability

Enable Audit and Quarantine by adding the capability to the desired proxy repository. 

  1. Navigate to Nexus Repository 3
  2. Go to the Administration main menu
  3. Click Capabilities under System
  4. Click the Create capability button
  5. Select Firewall: Audit and Quarantine
    1. Prior to release 3.54.1, this capability was named IQ: Audit and Quarantine

  6. Configure the following options:
    1. Ensure the Enable this capability box is checked (it is checked by default)
    2. Select the repository to evaluate in the Repository dropdown
    3. Check the Enable Quarantine for repository checkbox
      This setting affects only components that are added to the repository after Quarantine is enabled.
      When a component is quarantined, Nexus Repository prevents it from being served from the proxy repository.

  7. Click Create capability to save the new capability for Audit and Quarantine

An audit of the repository will start when this feature is enabled.

  • Nexus Repository contacts IQ Server and evaluates the components within the selected repository against any associated policy.
  • Audited components that are already present in the repository are not quarantined, so requests that depend on those components do not fail analysis at other stages.
  • The audit results are displayed in Firewall Report.

Firewall can quarantine newly requested components before they are downloaded to the repository. To quarantine components for a particular policy, set the Fail action on the policy at the Proxy stage.

Disabling the Audit and Quarantine Capability

Disabling quarantine releases all quarantined components into the proxy repository. Previously quarantined components are not quarantined again: only components that are new to the repository are evaluated for quarantine when quarantine is re-enabled.

To disable Audit and Quarantine:

  1. In Nexus Repository, go to the Administration main menu and click Capabilities under System.
  2. Click the Firewall: Audit and Quarantine capability for a specific repository.
    1. Prior to release 3.54.1, this capability was named IQ: Audit and Quarantine
  3. To disable Audit, click the Disable button. Note that Quarantine is disabled as well.
  4. To disable Quarantine only, deselect the Enable Quarantine for Repository check box.

  5. Click Save to save your changes or click Discard to discard them.

Grant Privileges to View Audit and Quarantine Summary Results

In Nexus Repository 3, the "nexus:iq-violation-summary:read" privilege allows you to view audit and quarantine summary results in the Firewall Report column (named IQ Policy Violations before version 3.55.1) of the Repositories view. This privilege is assigned to the Nexus Repository admin role by default. Users assigned to custom roles need this privilege added to those roles before they can view audit and quarantine summary results.

To grant view privileges for audit and quarantine for an existing role:

  1. Go to the Administration menu
  2. Click Roles from the Security section of the sidebar
  3. Click on a role from the list
  4. Move the following privileges from the Available column to the Given column:
    1. nx-repository-view-*-*-read
    2. nexus:iq-violation-summary:read
  5. Click Save.

To create a new role with audit and quarantine privileges:

  1. Go to the Administration menu.
  2. Click Roles from the Security section of the sidebar.
  3. Click Create role.
  4. Enter a Role ID, Role name, and Role description.
  5. Move the following privileges from the Available column to the Given column:
    1. nx-repository-view-*-*-read
    2. nexus:iq-violation-summary:read
  6. Click Create Role.

See the Privileges section in Security - Nexus Repository 3 for more information.

Viewing Repository Results From Nexus Repository Pro

When you add a component to, or delete one from, a proxy repository with Audit enabled, Nexus Repository contacts IQ Server to evaluate the components. Components are checked against any associated policies. The Firewall Report violations are summarized in Nexus Repository and detailed in IQ Server.

Prior to version 3.55.1, the Firewall Report column was named IQ Policy Violations.

In Nexus Repository 3 Pro, the repository audit results are summarized in the Firewall Report column of the Repositories view.

The Firewall Report column includes the following items:

  • A count of components by their highest policy violation level
  • A count of quarantined components
  • A link to results on IQ Server

The Firewall Report column will also alert you if there are any errors in the audit and quarantine process. If there is an error a red exclamation mark will appear to the right of the Repository Results along with a description of the error. Additional information will be available in the Nexus Repository logs.

If you do not have permission to view the results summary, the Firewall Report column only displays Audit Enabled or Quarantine Enabled.

You can access the results from the Capabilities submenu on the Administration menu if you have permission to add capabilities in Nexus Repository.

  1. Navigate to the Capabilities page.
  2. Click Firewall: Audit and Quarantine for a specific repository.
  3. Click View Results in the Capabilities / Firewall: Audit and Quarantine status section. 

See IQ Server and Repository Results to learn more about the Repository Results.