
Waiving Violations & Repository Firewall

Sonatype Repository Firewall blocks components with known and suspected risks from automatically entering through your proxy repositories. Open-source components already released into the proxies are audited without blocking them from being used to ensure production builds continue to run. Control over how components are managed inside of applications is a feature of the Sonatype Lifecycle.

Waiver Scope

Waivers for policy violations can be applied either narrowly or broadly. The scope of a policy waiver refers to the components, organizations, or repositories that it affects. A waiver can be very specific or very broad. For instance, you can create a very specific waiver for a single component in a single repository. Alternatively, if a violation's scope applies to your entire organization, you can create a general waiver that applies to all repositories. The next sections cover the waiver scopes available in the Repository Firewall.

Root Scope

The Root Organization Scope means that a policy applies to all applications and organizations – in short everything that is monitored by Sonatype Lifecycle. Blocking a component in the Proxy Stage at the Root level identifies a component that is too risky to use by any application.

Applying a waiver at the Root level waives the violation for all repositories, all organizations, and all applications. This is a good option for components with policy violations that do not impact any of your applications.

Note

Waivers at the root scope will apply across all Stages in the Sonatype Lifecycle.

[Figure: Root waiver allowing a component into all repositories]

Repository Scope

The Repository Waiver Scope allows a component into the repository that tried to proxy it. This is useful for violations that do not apply to all applications requesting components from that specific repository. One example is a proxy repository used only by internal projects, where components with more restrictive licenses can be allowed.

[Figure: Impact of a repository-specific waiver on component requests]

The Repository Scope is also useful for customers using Sonatype Lifecycle. Waivers applied to the repository level only apply to the Proxy Stage. This allows Sonatype Lifecycle to enforce policy at other stages of your development process. This is useful for components you want to allow into your development environment but prevent from entering your production applications.

[Figure: A component with a repository-scoped waiver and additional Lifecycle policy enforcement]

Waiving A Violation

To waive a violation on a quarantined component:

  1. Log into the IQ Server and select the Firewall view

  2. Select a component that has been quarantined

  3. Go to the Policy view in the Component Details Page

  4. Select the Policy Violation

  5. Select Manage Waivers

  6. Select Add Waiver

  7. Select the waiver scope

    [Figure: Firewall Waiver screen]

    1. Select whether the waiver applies to a specific repository or the Root Organization

    2. Select whether the waiver applies to the specific component or to all instances of that policy violation

  8. Select Waive
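The two choices made in step 7 (repository versus Root Organization, and one component versus all instances of the violation) combine with the scope rules from the Waiver Scope sections above: a root waiver covers every repository and every Lifecycle stage, while a repository waiver covers only the repository it was created for and only the Proxy Stage. The following is an added example that models those rules so they can be checked against sample violations. It is not Sonatype code and does not use the IQ Server API; the class names, policy names, package URLs and repository names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed model of the waiver scopes described on this page. It is an added
# illustration, not Sonatype's implementation; every name below is an assumption.
ROOT = "ROOT"                # Root Organization: all repositories, all Lifecycle stages
REPOSITORY = "REPOSITORY"    # one proxy repository: Proxy Stage only
PROXY_STAGE = "proxy"


@dataclass(frozen=True)
class Violation:
    """One policy violation observed on a component (constructed sample shape)."""
    policy: str        # name of the policy that fired
    component: str     # component coordinates as a package URL
    repository: str    # proxy repository that tried to serve the component
    stage: str         # "proxy" for Firewall, or a later Lifecycle stage such as "build"


@dataclass(frozen=True)
class Waiver:
    """A waiver as chosen in the Add Waiver dialog: scope plus component selection."""
    policy: str
    scope: str                        # ROOT or REPOSITORY
    repository: Optional[str] = None  # required when scope == REPOSITORY
    component: Optional[str] = None   # None waives all instances of this policy violation

    def __post_init__(self) -> None:
        if self.scope not in (ROOT, REPOSITORY):
            raise ValueError(f"unknown waiver scope: {self.scope}")
        if self.scope == REPOSITORY and not self.repository:
            raise ValueError("repository-scoped waiver needs a repository")

    def covers(self, v: Violation) -> bool:
        if self.policy != v.policy:
            return False
        # A component-specific waiver never covers a different component that
        # violates the same policy.
        if self.component is not None and self.component != v.component:
            return False
        if self.scope == ROOT:
            # Root waivers apply to every repository and across all stages.
            return True
        # Repository waivers are limited to the repository they were created for
        # and to the Proxy Stage, so Lifecycle still enforces the policy when the
        # same component shows up at build or release time.
        return v.repository == self.repository and v.stage == PROXY_STAGE


def is_waived(v: Violation, waivers: Iterable[Waiver]) -> bool:
    """True if any waiver covers the violation; otherwise Firewall keeps the
    component quarantined (Proxy Stage) or Lifecycle reports it (later stages)."""
    return any(w.covers(v) for w in waivers)


# Constructed sample waivers: one narrow, one broad.
SAMPLE_WAIVERS: List[Waiver] = [
    # Narrow: this one component, only in the internal proxy, only at the Proxy Stage.
    Waiver("Security-High", REPOSITORY,
           repository="internal-maven-proxy",
           component="pkg:maven/example/widget@1.0.0"),
    # Broad: every component violating the license policy, everywhere, every stage.
    Waiver("License-Copyleft", ROOT),
]

# Constructed sample violations that exercise each boundary of the two scopes.
SAMPLE_VIOLATIONS: List[Violation] = [
    Violation("Security-High", "pkg:maven/example/widget@1.0.0", "internal-maven-proxy", "proxy"),
    Violation("Security-High", "pkg:maven/example/widget@1.0.0", "internal-maven-proxy", "build"),
    Violation("Security-High", "pkg:maven/example/widget@1.0.0", "public-maven-proxy", "proxy"),
    Violation("License-Copyleft", "pkg:npm/example-cli@2.3.1", "public-npm-proxy", "release"),
    Violation("Security-High", "pkg:maven/example/other@4.2.0", "internal-maven-proxy", "proxy"),
]


def evaluate_samples() -> List[bool]:
    """Waiver decision for each sample violation, in order."""
    return [is_waived(v, SAMPLE_WAIVERS) for v in SAMPLE_VIOLATIONS]


if __name__ == "__main__":
    for v, waived in zip(SAMPLE_VIOLATIONS, evaluate_samples()):
        print(f"{v.policy:16} {v.stage:8} {v.repository:20} {v.component:40} "
              f"{'waived' if waived else 'enforced'}")
```

Running the block shows why the repository scope is the safer default when Lifecycle is also in use: the same component that is waived at the Proxy Stage in the internal proxy is still enforced at the build stage and in every other repository, whereas the root waiver silences the license violation everywhere, including the release stage.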