Automatic Quarantine Release

Requirements

Summary

The Repository Firewall page is used to view and manage components across all repositories with quarantine enabled.  The component risk is determined when the component is first requested in those repositories.

Repository components can be automatically released from quarantine for certain policy condition types.  Auto release monitors new component information for recently quarantined components.  If new component information clears all policy violations that caused the quarantine (fail action), the component is automatically released from quarantine.

New Policy Definition

When the Repository Firewall license is installed, an Integrity-Rating policy is automatically created.  This operation will only occur once, even if the license is installed again.  The Integrity-Rating policy is configured to guard against malicious components.

Auto Release Quarantine Configuration

The purpose of auto release from quarantine is to continually monitor recently quarantined repository components and automatically release them back into the development lifecycle as soon as possible.  Configuration is found on the Quarantine and Auto Release from Quarantine dashboard.

Requires Edit IQ elements permission at Repositories level.

Policy Condition Types Supporting Auto Release

Policy violations are triggered by specific conditions defined in the policy.  Each condition type corresponds to a particular kind of component information, which is what auto release monitors for changes.

The policy condition types which can be enabled for monitoring with auto release from quarantine are:

  • Integrity Rating (Enabled by default)
  • License
  • License Threat Group
  • Match State
  • Security Vulnerability Severity
  • Security Vulnerability Category

By default, the Integrity Rating policy condition type is enabled for auto release.

Block Unknown Components

NEW IN RELEASE 136

Repository Firewall can block components with an unknown match state and automatically release them once they're identified. This is recommended for npm and PyPI. To enable this behavior:

  • Create a policy with the condition: Match State is Unknown
  • Add a condition that restricts this behavior to npm and PyPI: Component Format is npm/pypi
  • Set the Actions field to Fail at the Proxy stage

Auto Releasing Components

Auto release of a quarantined component occurs when the component data changes, within a reasonable time frame, which clears all policy violations that caused the quarantine (fail action).  Once there are no longer any violations keeping the component in quarantine, the component is automatically released from quarantine without user intervention.  This allows the component to be consumed from the underlying repository.

The short time frame of the data change is a prerequisite for a component to be automatically released.  If a component remains in quarantine for an extended period, then the value of releasing that component drops dramatically, since a different component is probably in place, or the component isn’t required.

The component information having a higher likelihood of being changed in a reasonable time frame are license and security information.  Further research can result in the component data being updated, whereby the initial quarantined policy violations would be cleared.

Repository components are checked nightly for changes to their policy violations and are automatically released when no violations remain.  Auto release from quarantine only evaluates components that have been quarantined in the past 2 weeks.

NEW IN RELEASE 152

The auto release task runs hourly by default. The schedule interval can be configured using the automaticQuarantineReleaseTimeIntervalInMinutes property of Configuration REST API - v2.
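The following is an added model of the evaluation described above (the "Block Unknown Components" policy and the scheduled auto release pass), written for this page; it is not Sonatype's code and does not call the IQ Server API. All policy names, component purls and component facts are constructed, and the model assumes that a violation whose condition type is not enabled for auto release can never clear.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

# Condition types the page lists as eligible for auto-release monitoring;
# only Integrity Rating is enabled out of the box.
AUTO_RELEASE_CONDITION_TYPES = {
    "Integrity Rating", "License", "License Threat Group", "Match State",
    "Security Vulnerability Severity", "Security Vulnerability Category",
}
DEFAULT_ENABLED_TYPES = {"Integrity Rating"}
MONITOR_WINDOW = timedelta(days=14)  # "quarantined in the past 2 weeks"

Info = Dict[str, object]  # latest component information (constructed facts)


@dataclass(frozen=True)
class Violation:
    policy: str
    condition_type: str
    still_fails: Callable[[Info], bool]  # re-check the condition on fresh data


@dataclass
class QuarantinedComponent:
    purl: str
    quarantined_on: date
    violations: List[Violation]  # violations that caused the quarantine (fail action)
    released_on: Optional[date] = None


def remaining_violations(component, info, enabled_types):
    """Violations that still keep the component in quarantine.

    Only violations whose condition type is enabled for auto release are
    re-checked against the new information; all others persist
    (modelling assumption: an unmonitored violation cannot clear).
    """
    kept = []
    for v in component.violations:
        if v.condition_type in enabled_types and not v.still_fails(info):
            continue  # new component data cleared this violation
        kept.append(v)
    return kept


def run_auto_release(components, latest_info, enabled_types, today):
    """One scheduled auto-release pass; returns the purls released on this run."""
    if not enabled_types <= AUTO_RELEASE_CONDITION_TYPES:
        raise ValueError("condition type not eligible for auto release")
    released = []
    for c in components:
        if c.released_on is not None:
            continue
        if today - c.quarantined_on > MONITOR_WINDOW:
            continue  # outside the monitoring window: not evaluated at all
        info = latest_info.get(c.purl)
        if info is None:
            continue  # no new component information, nothing to re-check
        if not remaining_violations(c, info, enabled_types):
            c.released_on = today
            released.append(c.purl)
    return released


# Constructed policies mirroring the page: the default Integrity-Rating policy,
# the "Match State is Unknown" + "Component Format is npm/pypi" policy, and a
# security severity policy that blocks critical CVSS scores.
INTEGRITY = Violation("Integrity-Rating", "Integrity Rating",
                      lambda i: i["integrity_rating"] == "Suspicious")
UNKNOWN_NPM_PYPI = Violation("Block-Unknown-Components", "Match State",
                             lambda i: i["match_state"] == "Unknown"
                             and i["format"] in ("npm", "pypi"))
CRITICAL_CVE = Violation("Security-Critical", "Security Vulnerability Severity",
                         lambda i: i["cvss_max"] >= 9.0)


def demo(enabled_types=frozenset(AUTO_RELEASE_CONDITION_TYPES)):
    """Run one pass over three constructed components and return what was released."""
    today = date(2024, 3, 15)  # constructed run date
    components = [
        # Unknown npm package that has since been identified: releasable.
        QuarantinedComponent("pkg:npm/example-lib@1.2.3",
                             today - timedelta(days=3), [UNKNOWN_NPM_PYPI]),
        # Integrity rating cleared, but a critical CVE remains: stays quarantined.
        QuarantinedComponent("pkg:pypi/example-tool@0.9",
                             today - timedelta(days=5), [INTEGRITY, CRITICAL_CVE]),
        # Identified now, but quarantined 30 days ago: outside the window.
        QuarantinedComponent("pkg:npm/stale-lib@4.0.0",
                             today - timedelta(days=30), [UNKNOWN_NPM_PYPI]),
    ]
    latest_info = {  # constructed "new component information"
        "pkg:npm/example-lib@1.2.3": {"format": "npm", "match_state": "Identified",
                                      "integrity_rating": "Normal", "cvss_max": 0.0},
        "pkg:pypi/example-tool@0.9": {"format": "pypi", "match_state": "Identified",
                                      "integrity_rating": "Normal", "cvss_max": 9.8},
        "pkg:npm/stale-lib@4.0.0": {"format": "npm", "match_state": "Identified",
                                    "integrity_rating": "Normal", "cvss_max": 0.0},
    }
    return run_auto_release(components, latest_info, set(enabled_types), today)


if __name__ == "__main__":
    print("all types enabled:", demo())
    print("default (Integrity Rating only):", demo(DEFAULT_ENABLED_TYPES))
```

Running `demo()` with every condition type enabled releases only the identified npm package; the PyPI package keeps its critical-severity violation and the stale package is never re-evaluated. With the default configuration (Integrity Rating only) nothing is released, because the Match State and Security Vulnerability Severity violations are not being monitored, which is why the page recommends enabling Match State for the npm/PyPI unknown-component policy.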

Quarantine

The quarantine page displays a summary and details for all repository components which are currently in quarantine.  By default, the results are sorted by the most recently quarantined component.

Requires the View IQ elements permission at Repositories level.


Quarantine Header

The top of the Quarantine page displays the number of components being monitored in quarantine enabled repositories.  When there are no repositories with quarantine enabled, Repository Firewall is not enabled.

Quarantine Dashboard

The quarantine dashboard displays information pertinent to quarantined components and shows the repository configurations.  The dashboard includes:

  • Quarantine Status - Repositories with quarantine enabled
  • Auto Release from Quarantine Status - Summary and configuration of policy condition types enabled for auto release from quarantine.
  • Quarantine - Components quarantined
  • Auto Released from Quarantine - Components auto released from quarantine in the current month

Quarantined Component Results

The quarantine results contain repository components currently in quarantine across all repositories.  The results are navigated using page controls to load different results.  The results are comprised of:

  • Threat - Threat level of the highest policy violation
  • Policy - Policy name of the highest policy violation
  • Quarantine Date - Date the component was quarantined
  • Component - Component quarantined in a repository
  • Repository - Repository the component belongs to

Clicking on a row of the table will display the Component Information Panel for that component.

Auto Release from Quarantine

The Auto Release Quarantine page displays a summary and details for all repository components which have been auto released from quarantine.  It is accessed from the Quarantine page dashboard.  The results do not include components that have been manually released from quarantine.  By default, the results are sorted by the most recently released component.


Manually Trigger Automatic Release

NEW IN RELEASE 136

The Re-Evaluate Repository option in the Repository Results screen triggers the automatic quarantine release. This releases all components eligible for automatic release, not only components blocked by release integrity.

Auto Release Quarantine Dashboard

The auto release quarantine dashboard displays information pertinent to auto released components and shows the repository configurations.  The dashboard includes:

  • Auto Released (Month to Date) - Components auto released from quarantine in the current month
  • Auto Released (Year to Date) - Components auto released from quarantine in the current year
  • Auto Release from Quarantine Status - Summary and configuration of policy condition types enabled for auto release from quarantine.

Auto Released Component Results

The auto release quarantine results contain repository components across all repositories which were auto released from quarantine.  The results are navigated using page controls to load different results.  The results are comprised of:

  • Component - Component quarantined in a repository
  • Quarantine Date - Date the component was quarantined
  • Repository - Repository the component belongs to
  • Date Cleared - Date the component was automatically released from quarantine

Clicking on a row of the table will display the Component Information Panel for that component. Clicking on the Refresh button on the top of the table will refresh the results and will respect any filtering or sorting already applied to the results.