Policy Compliant Component Selection


This feature is only available for npm repositories


The prerequisites for using this feature have changed. 

Enabling this feature without Nexus Repository Pro 3.381+ or IQ Server 134 can cause performance issues. For more information contact Sonatype Technical Support.


In npm, you can request the latest version of a package or allow a range of versions in your package.json. Blindly requesting the latest version can introduce malware, compatibility issues, and other problems to your project. Policy Compliant Component Selection is a feature in Nexus Firewall that audits all allowable versions of a dependency and delivers the most recent policy-compliant version of each dependency. This makes requesting components from a Firewall-protected repository safer and more reliable.

Policy Compliant Component Selection assesses each component for policy compliance. If a policy-compliant dependency has a transitive dependency with no compliant version, Nexus Firewall will not reassess your dependency to find a version whose dependencies all adhere to your policies. In this instance you will receive a component not found error for the transitive dependency.

This feature also only assesses versions allowable in your package.json. Here are some common examples:

latest - Firewall will deliver the most recent policy-compliant version.

^1.0.0 - Firewall will deliver the most recent policy-compliant version for major release 1.

2.3.1 - 2.0.2 - Firewall will deliver the most recent policy-compliant version between version 2.3.1 and 2.0.2.
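As an added example (not Nexus Firewall's own code), the following JavaScript models the selection rule above on constructed data: a hypothetical package's published versions, a constructed set of quarantined versions standing in for policy failures, and the package.json forms just listed. The minimal semver handling and the QUARANTINED set are assumptions for illustration; the real feature takes its verdicts from IQ Server policy evaluation.

```javascript
// Models how a policy-aware resolver narrows a version range. Not Nexus
// Firewall code. Assumes plain x.y.z versions (no prerelease tags).

// Constructed registry metadata for a hypothetical package.
const PUBLISHED = ["1.0.0", "1.2.0", "1.3.1", "2.0.2", "2.1.0", "2.3.1", "3.0.0"];
// Constructed: versions that policy evaluation would quarantine.
const QUARANTINED = new Set(["1.3.1", "2.3.1", "3.0.0"]);

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};
const gte = (a, b) => cmp(a, b) >= 0;
const lt = (a, b) => cmp(a, b) < 0;

// Translate the package.json forms into a predicate on a single version.
function rangeMatcher(spec) {
  if (spec === "latest") return () => true;
  const hyphen = spec.match(/^(\S+)\s+-\s+(\S+)$/); // "2.0.2 - 2.3.1", inclusive
  if (hyphen) return (v) => gte(v, hyphen[1]) && gte(hyphen[2], v);
  if (spec.startsWith("^")) { // caret: leftmost non-zero part stays fixed
    const base = spec.slice(1);
    const [M, m, p] = parse(base);
    const upper = M > 0 ? `${M + 1}.0.0` : m > 0 ? `0.${m + 1}.0` : `0.0.${p + 1}`;
    return (v) => gte(v, base) && lt(v, upper);
  }
  return (v) => cmp(v, spec) === 0; // exact pin
}

// Newest published version that is both in range and not quarantined.
// Returns null where Firewall would answer "component not found".
function selectCompliant(spec, published = PUBLISHED, quarantined = QUARANTINED) {
  const inRange = rangeMatcher(spec);
  const candidates = published.filter((v) => inRange(v) && !quarantined.has(v));
  return candidates.length ? candidates.sort(cmp)[candidates.length - 1] : null;
}

// Demonstration on the constructed data.
for (const spec of ["latest", "^1.0.0", "2.0.2 - 2.3.1", "3.0.0"]) {
  console.log(spec.padEnd(14), "->", selectCompliant(spec) || "component not found");
}
```

Note that the exact pin "3.0.0" yields no compliant candidate, which is the case where an install fails with component not found rather than falling back to an older version.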


To enable Policy Compliant Component Selection:

  1. Navigate to Nexus Repository Pro
  2. Select the Server Administration and Settings Cog
  3. Select Repositories
  4. Select the desired repository
  5. Check Remove Quarantined Versions
  6. Click Save

NXRM configuration checkbox

See this page for more information on the Remove Quarantined Versions option.

Configure Cache Settings

Performance for Policy Compliant Component Selection can be improved by reducing the Nexus Repository cache refresh to one hour. Here's how to set the cache:

  1. Navigate to the sonatype-work directory for your instance of Nexus Repository.
  2. Locate the nexus.properties  file in the sonatype-work/nexus3/etc directory.
  3. Open the nexus.properties file with a text editor or IDE.
  4. Add the following line to the file: nexus.npm.firewall.quarantined_versions_cache_duration_hours=1

    If the configuration option already exists, change the value to 1. This will set the cache duration to one hour.

  5. Save your changes. 


This feature runs automatically when you request dependencies from a quarantine-enabled proxy repository, for example when you run npm install.

Firewall will then deliver policy-compliant dependencies within the allowable version range. If there is no policy-compliant version available for a component, you will receive a component not found error.


Components quarantined by this feature are not downloaded to your repository.

Auditing all versions for requested components greatly increases the number of packages checked before downloading. This can increase the dependency install time.