Policy Compliant Component Selection

A DevSecOps best practice for build reliability is 'version pinning' the open source dependencies you bring into your environment (see the npm documentation). However, a common norm for many npm projects is to leave the dependency version unpinned when it is added to the manifest, so the client resolves whichever version is newest within the allowed range. If that latest version has violations blocked by Repository Firewall, the npm client fails with an error and no clear path forward.

With policy-compliant component selection, Repository Firewall will remove quarantined versions from the requested npm metadata to prevent the client from trying to select a quarantined version.  This feature runs automatically when components are requested from a quarantine-enabled proxy repository.  Repository Firewall will deliver policy-compliant versions within the allowable version range.
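The following script is an added illustration, not Repository Firewall's code, of what the metadata filtering described above looks like from the npm client's point of view. It builds a constructed packument (the JSON document npm fetches for a package) for a fictional package "demo-lib", removes a constructed set of quarantined versions from `versions`, `time` and `dist-tags`, and then resolves a caret range against both the original and the filtered document. The way the `latest` tag is repointed to the highest remaining release, and the dropping of other tags that point at quarantined versions, are assumptions of this demo, not documented Firewall behaviour.

```javascript
// Added example: simulate quarantine-aware filtering of an npm packument.
// Everything below (package name, versions, tarball URLs, quarantine set) is constructed.

const packument = {
  name: "demo-lib",
  "dist-tags": { latest: "1.4.0", next: "2.0.0-beta.1" },
  versions: {
    "1.2.0": { version: "1.2.0", dist: { tarball: "https://proxy.example/demo-lib/-/demo-lib-1.2.0.tgz" } },
    "1.3.0": { version: "1.3.0", dist: { tarball: "https://proxy.example/demo-lib/-/demo-lib-1.3.0.tgz" } },
    "1.4.0": { version: "1.4.0", dist: { tarball: "https://proxy.example/demo-lib/-/demo-lib-1.4.0.tgz" } },
    "2.0.0-beta.1": { version: "2.0.0-beta.1", dist: { tarball: "https://proxy.example/demo-lib/-/demo-lib-2.0.0-beta.1.tgz" } },
  },
  time: {
    created: "2023-01-01T00:00:00.000Z",
    "1.2.0": "2023-01-01T00:00:00.000Z",
    "1.3.0": "2023-03-01T00:00:00.000Z",
    "1.4.0": "2023-06-01T00:00:00.000Z",
    "2.0.0-beta.1": "2023-09-01T00:00:00.000Z",
    modified: "2023-09-01T00:00:00.000Z",
  },
};

// Versions the (hypothetical) firewall policy has quarantined.
const quarantined = new Set(["1.4.0", "2.0.0-beta.1"]);

// Minimal semver parsing: x.y.z with an optional pre-release suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Ordering: numeric fields first; a release sorts above any pre-release of the same x.y.z.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) if (pa[k] !== pb[k]) return pa[k] - pb[k];
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Return a copy of the packument with blocked versions removed so the client
// never sees them as candidates. Non-version keys in `time` (created/modified) survive.
function filterPackument(doc, blocked) {
  const kept = Object.keys(doc.versions).filter((v) => !blocked.has(v)).sort(compareVersions);
  const out = { ...doc, versions: {}, time: {}, "dist-tags": {} };
  for (const v of kept) out.versions[v] = doc.versions[v];
  for (const [k, t] of Object.entries(doc.time || {})) {
    if (!parseVersion(k) || !blocked.has(k)) out.time[k] = t;
  }
  // Assumption of this demo: `latest` is repointed to the highest remaining release;
  // any other tag that pointed at a blocked version is dropped.
  const highestRelease = [...kept].reverse().find((v) => parseVersion(v).pre === null);
  for (const [tag, v] of Object.entries(doc["dist-tags"])) {
    if (!blocked.has(v)) out["dist-tags"][tag] = v;
    else if (tag === "latest" && highestRelease) out["dist-tags"].latest = highestRelease;
  }
  return out;
}

// Resolve a caret range (^x.y.z, the default npm writes to package.json) the way the
// client would: highest release version in the range, pre-releases excluded.
function resolveCaret(range, doc) {
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) throw new Error("only ^x.y.z ranges are handled in this demo");
  const base = parseVersion(range.slice(1));
  const candidates = Object.keys(doc.versions)
    .filter((v) => {
      const p = parseVersion(v);
      if (!p || p.pre !== null) return false;
      if (compareVersions(v, range.slice(1)) < 0) return false;
      if (base.major > 0) return p.major === base.major;
      if (base.minor > 0) return p.major === 0 && p.minor === base.minor;
      return p.major === 0 && p.minor === 0 && p.patch === base.patch;
    })
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

const filtered = filterPackument(packument, quarantined);
console.log("unfiltered ^1.2.0 ->", resolveCaret("^1.2.0", packument)); // 1.4.0, which is quarantined: install fails
console.log("filtered   ^1.2.0 ->", resolveCaret("^1.2.0", filtered));  // 1.3.0, the compliant version in range
console.log("filtered   ^1.4.0 ->", resolveCaret("^1.4.0", filtered));  // null: nothing compliant satisfies the range
```

The last case is the one to keep in mind operationally: when no version inside the requested range is policy compliant, filtering the metadata cannot help, and the client still fails, so the fix is to resolve the policy violation or adjust the range rather than to expect the proxy to substitute a version outside it.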

Configuration for Nexus Repository 3 Pro

Prerequisites

  • Next-Gen Repository Firewall license
  • IQ Server version 134 and greater
  • Nexus Repository 3.44 Pro and greater
  • Configure Nexus Repository 3 Pro with IQ Server
  • Quarantine enabled on the npm proxy repository

Enable Policy Compliant Component Selection

  1. Navigate to Nexus Repository 3 Pro
  2. Select the Server Administration and Settings Cog
  3. Select Repositories
  4. Select the desired repository
  5. Check Download policy compliant versions only
  6. Click Save


See this page for more information on the Download policy compliant versions only option.

Configure Cache Settings

Performance for Policy Compliant Component Selection can be improved by reducing the Nexus Repository cache refresh to one hour or less. Here's how to set the cache:

  1. Navigate to Nexus Repository
  2. Select the Server Administration and Settings Cog
  3. Select Repositories
  4. Select the desired repository
  5. Change Maximum metadata age to 60 minutes or less
  6. Click Save

Configuration for JFrog Artifactory

Prerequisites

  • IQ Server version 145 or greater
  • An npm proxy/remote repository in JFrog Artifactory
  • Next-Gen Repository Firewall license

Enable Policy Compliant Component Selection

In the firewall.properties configuration file for Firewall for JFrog Artifactory, add a line for each repository for which you want to enable Policy Compliant Component Selection:

firewall.repo.my-remote-repo=policyCompliantComponentSelection

Configure Cache Settings

Performance for Policy Compliant Component Selection can be improved by reducing the Metadata Retrieval Cache Period configuration setting in Artifactory to one hour or less.