Preventing Namespace Confusion

NEW IN IQ Server 106 and Repository manager 3.30

Prerequisites

The features discussed in this section require Nexus Repository Manager Pro and IQ Server with the following licenses: Repository and Firewall.

Nexus Firewall can prevent Namespace Confusion attacks. Namespace Confusion (also called dependency confusion) is a software supply chain attack that tricks a package manager into downloading a malicious component instead of a proprietary one. The attacker uploads a component with the same name as the proprietary component to a public repository in an ecosystem that has no namespace scoping, so nothing ties that name to its internal owner. When a build resolves the name against both the internal and the public repository, the package manager fetches the malicious component, believing it to be the proprietary one. Attackers often publish with very high version numbers so that builds configured to take the newest available version of a dependency prefer the malicious copy.

Firewall stops these attacks by letting you designate a hosted repository as proprietary. Firewall then blocks any component from another source whose name matches a component in that proprietary repository.

Before designating a repository as proprietary, we recommend moving all third-party components, including patched and rebuilt third-party components, into a separate repository. Any third-party component left in the proprietary repository would otherwise cause its public counterpart to be blocked.
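The following script is an added illustration and is not Sonatype code or a description of Firewall's internals. It models the resolution behaviour described above on constructed sample data: a naive resolver that takes the highest version of a name across an internal hosted repository and a public proxy, the same resolver behind a "proprietary names" gate that quarantines public candidates whose name exists in a repository designated as proprietary, and the effect of leaving a rebuilt third-party component in the proprietary repository versus moving it out. The repository names, package names and versions are all assumptions made up for the example.

```python
"""Dependency (namespace) confusion, simulated offline.

Added example, not Sonatype code. Repository contents are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

Version = Tuple[int, ...]
Repos = Dict[str, Dict[str, List[str]]]  # repository -> component name -> versions


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version into a tuple so that '99.0.0' sorts above '1.3.1'."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    source: str  # repository the candidate was found in

    @property
    def key(self) -> Version:
        return parse_version(self.version)


# Constructed sample repositories (assumed names, not real data).
# 'internal-hosted' is the hosted repo that will be marked proprietary;
# 'public-proxy' proxies a public registry in an ecosystem without namespaces.
REPOSITORIES: Repos = {
    "internal-hosted": {
        "acme-billing": ["1.2.0", "1.3.1"],  # genuinely proprietary component
        "requests": ["2.28.1"],              # patched third-party rebuild left in the same repo
    },
    "public-proxy": {
        "requests": ["2.31.0"],              # legitimate upstream release
        "acme-billing": ["99.0.0"],          # attacker's upload squatting the internal name
    },
}
PROPRIETARY_REPOS: Set[str] = {"internal-hosted"}


def candidates_for(name: str, repos: Repos) -> List[Candidate]:
    """Every version of `name` visible across all repositories."""
    return [Candidate(name, v, repo) for repo, pkgs in repos.items() for v in pkgs.get(name, [])]


def resolve_naive(name: str, repos: Repos) -> Optional[Candidate]:
    """Unprotected resolution: the highest version wins, wherever it lives."""
    cands = candidates_for(name, repos)
    return max(cands, key=lambda c: c.key) if cands else None


def proprietary_names(repos: Repos, proprietary_repos: Iterable[str]) -> Set[str]:
    """Every component name present in a repository designated as proprietary."""
    return {n for repo in proprietary_repos for n in repos.get(repo, {})}


def firewall_filter(cands: List[Candidate], repos: Repos,
                    proprietary_repos: Set[str]) -> Tuple[List[Candidate], List[Candidate]]:
    """Quarantine any candidate from a non-proprietary repo whose name is proprietary."""
    protected = proprietary_names(repos, proprietary_repos)
    allowed, quarantined = [], []
    for c in cands:
        if c.name in protected and c.source not in proprietary_repos:
            quarantined.append(c)
        else:
            allowed.append(c)
    return allowed, quarantined


def resolve_with_firewall(name: str, repos: Repos,
                          proprietary_repos: Set[str]) -> Tuple[Optional[Candidate], List[Candidate]]:
    """Protected resolution: highest version among candidates the gate let through."""
    allowed, quarantined = firewall_filter(candidates_for(name, repos), repos, proprietary_repos)
    chosen = max(allowed, key=lambda c: c.key) if allowed else None
    return chosen, quarantined


def split_third_party(repos: Repos, proprietary_repo: str, third_party: Iterable[str],
                      new_repo: str = "third-party-hosted") -> Repos:
    """Return a copy of `repos` with the named components moved out of the proprietary repo
    (the 'move third-party components into a separate repository' recommendation)."""
    out = {repo: dict(pkgs) for repo, pkgs in repos.items()}
    moved = {n: out[proprietary_repo].pop(n) for n in third_party if n in out[proprietary_repo]}
    out.setdefault(new_repo, {}).update(moved)
    return out


if __name__ == "__main__":
    print("naive:    ", resolve_naive("acme-billing", REPOSITORIES))
    print("firewall: ", resolve_with_firewall("acme-billing", REPOSITORIES, PROPRIETARY_REPOS))
    print("requests, rebuild left in proprietary repo:",
          resolve_with_firewall("requests", REPOSITORIES, PROPRIETARY_REPOS))
    fixed = split_third_party(REPOSITORIES, "internal-hosted", ["requests"])
    print("requests, rebuild moved to its own repo:   ",
          resolve_with_firewall("requests", fixed, PROPRIETARY_REPOS))
```

The naive resolver returns the attacker's 99.0.0 `acme-billing` from the public proxy; behind the gate that candidate is quarantined and the internal 1.3.1 is chosen. With the rebuilt `requests` still inside the proprietary repository, the legitimate public 2.31.0 is quarantined too, which is the side effect the recommendation above avoids: once the rebuild is moved to a separate, non-proprietary repository, the public release resolves normally.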

To protect a repository from dependency/namespace confusion:

  1. Navigate to Nexus Repository Manager and sign in.
  2. Click the administration icon in the navigation bar. This takes you to the administration menu.
  3. Select Repositories from the sidebar.
  4. Select the hosted repository with your proprietary components.
  5. Click the checkbox under Proprietary Components.
  6. Click Save.

Components quarantined to prevent namespace confusion can be viewed and released like any other quarantined component. See Managing the Quarantine for more information.