Using Audit and Quarantine in NXRM 3.x

The features discussed in this section require Nexus Repository Manager Pro and IQ Server with the following licenses: Repository and Firewall.

The Audit and Quarantine features provide a way to protect your development environment from risky or undesirable components. These features use IQ Server policy management to identify, and if desired, prevent a proxy repository from serving unwanted components.

Before activating Audit and Quarantine, there are several items you need to complete:

  • Both Nexus Repository Manager 3.x and IQ Server must be running and must have a working connection between the two systems.
  • In Nexus Repository Manager 3.x, you need the following privileges:
    • Add, edit, and delete privileges for capabilities, which allows you to configure, enable, and disable the Audit feature.
    • Read privilege for repositories, which lets you view a results column in Repositories (under Repository in the Administration main menu).
      For information on assigning privileges, see the Privileges section in Security - NXRM 3.
  • For IQ Server, you must be assigned to a role in the root organization with permissions to view and edit IQ Elements. The built-in roles of Policy Administrator and Owner have these permissions. For more information on assigning roles and permissions, see Role Management. To learn more about the root organization, see Root Organization.
  • Also with regard to IQ Server, you should create a policy in the root organization that defines the rules or criteria to use when evaluating components of a proxy repository. The policy must be at the root organization level in the system hierarchy; policies at other levels are ignored by Audit. To learn more about creating a policy, see Policy Management.

Once these items are completed, you are ready to configure Audit and Quarantine and view audit results. Each of these actions is described below in more detail.

Configuring Audit and Quarantine

You configure the Audit and Quarantine features by adding them to Nexus Repository Manager 3.x as a capability.

To configure Audit and Quarantine:

  1. In Nexus Repository Manager 3.x, go to the Administration main menu and click Capabilities under System.
  2. Click the Create capability button.
  3. In the Select Capability Type view, click IQ: Audit and Quarantine.
  4. In the Create IQ: Audit and Quarantine view, configure the following settings:
    1. Enable this capability - Make sure the check box is selected to activate the Audit feature. The check box is selected by default.
    2. Repository - Select a specific proxy repository to evaluate, for example, maven-central.
    3. Quarantine - Select the check box to quarantine any components that violate policy whenever you add new components to the selected proxy repository. This setting affects only components that are added to the repository after Quarantine is enabled. When a component is quarantined, the Nexus Repository Manager prevents it from being served from the proxy repository. The check box is deselected by default.
  5. Click Create capability to save the new capability for Audit and Quarantine.

At this point, an audit of the selected repository is automatically started. Nexus Repository Manager contacts IQ Server and evaluates the components within the selected repository against any associated policy.

The results are displayed in Repository Results, which is described in the next section Understanding Repository Results.

Enabling the Quarantine check box is not sufficient on its own. The policy used to evaluate components must be configured with the Fail action at the Proxy stage of the development lifecycle; a policy whose Proxy-stage action is Warn (or No Action) still reports violations in the audit results but does not quarantine anything. For more information about setting policy actions and the Proxy stage, see Policy Management.

Disabling Audit and/or Quarantine

To disable Audit and/or Quarantine:

  1. In Nexus Repository Manager, go to the Administration main menu and click Capabilities under System.
  2. Click the IQ: Audit and Quarantine capability for a specific repository.
  3. To disable Audit, click the Disable button. Note that Quarantine is disabled as well.
  4. To disable Quarantine only, deselect the Enable Quarantine for Repository check box.

    When Quarantine is disabled, all quarantined components are made available for download from your proxy repository. This remains true if you later re-enable Quarantine: previously quarantined components are not quarantined again; only components added after Quarantine is re-enabled are evaluated for quarantine.

  5. Click Save to save your changes or click Discard to discard them.

Releasing a Component from Quarantine

When a component is quarantined due to a violation, it is not available for download from the proxy repository. You must first resolve the violation(s) that caused the quarantine before releasing the component and making it downloadable. For information on resolving violations from labels, security vulnerabilities, or license issues, see Application Composition Report. For information on waiving policy violations, see IQ Server and Repository Results. Once the violations are resolved, you can proceed with releasing a component from quarantine.

To release a component from quarantine:

  1. In Nexus Repository Manager 3.x, go to Repositories on the Administration menu, and click the IQ Policy Violations count of an evaluated repository. This opens the Repository Results hosted on IQ Server.
  2. Click the component you want to release from quarantine. This opens the Component Information Panel (CIP).
  3. Click the Policy tab, and then click the Release Quarantine button.
  4. In the confirmation box, click the Release button.

Once a component is released from quarantine, it cannot be put back into quarantine even if it has subsequent policy violations. If you want to re-quarantine a component, you must delete the component from its repository. The component will be quarantined again if, during an audit, it violates a policy that is set to Fail at the Proxy stage.
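The rules above (Quarantine only affects components added after it is enabled, Warn-level violations never quarantine, disabling and re-enabling Quarantine does not re-quarantine, and a released component stays released until it is deleted) interact in ways that are easy to get wrong when judging what a proxy repository will actually serve. The following is an added example, not Sonatype's code: a small model that encodes only the documented behaviour and never contacts Nexus Repository Manager or IQ Server. The component names and the policy actions assigned to them are constructed for the walkthrough.

```python
# Added example (not Sonatype code): a model of the quarantine lifecycle rules
# documented on this page. It encodes only the documented behaviour and does not
# talk to Nexus Repository Manager or IQ Server.
from dataclasses import dataclass, field

FAIL, WARN, NONE = "fail", "warn", "none"   # possible Proxy-stage policy actions


@dataclass
class Component:
    name: str
    proxy_action: str  # worst Proxy-stage action among the policies it violates


@dataclass
class ProxyRepository:
    quarantine_enabled: bool = False
    cached: dict = field(default_factory=dict)     # name -> Component
    quarantined: set = field(default_factory=set)
    released: set = field(default_factory=set)     # manually released; immune until deleted

    def evaluate(self, comp: Component) -> None:
        """Called when a component is added to the proxy (or re-audited later)."""
        self.cached[comp.name] = comp
        if (self.quarantine_enabled
                and comp.proxy_action == FAIL          # Warn or No Action never quarantines
                and comp.name not in self.released):   # released components cannot be re-quarantined
            self.quarantined.add(comp.name)

    def set_quarantine(self, enabled: bool) -> None:
        if not enabled:
            # Disabling releases everything; re-enabling does not re-evaluate the cache
            self.quarantined.clear()
        self.quarantine_enabled = enabled

    def release(self, name: str) -> None:
        self.quarantined.discard(name)
        self.released.add(name)

    def delete(self, name: str) -> None:
        # Deleting is the only way to make a released component eligible again
        self.cached.pop(name, None)
        self.quarantined.discard(name)
        self.released.discard(name)

    def can_download(self, name: str) -> bool:
        return name in self.cached and name not in self.quarantined


def walkthrough() -> dict:
    """Constructed scenario; returns whether each claim about serving holds."""
    repo = ProxyRepository()
    out = {}
    repo.evaluate(Component("old-lib-1.0.jar", FAIL))   # cached before Quarantine was on
    repo.set_quarantine(True)
    repo.evaluate(Component("bad-lib-2.0.jar", FAIL))
    repo.evaluate(Component("warn-lib-2.1.jar", WARN))
    repo.evaluate(Component("good-lib-3.0.jar", NONE))
    out["pre_existing_still_served"] = repo.can_download("old-lib-1.0.jar")
    out["fail_blocked"] = not repo.can_download("bad-lib-2.0.jar")
    out["warn_served"] = repo.can_download("warn-lib-2.1.jar")
    out["clean_served"] = repo.can_download("good-lib-3.0.jar")

    repo.set_quarantine(False)                 # releases bad-lib
    repo.set_quarantine(True)                  # does not quarantine it again
    out["served_after_toggle"] = repo.can_download("bad-lib-2.0.jar")

    repo.delete("bad-lib-2.0.jar")
    repo.evaluate(Component("bad-lib-2.0.jar", FAIL))   # re-proxied after deletion
    out["blocked_after_delete_and_readd"] = not repo.can_download("bad-lib-2.0.jar")

    repo.release("bad-lib-2.0.jar")
    repo.evaluate(Component("bad-lib-2.0.jar", FAIL))   # later audit finds a new Fail violation
    out["released_stays_served"] = repo.can_download("bad-lib-2.0.jar")
    return out


if __name__ == "__main__":
    for claim, holds in walkthrough().items():
        print(f"{claim}: {holds}")
```

The first result is the one to keep in mind when rolling Quarantine out on a repository that already has a populated cache: nothing that was proxied before the capability was enabled is ever blocked, however bad its audit result, unless it is deleted and fetched again.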

Viewing Repository Results

Once the Audit is enabled, whenever you add a component to a proxy repository (or delete one), Nexus Repository Manager contacts IQ Server to evaluate the components within the proxy repository against any associated policy. The IQ Policy Violations are summarized in Nexus Repository Manager, and detailed in IQ Server.

In Nexus Repository Manager 3.x, the results of an audit are summarized in the IQ Policy Violations column of the Repositories view as shown in the figure below. You can access the Repositories view from the Repository sub menu of the Administration menu.

The IQ Policy Violations column includes the following items:

  • A count of components by their highest policy violation level.
  • A count of quarantined components.
  • A link to Repository Results on IQ Server.

The IQ Policy Violations column will also alert you if there are any errors in the audit and quarantine process. If there is an error, for example Nexus Repository Manager cannot communicate with IQ Server, a red exclamation mark will appear to the right of the Repository Results link along with text pertinent to the error that occurred. Additional information will be available in the Nexus Repository Manager logs.

If the IQ Policy Violations column displays only Audit Enabled or Quarantine Enabled, then you do not have permission to view audit and quarantine summary results. For more information about this permission, see Granting Privileges to View Audit and Quarantine Summary Results later in this chapter.

If you have permissions to add capabilities in Nexus Repository Manager, you can also access Repository Results from the Capabilities submenu on the Administration menu:

  1. In the Type list of capabilities, click IQ: Audit and Quarantine for a specific repository.
  2. In the Capabilities / IQ: Audit and Quarantine view, go to the Status section and click View Results.

To learn more about the details displayed in the Repository Results, see IQ Server and Repository Results.

Granting Privileges to View Audit and Quarantine Summary Results

In Nexus Repository Manager 3.x, the "nexus:iq-violation-summary:read" privilege allows you to view audit and quarantine summary results in the IQ Policy Violations column of the Repositories view. This privilege is assigned to the Nexus admin role by default. Users who are assigned only custom roles need this privilege added to one of those roles in order to view audit and quarantine summary results.

To grant view privileges for audit and quarantine:

  1. In Nexus Repository Manager 3.x, go to Security on the Administration menu and click Roles.
  2. In the Manage Roles view, either create a new role or click to select an existing custom role.
  3. If creating a new role, enter a Role ID, Role name, and Role description.
  4. In the Privileges list, move the following privileges to the Given column:
    1. nx-repository-view-*-*-read
    2. nexus:iq-violation-summary:read
  5. Save the role changes by clicking Create Role or Save.
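The same role can be created without the UI through the Nexus Repository Manager 3 Security Management REST API (POST /service/rest/v1/security/roles). The script below is an added example, not Sonatype's own code; the base URL, credentials, role id and the maven-central scoping are assumptions for illustration. It also shows the narrower form of the repository read privilege, nx-repository-view-<format>-<repository>-read, for cases where the wildcard nx-repository-view-*-*-read grants more than the role needs.

```python
# Added example (not Sonatype's own code): build and create the role from the
# procedure above through NXRM 3's Security Management REST API
# (POST /service/rest/v1/security/roles). Base URL, credentials, role id and
# repository scoping below are assumptions for illustration.
import base64
import json
import os
import urllib.request
from typing import List, Optional, Tuple

SUMMARY_READ = "nexus:iq-violation-summary:read"


def repo_view_read_privilege(fmt: str = "*", repo: str = "*") -> str:
    """Built-in NXRM 3 privilege id pattern: nx-repository-view-<format>-<repo>-<action>.
    The wildcard form (nx-repository-view-*-*-read) grants read on every repository."""
    return f"nx-repository-view-{fmt}-{repo}-read"


def build_role(role_id: str, name: str, description: str,
               repo_scopes: Optional[List[Tuple[str, str]]] = None) -> dict:
    """Return the JSON body the roles endpoint expects.

    repo_scopes: optional (format, repository) pairs that restrict the read
    privilege to the audited repositories instead of all of them."""
    privileges = {SUMMARY_READ}
    if repo_scopes:
        privileges.update(repo_view_read_privilege(f, r) for f, r in repo_scopes)
    else:
        privileges.add(repo_view_read_privilege())
    return {
        "id": role_id,
        "name": name,
        "description": description,
        "privileges": sorted(privileges),
        "roles": [],          # no nested roles
    }


def create_role(base_url: str, user: str, password: str, role: dict) -> int:
    """POST the role and return the HTTP status. The calling account needs
    role-management privileges (e.g. nx-roles-create), not the role being created."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/service/rest/v1/security/roles",
        data=json.dumps(role).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Assumed role; NEXUS_URL / NEXUS_USER / NEXUS_PASSWORD are read from the environment.
    role = build_role(
        "iq-audit-viewer",
        "IQ Audit Viewer",
        "Can see the IQ Policy Violations summary for maven-central",
        repo_scopes=[("maven2", "maven-central")],
    )
    print(json.dumps(role, indent=2))
    if os.environ.get("NEXUS_URL"):
        print(create_role(os.environ["NEXUS_URL"], os.environ["NEXUS_USER"],
                          os.environ["NEXUS_PASSWORD"], role))
```

Scoping the read privilege to the audited repository keeps a "view audit results" role from doubling as a read-everything role; the summary privilege itself only exposes the violation counts and the link to Repository Results, not the ability to change the capability or release components.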

For information on assigning privileges, see the Privileges section in Security - NXRM 3.