Nexus Firewall on Repository Manager OSS

Introduction

Open source vulnerabilities and bad licenses are everywhere.

Fortunately, Sonatype offers the world’s best information on OSS components. You can use the knowledge from Nexus Firewall to block bad components in Nexus Repository Manager. To get started you need:

  • a trial license for Nexus Firewall
  • IQ Server
  • a running installation of Nexus Repository Manager 3.9 or greater

In three parts, the videos below will get you up and running with all the sophisticated intelligence offered by Nexus Firewall for Repository Manager OSS. Good luck!

Install and Connect IQ Server to Repository Manager OSS

Today I’d like to show you how to use Nexus Firewall with Nexus Repository OSS. In a nutshell, we’ll show you how Nexus Firewall can do for your repositories what a network firewall does for your infrastructure.

You will accomplish three things:

  • First, you will install IQ Server and connect it to Nexus Repository Manager.
  • Next, you will audit a repository with Nexus Firewall, which shows you the health of that repository.
  • Finally, you will quarantine a bad component with Nexus Firewall, keeping it out of your build.

Before you begin, you’ll need a running instance of Nexus Repository OSS version 3.9 or later. Once you have that, we can begin.

First, we need a license for Nexus Firewall. You can request a free trial for evaluation purposes, and that’s what we’ll use here.

  1. Request a trial license from https://www.sonatype.com/firewall-for-oss.
  2. Download the license from the email you receive.

Once you have a license, you’ll need a copy of IQ Server. Nexus Firewall runs on top of IQ Server, and it’s where your license key goes as well.

  1. Download IQ Server from the Latest Versions table in Download and Compatibility.
  2. Extract the IQ Server bundle with tar xvzf nexus-iq-server*.tar.gz.
  3. Open a terminal and start IQ Server with ./demo.sh.
  4. Once IQ Server starts, open a browser and log in using the default credentials (admin/admin123). Change this default password before the server is reachable by anyone other than you.
  5. Install the Nexus Firewall license you downloaded earlier into IQ Server.

Finally, you need to connect Nexus Repository Manager to IQ Server and tell it which proxy repositories to monitor. The following steps are performed in the Nexus Repository Manager Administration menu.

  1. Navigate to Server under IQ Server in the Administration menu.
  2. Complete the Server configuration form:
    • IQ Server URL: Enter the URL to access IQ Server.
    • Authentication Method: Select User Authentication from the dropdown menu.
    • Username and Password: Enter your IQ Server credentials.
    • Click Verify connection to test the repository manager connection to IQ Server.
    • Click Save.
  3. Create a capability for the repository you want to monitor:
    • Go to Capabilities under System in the Administration menu.
    • Click Create Capability to access the Select Capability Type screen.
    • Click the IQ: Audit and Quarantine capability.
    • In Repository: Select the maven-central proxy from the dropdown menu.
    • Check the Quarantine box to allow quarantining in IQ Server.
    • Click Create capability to complete the configuration.

Now that you’ve connected IQ Server to Nexus Repository Manager, the next video will show you how to view repository results generated by Nexus Firewall.

Audit a Repository

Welcome back to part two of how to use Nexus Firewall with Nexus Repository Manager OSS. In this video, we’ll show you how to audit the contents of a repository monitored by Nexus Firewall.

Now that you’ve connected IQ Server, let’s look at the repository results generated by Nexus Firewall.

First, go to your running instance of Nexus Repository Manager. Then, follow these steps:

  1. Navigate to Repositories under Repository in the Administration menu.
  2. Choose the maven-central repository and click the open icon under the IQ Policy Violations column.

A new IQ Server tab opens up. It displays all policies that were violated, and the components that violated those policies. If you click a component, you can view its details.

We’ve demonstrated how auditing works in Nexus Firewall. However, what if you want to prevent bad components from being proxied to begin with?

We’ll show how to quarantine components next.

Quarantine a Bad Component

Welcome to part three of this series. Previously, we showed you how to audit components downloaded by your developers. In this video, you will stop bad components at the source by quarantining them.

  1. In IQ Server, navigate to Organization & Policies in the toolbar.
  2. Select the Security-High policy.
  3. Choose Fail in the PROXY column.
  4. Click Update to save your changes.

Note that quarantine applies only to components that are not already cached in the proxy repository; anything proxied before you enabled quarantine is not blocked. This ensures that existing builds will not break when you turn on quarantine.

To demonstrate what happens when you attempt to download a bad component that doesn’t already exist in the repository, let’s delete a bad component from the repository and re-run the build.

  1. In Nexus Repository, search for the “jackson-core” component and delete it.
  2. Run a build in your terminal with mvn clean install.
  3. This time the build fails with a message saying that a requested item was quarantined. Go back to IQ Server and review the repository results again.
  4. Filter by quarantined components. You see the same component that caused the build to fail.
  5. Click into the component to see which policy triggered the Fail action for the proxy, causing the component to be quarantined.

If you decide that you’re willing to accept the risk represented by this component, you can waive the policy violation and release the quarantine for this component. Run mvn clean install again to build the component successfully.
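
The delete-and-rebuild steps above, scripted against the Nexus Repository 3 REST API so the outcome can be checked without running Maven. This is an added example, not part of the original page and not Sonatype’s code. It uses the public search endpoint (/service/rest/v1/search, paged with continuationToken) and the components endpoint (DELETE /service/rest/v1/components/{id}), then requests the artifact through the proxy the way a build would. Assumptions: Nexus Repository at http://localhost:8081 with the default admin credentials, jackson-core 2.9.8 standing in for whatever version your build requests, and that a quarantined download is answered with HTTP 403 and a body mentioning quarantine, which you should confirm against your own instance. The FakeNexus class is a constructed stand-in so the script runs offline.

```python
"""Scripted version of the quarantine walk-through: delete the cached copies
of a component from the maven-central proxy, then request it again through
the proxy and report whether Nexus Firewall quarantined it.
Added example, not Sonatype code. Assumptions: server http://localhost:8081
with default credentials; HTTP 403 + 'quarantine' in the body signals a
quarantined download; jackson-core 2.9.8 is an example version."""
import base64
import json
import sys
import urllib.error
import urllib.parse
import urllib.request


def maven_path(group, artifact, version, extension="jar"):
    """Repository-relative path Maven asks the proxy for, e.g.
    com/fasterxml/jackson/core/jackson-core/2.9.8/jackson-core-2.9.8.jar"""
    return "{}/{}/{}/{}-{}.{}".format(group.replace(".", "/"), artifact,
                                      version, artifact, version, extension)


def search_url(base, repository, group, artifact):
    """Search API query for every cached version of one group:artifact."""
    params = urllib.parse.urlencode(
        {"repository": repository, "group": group, "name": artifact})
    return "{}/service/rest/v1/search?{}".format(base, params)


def search_pages(fetch, url):
    """Yield each page of a search result, following continuationToken."""
    token = None
    while True:
        page_url = url if token is None else "{}&continuationToken={}".format(
            url, urllib.parse.quote(token))
        status, body = fetch("GET", page_url)
        if status != 200:
            raise RuntimeError("search failed: HTTP {}".format(status))
        page = json.loads(body)
        yield page
        token = page.get("continuationToken")
        if not token:
            return


def classify_proxy_response(status, body):
    """Map the proxy's answer to what happened to the download request."""
    if status == 200:
        return "served"
    if status == 403 and "quarantine" in body.lower():  # assumed Firewall response
        return "quarantined"
    if status == 403:
        return "forbidden"
    if status == 404:
        return "not found"
    return "http {}".format(status)


def run_quarantine_check(fetch, base, repository, group, artifact, version):
    """Delete cached copies (so the component is new to the proxy, the only
    case quarantine covers), then fetch it the way a build would."""
    base = base.rstrip("/")
    deleted = 0
    for page in search_pages(fetch, search_url(base, repository, group, artifact)):
        for item in page.get("items", []):
            status, _ = fetch("DELETE", "{}/service/rest/v1/components/{}".format(
                base, item["id"]))
            if status == 204:  # components API answers 204 No Content on delete
                deleted += 1
    status, body = fetch("GET", "{}/repository/{}/{}".format(
        base, repository, maven_path(group, artifact, version)))
    return {"deleted": deleted, "result": classify_proxy_response(status, body)}


def make_fetch(username, password, timeout=30):
    """Real HTTP transport: basic auth, returns (status, body) even on 4xx."""
    token = base64.b64encode("{}:{}".format(username, password).encode()).decode()

    def fetch(method, url):
        req = urllib.request.Request(
            url, method=method, headers={"Authorization": "Basic " + token})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


class FakeNexus:
    """Constructed stand-in for a Nexus instance so the script runs offline:
    two search pages (exercises continuationToken), 204 on each delete, and a
    403 quarantine answer from the proxy once the cache is empty."""
    def __init__(self):
        self.deleted = []
        self.pages = [{"items": [{"id": "c1"}], "continuationToken": "p2"},
                      {"items": [{"id": "c2"}], "continuationToken": None}]

    def __call__(self, method, url):
        if "/service/rest/v1/search?" in url:
            return 200, json.dumps(self.pages[1 if "continuationToken=p2" in url else 0])
        if method == "DELETE" and "/service/rest/v1/components/" in url:
            self.deleted.append(url.rsplit("/", 1)[1])
            return 204, ""
        if method == "GET" and "/repository/" in url:
            return 403, "Requested item is quarantined: see IQ Server for details"
        return 404, "not found"


if __name__ == "__main__":
    # Pass your Nexus URL (e.g. http://localhost:8081) to run for real; no argument runs offline.
    live = len(sys.argv) > 1
    fetch = make_fetch("admin", "admin123") if live else FakeNexus()
    print(run_quarantine_check(fetch, sys.argv[1] if live else "http://localhost:8081",
                               "maven-central", "com.fasterxml.jackson.core",
                               "jackson-core", "2.9.8"))
```

Run it with no arguments to exercise the offline stand-in, or pass your Nexus URL to run against a live instance. After the cached copies are deleted, a result of served means the component passed policy (or the Quarantine box on the capability is unchecked); quarantined means Firewall blocked the download exactly as the failing mvn clean install did.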

Summary

In most cases you wouldn’t want to override the policy directly. Instead, you would probably remediate the component by upgrading to a newer version, or by choosing a different component with a more friendly licensing scheme.

Also, as mentioned, Nexus Firewall will not block components that have already been proxied by your repository. If you need more flexibility, Nexus Lifecycle provides a more comprehensive set of enforcement points.

For example:

  • At development time (IDE integration)
  • At build time (CI integration)

And that’s a quick summary of Nexus Firewall for Repository OSS. You saw how to configure IQ Server and Nexus Repository, how to audit a repository, and how to quarantine bad components. For more information, view the Firewall quick start guide or request a free trial. Thanks for watching!