Re: artifact.quarantined -- Yes, we quarantine malicious versions of dependencies. Having the event allows for a history around the version to be kept (in an event store for records purposes). Leaving the artifact in a local non-resolvable repository also helps to provide further information around downloads, etc. This is highly useful in regulated environments such as med tech. There are a few ways one can "implement" a quarantine system w/ a repository system, but it's not a "first class feature". Some folks use Bytesafe, JFrog Curation as a front end, but naturally those services cost money. A simple (and free-ish) way of doing this is to create a local resolvable repository to which you post a bogus artifact with the same coordinates as the malicious artifact. You then ensure that this local repository is ahead of your remote repo in your resolution order for your virtual repository (i.e. the repo everyone actually resolves things from). This, of course, presumes you're running a local repository service, such as Artifactory, Nexus or the like. It also requires a tool such as Dependency Track or its ilk to create events upon which an action can be based to perform this quarantine process.
I'd like to further point out an approach that I think makes a lot of sense: making auditing a first class citizen. All highly regulated and security conscious environments require heavy event logging. Ensuring that all designs take this into account will be of great benefit to users.
Originally posted by @mekhanique in #144 (comment)
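The resolution-order quarantine described in the comment above, as an added example that is not part of the original post, of Dependency-Track, or of any repository manager's own tooling: it turns a constructed quarantine event into the Maven-layout paths and placeholder jar/pom to deploy into the local quarantine repo, refuses to proceed unless that repo precedes the remote in the virtual repo's member order, and emits the audit record the comment argues for. The event field names, repo names and package URL are assumptions; how the deploy itself is performed (e.g. an HTTP PUT to the repository path) is left to the reader's repository manager.

```python
import hashlib, io, zipfile
from datetime import datetime, timezone

# Constructed sample event; field names are an assumption, not Dependency-Track's schema.
SAMPLE_EVENT = {"type": "artifact.quarantined",
                "purl": "pkg:maven/org.example/evil-lib@1.2.3",
                "reason": "malicious code found by analysis"}

def parse_maven_purl(purl):
    """Split pkg:maven/<group>/<artifact>@<version> into its coordinates."""
    assert purl.startswith("pkg:maven/"), "only pkg:maven PURLs are handled here"
    body = purl[len("pkg:maven/"):].split("?", 1)[0]  # drop PURL qualifiers
    path, version = body.rsplit("@", 1)
    group, artifact = path.rsplit("/", 1)
    return group, artifact, version

def repo_path(group, artifact, version, ext):
    """Standard Maven repository layout for one file of the artifact."""
    return f"{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.{ext}"

def placeholder_jar(group, artifact, version, reason):
    """A valid but code-free jar whose manifest documents the quarantine."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\nX-Quarantined: true\nX-Quarantine-Reason: {reason}\n")
        z.writestr("QUARANTINED.txt", f"{group}:{artifact}:{version} quarantined: {reason}\n")
    return buf.getvalue()

def resolution_order_ok(members, quarantine_repo, remote_repo):
    """The placeholder only shadows the real artifact if the quarantine repo
    precedes the remote in the virtual repository's resolution order."""
    return (quarantine_repo in members and remote_repo in members
            and members.index(quarantine_repo) < members.index(remote_repo))

def quarantine_plan(event, members, quarantine_repo, remote_repo):
    """Turn an event into deploy paths, placeholder bytes and an audit record."""
    if not resolution_order_ok(members, quarantine_repo, remote_repo):
        raise RuntimeError(f"{quarantine_repo} must precede {remote_repo} in {members}")
    group, artifact, version = parse_maven_purl(event["purl"])
    jar = placeholder_jar(group, artifact, version, event["reason"])
    pom = (f"<project><modelVersion>4.0.0</modelVersion><groupId>{group}</groupId>"
           f"<artifactId>{artifact}</artifactId><version>{version}</version></project>")
    return {"repo": quarantine_repo, "jar_bytes": jar, "pom_xml": pom,
            "jar_path": repo_path(group, artifact, version, "jar"),
            "pom_path": repo_path(group, artifact, version, "pom"),
            "audit": {"event": event["type"], "purl": event["purl"], "reason": event["reason"],
                      "placeholder_sha256": hashlib.sha256(jar).hexdigest(),
                      "recorded_at": datetime.now(timezone.utc).isoformat()}}
```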