Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider adding artifact.quarantined #195

Open
e-backmark-ericsson opened this issue Apr 2, 2024 · 0 comments
Open

Consider adding artifact.quarantined #195

e-backmark-ericsson opened this issue Apr 2, 2024 · 0 comments
Labels
roadmap Items on the roadmap top3

Comments

@e-backmark-ericsson
Copy link
Contributor

Re: artifact.quarantined -- Yes, we quarantine malicious versions of dependencies. Having the event allows for a history around the version to be kept (in an event store for records purposes). Leaving the artifact in a local non-resolvable repository also helps to provide further information around downloads, etc. This is highly useful in regulated environments such as med tech. There are a few ways one can "implement" a quarantine system w/ a repository system, but it's not a "first class feature". Some folks use Bytesafe, JFrog Curation as a front end, but naturally those services cost money. A simple (and free-ish) way of doing this is to create a local resolvable repository to which you post a bogus artifact with the same coordinates as the malicious artifact. You then ensure that this local repository is ahead of your remote repo in your resolution order for your virtual repository (i.e. the repo everyone actually resolves things from). This, of course, presumes you're running a local repository service; such as Artifactory, Nexus or the like. It also requires a tool such as Dependency Track or its ilk to create events upon which an action can be based to perform this quarantine process.

I'd like to further point out an approach that I think makes a lot of sense; making auditing a first class citizen. All highly regulated and security concious environments require heavy event logging. Ensuring that all designs take this into account will be of great benefit to users.

Originally posted by @mekhanique in #144 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
roadmap Items on the roadmap top3
Projects
Status: Backlog
Status: No status
Development

No branches or pull requests

2 participants