apk firewall demo - michaelmworthington/codesamples GitHub Wiki

Introduction

This page walks through the steps to set up NXRM and an Alpine Docker container to test apk Firewall using http://dl-cdn.alpinelinux.org/alpine/v3.10/main/

See the community docs at https://github.com/sonatype-nexus-community/nexus-repository-apk

Prerequisites

  • IQ Server installed and running
  • NXRM 3 installed and running and configured with the IQ Server
  • Docker for Mac installed and running

Step 1. Create a new Proxy Repository in NXRM

Use http://dl-cdn.alpinelinux.org/alpine/v3.10/main/ as the Remote URL. Accept default values for the remainder of the settings.

Step 2. Enable Firewall for the New Proxy Repo

Step 3. Run the Docker Image in Interactive Mode

docker run -it --rm alpine

Step 4. Use the apk command line to set up the repo sources

echo "http://host.docker.internal:8083/nexus/repository/apk-alpinelinux.org-3.10-main-proxy/" > /etc/apk/repositories

Step 5. Use apk to Install a package

apk add wget
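Steps 3 to 5 above are typed interactively. The script below is an added example (not from this wiki page or the nexus-repository-apk project) that drives the same three steps non-interactively, so the allowed and blocked outcomes can be checked in one run. It assumes NXRM is reachable from the container at host.docker.internal:8083 with the proxy repository named as on this page, and that apk exits non-zero when a package fetch is refused; the NXRM_BASE and REPO_NAME variables and the apk_firewall_check function are this example's own.

```shell
#!/bin/sh
# Added example: run steps 3-5 of the apk Firewall demo non-interactively.
# Assumptions (not from the page): NXRM is at host.docker.internal:8083,
# the proxy repo name matches the page, apk exits non-zero on a refused fetch.
NXRM_BASE="${NXRM_BASE:-http://host.docker.internal:8083/nexus}"
REPO_NAME="${REPO_NAME:-apk-alpinelinux.org-3.10-main-proxy}"

# Build the URL that goes into /etc/apk/repositories for a given NXRM base
# URL and repository name (trailing slash included, as on the page).
apk_repo_url() {
  printf '%s/repository/%s/\n' "$1" "$2"
}

# Start a throwaway Alpine container, point apk solely at the NXRM proxy, and
# try to install each package given. Prints "<pkg> ok" when apk succeeds and
# "<pkg> blocked" when apk exits non-zero (e.g. the proxy answered 403).
apk_firewall_check() {
  repo_url=$1; shift
  # `sh -s` reads the script from stdin; arguments after it become $1, $2, ...
  docker run --rm -i alpine sh -s "$repo_url" "$@" <<'EOF'
repo=$1; shift
echo "$repo" > /etc/apk/repositories
apk update >/dev/null 2>&1 || { echo "index fetch failed"; exit 2; }
for pkg in "$@"; do
  if apk add "$pkg" >/dev/null 2>&1; then
    echo "$pkg ok"
  else
    echo "$pkg blocked"
  fi
done
EOF
}

# Usage: sh apk-firewall-demo.sh --run   (needs Docker and a running NXRM)
if [ "${1:-}" = "--run" ]; then
  apk_firewall_check "$(apk_repo_url "$NXRM_BASE" "$REPO_NAME")" wget git
fi
```

With Quarantine enabled (see step 8) the expected output is `wget ok` followed by `git blocked`; the matching 200 and 403 entries then appear in request.log.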

Observe the inbound requests to NXRM in the request.log file; every artifact is served with 200 except the final request for git-2.22.4-r0.apk, which is answered with 403:

172.18.0.1 - - [11/Nov/2020:22:09:57 -0500] "GET /nexus/repository/apk-alpinelinux.org-3.10-main-proxy/x86_64/APKINDEX.tar.gz HTTP/1.1" 200 - 756322 334 "libfetch/2.0" [qtp398150537-310] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [11/Nov/2020:22:10:16 -0500] "GET /nexus/repository/apk-alpinelinux.org-3.10-main-proxy/x86_64/ca-certificates-20191127-r2.apk HTTP/1.1" 200 - 173963 1549 "libfetch/2.0" [qtp398150537-310] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [11/Nov/2020:22:10:17 -0500] "GET /nexus/repository/apk-alpinelinux.org-3.10-main-proxy/x86_64/nghttp2-libs-1.39.2-r1.apk HTTP/1.1" 200 - 66391 1229 "libfetch/2.0" [qtp398150537-310] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [11/Nov/2020:22:10:18 -0500] "GET /nexus/repository/apk-alpinelinux.org-3.10-main-proxy/x86_64/libcurl-7.66.0-r1.apk HTTP/1.1" 200 - 211874 1228 "libfetch/2.0" [qtp398150537-311] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [11/Nov/2020:22:10:19 -0500] "GET /nexus/repository/apk-alpinelinux.org-3.10-main-proxy/x86_64/expat-2.2.8-r0.apk HTTP/1.1" 200 - 65158 1161 "libfetch/2.0" [qtp398150537-310] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [11/Nov/2020:22:10:20 -0500] "GET /nexus/repository/apk-alpinelinux.org-3.10-main-proxy/x86_64/pcre2-10.33-r0.apk HTTP/1.1" 200 - 244271 1040 "libfetch/2.0" [qtp398150537-310] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [11/Nov/2020:22:10:23 -0500] "GET /nexus/repository/apk-alpinelinux.org-3.10-main-proxy/x86_64/git-2.22.4-r0.apk HTTP/1.1" 403 - 2219 2212 "libfetch/2.0" [qtp398150537-293] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
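Reading request.log by eye works for a demo, but an operator watching Firewall in production will want the blocked downloads pulled out automatically. The following is an added example (not code from this wiki page or from Sonatype) that parses lines in the request.log format shown above and lists which apk artifacts were served (200) and which were refused (403). The sample log is a constructed, trimmed copy of four of the lines above; the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise apk downloads in NXRM request.log lines.
# Field layout of the page's log format, split on whitespace:
#   $1 client, $4-$5 timestamp, $6 "GET, $7 request path, $8 HTTP/1.1",
#   $9 status, $11 response bytes, $12 elapsed ms.

# Constructed sample: four trimmed lines from the request.log shown above.
SAMPLE_LOG=$(cat <<'EOF'
172.18.0.1 - - [11/Nov/2020:22:09:57 -0500] "GET /nexus/repository/apk-alpinelinux.org-3.10-main-proxy/x86_64/APKINDEX.tar.gz HTTP/1.1" 200 - 756322 334 "libfetch/2.0" [qtp398150537-310] host=host.docker.internal:8083
172.18.0.1 - - [11/Nov/2020:22:10:16 -0500] "GET /nexus/repository/apk-alpinelinux.org-3.10-main-proxy/x86_64/ca-certificates-20191127-r2.apk HTTP/1.1" 200 - 173963 1549 "libfetch/2.0" [qtp398150537-310] host=host.docker.internal:8083
172.18.0.1 - - [11/Nov/2020:22:10:18 -0500] "GET /nexus/repository/apk-alpinelinux.org-3.10-main-proxy/x86_64/libcurl-7.66.0-r1.apk HTTP/1.1" 200 - 211874 1228 "libfetch/2.0" [qtp398150537-311] host=host.docker.internal:8083
172.18.0.1 - - [11/Nov/2020:22:10:23 -0500] "GET /nexus/repository/apk-alpinelinux.org-3.10-main-proxy/x86_64/git-2.22.4-r0.apk HTTP/1.1" 403 - 2219 2212 "libfetch/2.0" [qtp398150537-293] host=host.docker.internal:8083
EOF
)

# Read request.log lines on stdin; print "<status> <repo> <artifact>" for
# every GET against a repository path. Non-repository requests (UI, REST)
# are skipped so the output only covers artifact traffic.
apk_request_summary() {
  awk '$6 == "\"GET" && $7 ~ /^\/nexus\/repository\// {
         n = split($7, p, "/");   # p[4] is the repo name, p[n] the artifact
         print $9, p[4], p[n]
       }'
}

# Artifacts the proxy refused: one name per line, status 403 only.
apk_blocked_artifacts() {
  apk_request_summary | awk '$1 == "403" { print $3 }'
}

# Number of artifact requests served with 200.
apk_served_count() {
  apk_request_summary | awk '$1 == "200" { c++ } END { print c + 0 }'
}

# Usage against a real log:  apk_blocked_artifacts < /path/to/request.log
# Against the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | apk_blocked_artifacts   -> git-2.22.4-r0.apk
#   printf '%s\n' "$SAMPLE_LOG" | apk_served_count        -> 3
```

Because Firewall answers a quarantined request with 403 rather than 404, the 403 filter is a reliable marker for quarantine events on a proxy repo; pair it with the repository name in the second column when several apk proxies share one NXRM instance.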

Step 6. Browse the Proxy Repo

Step 7. Go to the Firewall Report

Repo List

IQ Server Report

Step 8. Test Quarantine

git 2.22.4-r0 has CVE-2018-1000182 with CVSS 6.4, so to see it quarantined you need Quarantine enabled in the Firewall capability you created in step 2 and Proxy=Fail set in your Security-Medium policy in IQ Server.

apk add git

Console Output

Repo List

IQ Server Report

Step 9. Notes

The NXRM Tree View shows the Quarantined component:

You can reproduce the 403 - Quarantined error by clicking on the "Path" link: http://host.docker.internal:8083/nexus/repository/apk-alpinelinux.org-3.10-main-proxy/x86_64/git-2.22.4-r0.apk

You can view the component information panel (CIP) directly in NXRM.

Not Supported
