cocoapods firewall demo - michaelmworthington/codesamples GitHub Wiki

Introduction

This page walks through the steps to set up NXRM and a Docker container to test CocoaPods Firewall against https://cdn.cocoapods.org.

CocoaPods support in NXRM3 was added in 3.19.

See the official docs at https://help.sonatype.com/repomanager3/formats/cocoapods-repositories

Prerequisites

  • IQ Server installed and running
  • NXRM 3 installed and running and configured with the IQ Server
  • Docker for Mac installed and running

Step 1. Create a new Proxy Repository in NXRM

Use https://cdn.cocoapods.org as the Remote URL. Accept default values for the remainder of the settings.

Step 2. Enable Firewall for the New Proxy Repo

Step 3. Run the Docker Image in Interactive Mode

First, set up a local project

CocoaPods relies on the host Xcode and is not fully featured when running from Docker. To make things easier for this demo, just git clone a Swift project to your laptop and bind-mount it into the Docker container:

git clone https://github.com/jose-ibanez/CocoaPodsExample

Make the Podfile look like the one at https://help.sonatype.com/repomanager3/formats/cocoapods-repositories#CocoaPodsRepositories-ConfigureCocoaPodsclient. Optionally, find and add more Pods.

Now, start the container

This creates an interactive shell (you need the -it flags) in a container based on the gaetan/cocoapods:1.7.2 image from Docker Hub, with your current directory bind-mounted at /project. When you exit the shell, the container is removed (--rm):

docker run -it --rm -v `pwd`:/project gaetan/cocoapods:1.7.2

Step 4. Set Podfile so that Cocoapods will download dependencies from NXRM

Ensure this line is in your Podfile:

source 'https://host.docker.internal:8413/repository/cocoapods.org-proxy/'
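A quick way to confirm that a Podfile is wired to the proxy, as an added example that is not part of the original page or the CocoaPods project: it scans the Podfile for source and pod lines and flags any source other than the NXRM proxy URL above, because a leftover public source would let CocoaPods resolve pods outside the proxy, where Firewall never sees them. PROXY_SOURCE is the page's URL; the sample Podfile inside the script is constructed for the demonstration.

```ruby
# Added example, not code from the wiki page: audit a Podfile so that every
# `source` line points at the NXRM CocoaPods proxy. The file is scanned line
# by line on purpose; a Podfile is Ruby, and evaluating an untrusted one
# would run arbitrary code.

# The proxy source line used by the demo (from the page).
PROXY_SOURCE = 'https://host.docker.internal:8413/repository/cocoapods.org-proxy/'

# Constructed sample Podfile: the demo's source line plus a leftover public
# CDN source that would let pods resolve outside the proxy.
SAMPLE_PODFILE = <<~PODFILE
  source 'https://cdn.cocoapods.org'
  source 'https://host.docker.internal:8413/repository/cocoapods.org-proxy/'
  platform :ios, '12.0'

  target 'CocoaPodsExample' do
    use_frameworks!
    pod 'Alamofire', '~> 5.0'
    pod 'libpng', '~>1.6.35'
  end
PODFILE

# Extract `source` and `pod` declarations; returns { sources: [...], pods: [...] }.
def parse_podfile(text)
  sources = []
  pods = []
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip   # drop trailing comments and whitespace
    next if line.empty?
    case line
    when /\Asource\s+['"]([^'"]+)['"]/
      sources << Regexp.last_match(1)
    when /\Apod\s+['"]([^'"]+)['"](?:\s*,\s*['"]([^'"]+)['"])?/
      pods << { name: Regexp.last_match(1), requirement: Regexp.last_match(2) }
    end
  end
  { sources: sources, pods: pods }
end

# Return findings as strings; an empty array means every source is the proxy.
def audit_podfile(text, proxy_source = PROXY_SOURCE)
  proxy = proxy_source.chomp('/')
  sources = parse_podfile(text)[:sources].map { |s| s.chomp('/') }
  findings = []
  findings << "missing proxy source #{proxy_source}" unless sources.include?(proxy)
  (sources - [proxy]).each do |other|
    findings << "source #{other} bypasses the NXRM proxy"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_PODFILE
  parse_podfile(text)[:pods].each { |p| puts "pod #{p[:name]} #{p[:requirement]}" }
  findings = audit_podfile(text)
  puts(findings.empty? ? 'OK: all sources go through the NXRM proxy' : findings.join("\n"))
end
```

Run it as `ruby audit_podfile.rb /project/Podfile` inside the container; with no argument it audits the built-in sample and reports the public CDN source as a bypass.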

Step 5. Use Pod to install some packages

First, sort out HTTPS.

CocoaPods requires HTTPS. If NXRM is using a self-signed certificate, you may need to tell curl to skip TLS certificate validation. Note that the ~/.curlrc below disables verification for every curl call made inside the container, so keep it to this throwaway demo container; pointing curl at the NXRM certificate with --cacert is the safer alternative.

echo "--insecure" > ~/.curlrc

Then run pod install:

cd /project
pod install

Step 6. Browse the Proxy Repo

Step 7. Go to the Firewall Report

Repo List

IQ Server Report

CocoaPods Firewall support was added in IQ Server [Release 91](https://help.sonatype.com/iqserver/product-information/release-notes#ReleaseNotes-Release91(May2020)).
NOTE: as part of the "Standard" OSS Index support, only components with security vulnerabilities are counted as identified components. All others return coordinate information, but are not identified by Sonatype and do not have a Package URL.

Step 8. Test Quarantine

libpng has CVE-2018-14550 (CVSS 8.8), so you'll need Quarantine enabled in the capability you created in Step 2 and Proxy=Fail in your Security-High policy in IQ Server.

Add the following dependency to your Podfile:

pod 'libpng', '~>1.6.35'

Rerun pod install:

pod install

Repo List

IQ Server Report

Step 9. Notes

The NXRM Tree View shows the Quarantined component:

You can reproduce the 403 - Quarantined error by clicking on the "Path" link: https://host.docker.internal:8413/repository/cocoapods.org-proxy/pods/libpng/1.6.35/v1.6.35.tar.gz
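The same check scripted, as an added example that is not part of the original page: it requests a component path on the proxy and classifies the answer, with 403 read as Firewall's "403 - Quarantined" and 200 as served. DEMO_URL is the libpng path from the page; the `insecure:` option mirrors the demo's --insecure curl setting for a self-signed NXRM certificate, while `ca_file:` is the safer way to trust it. The stub server at the bottom is constructed only so the example runs offline.

```ruby
# Added example, not code from the wiki page: probe a component on the NXRM
# CocoaPods proxy and report whether Firewall served or quarantined it.
require 'net/http'
require 'uri'
require 'openssl'
require 'socket'

# The quarantined libpng path from the demo (from the page).
DEMO_URL = 'https://host.docker.internal:8413/repository/cocoapods.org-proxy/pods/libpng/1.6.35/v1.6.35.tar.gz'

# Map the HTTP status to what it means for this proxy.
def classify_response(code)
  case code
  when 200 then :served
  when 403 then :quarantined   # Firewall's "403 - Quarantined"
  when 404 then :not_found
  else :unexpected
  end
end

# GET the component and return :served / :quarantined / :not_found / :unexpected.
# `insecure: true` is the equivalent of the demo's `--insecure` curl setting;
# prefer `ca_file:` so the self-signed NXRM certificate is actually verified.
def probe_component(url, insecure: false, ca_file: nil)
  uri = URI(url)
  opts = { use_ssl: uri.scheme == 'https', open_timeout: 5, read_timeout: 10 }
  opts[:ca_file] = ca_file if ca_file
  opts[:verify_mode] = OpenSSL::SSL::VERIFY_NONE if insecure && opts[:use_ssl]
  Net::HTTP.start(uri.host, uri.port, opts) do |http|
    # Block form streams the response; returning from inside it means the
    # body is never read, so a served tarball costs only its headers.
    http.request_get(uri.request_uri) do |res|
      return classify_response(res.code.to_i)
    end
  end
end

# Single-shot responder for offline runs (constructed for this example): listens
# on an ephemeral port, answers one request with `status_line`, then closes.
def stub_server(status_line)
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  Thread.new do
    client = server.accept
    loop do                      # consume the request head up to the blank line
      line = client.gets
      break if line.nil? || line == "\r\n"
    end
    client.write("HTTP/1.1 #{status_line}\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    client.close
    server.close
  end
  port
end

if __FILE__ == $PROGRAM_NAME
  url = ARGV.reject { |a| a.start_with?('--') }.first
  if url
    puts "#{url}: #{probe_component(url, insecure: ARGV.include?('--insecure'))}"
  else
    port = stub_server('403 Forbidden')
    puts "stub: #{probe_component("http://127.0.0.1:#{port}/pods/libpng/1.6.35/v1.6.35.tar.gz")}"
  end
end
```

Against the demo setup, `ruby probe.rb https://host.docker.internal:8413/repository/cocoapods.org-proxy/pods/libpng/1.6.35/v1.6.35.tar.gz --insecure` should print `quarantined` once the policy and Quarantine capability from Step 8 are in place; with no argument it exercises the local stub.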

As of 3.28, the CIP is not supported in NXRM for CocoaPods.

Not supported
