conda firewall demo - michaelmworthington/codesamples GitHub Wiki

Introduction

This page walks through the steps to set up NXRM and a Docker container to test Conda Firewall using https://repo.continuum.io/pkgs/

Conda support in NXRM3 was added in 3.19.

See the official docs at https://help.sonatype.com/repomanager3/formats/conda-repositories

Prerequisites

  • IQ Server installed and running
  • NXRM 3 installed and running and configured with the IQ Server
  • Docker for Mac installed and running

Step 1. Create a new Proxy Repository in NXRM

Use https://repo.continuum.io/pkgs/ as the Remote URL. Accept default values for the remainder of the settings.

Step 2. Enable Firewall for the New Proxy Repo

Step 3. Run the Docker Image in Interactive Mode

Old Version of Conda
docker run -it --rm conda/miniconda3

NOTE: the old version (<4.7) downloads .tar.bz2 files, which are not identified by Nexus Firewall

New Version of Conda
docker run -it --rm continuumio/miniconda3

NOTE: the new version (4.7+) downloads .conda files, which are identified by Nexus Firewall

Tip: With 4.7+, you can switch between the two formats by setting use_only_tar_bz2 to True or False:
conda config --set use_only_tar_bz2 True
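Because Firewall only identifies the .conda format, it is worth checking ahead of time which artifact conda will actually fetch from the proxied channel. The following Python script is an added example, not code from this page or from Sonatype; it reads a channel's repodata.json (a constructed sample is embedded), applies conda 4.7+'s default preference for .conda over .tar.bz2 when both exist, and honours the use_only_tar_bz2 switch shown above.

```python
import json

# Constructed sample of a channel's repodata.json (not a real dump): "packages"
# holds .tar.bz2 artifacts, "packages.conda" holds the newer .conda artifacts.
SAMPLE_REPODATA = json.dumps({
    "packages": {
        "sqlite-3.30.0-h7b6447c_0.tar.bz2": {"name": "sqlite", "version": "3.30.0", "build_number": 0},
        "numpydoc-0.9.1-py_0.tar.bz2": {"name": "numpydoc", "version": "0.9.1", "build_number": 0},
    },
    "packages.conda": {
        "sqlite-3.30.0-h7b6447c_0.conda": {"name": "sqlite", "version": "3.30.0", "build_number": 0},
    },
})

# Per the walkthrough, Firewall identifies .conda artifacts but not .tar.bz2 ones.
IDENTIFIED_SUFFIX = ".conda"


def artifact_choice(repodata_text, name, version, use_only_tar_bz2=False):
    """Return (filename, firewall_can_identify) for the artifact conda 4.7+ would
    fetch for name/version: highest build_number, preferring .conda unless
    use_only_tar_bz2 is set. Returns None when the channel has no match."""
    data = json.loads(repodata_text)
    found = []
    for section in ("packages", "packages.conda"):
        for filename, rec in data.get(section, {}).items():
            if rec["name"] == name and rec["version"] == version:
                found.append((filename, rec.get("build_number", 0)))
    if use_only_tar_bz2:
        found = [f for f in found if f[0].endswith(".tar.bz2")]
    if not found:
        return None
    # Rank by build number first, then prefer the .conda format on ties.
    filename, _ = max(found, key=lambda f: (f[1], f[0].endswith(IDENTIFIED_SUFFIX)))
    return filename, filename.endswith(IDENTIFIED_SUFFIX)


def tar_bz2_only(repodata_text):
    """Package names the channel offers only as .tar.bz2, i.e. downloads that
    Firewall will not identify regardless of the conda version in use."""
    data = json.loads(repodata_text)
    conda_names = {r["name"] for r in data.get("packages.conda", {}).values()}
    return {r["name"] for r in data.get("packages", {}).values()} - conda_names


if __name__ == "__main__":
    for pkg, ver in (("sqlite", "3.30.0"), ("numpydoc", "0.9.1")):
        print(pkg, artifact_choice(SAMPLE_REPODATA, pkg, ver))
    print("tar.bz2 only:", sorted(tar_bz2_only(SAMPLE_REPODATA)))
```

Against a live proxy, fetch `<channel>/linux-64/repodata.json` through NXRM and pass its text in place of the sample.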

Step 4. Use the conda command line to set up the repo sources

conda config --remove channels defaults
conda config --add channels http://host.docker.internal:8083/nexus/repository/conda-continuum.io-proxy/main

Step 5. Use conda to Install a package

conda install numpydoc

Tips:

  • Use the additional arguments -c http://host.docker.internal:8083/nexus/repository/conda-continuum.io-proxy/main --override-channels if the channel configuration differs
  • Add -vvv to the conda install command to see more information.
  • Run conda list to see the currently installed packages and, if not the default, the URL (a.k.a. "channel") they came from

Step 6. Browse the Proxy Repo

Step 7. Go to the Firewall Report

Repo List

IQ Server Report

Step 8. Test Quarantine

sqlite 3.30 has CVE-2019-19317 (CVSS 9.8), so you'll need Quarantine enabled in the capability you created in Step 2 and Proxy=Fail in your Security-Critical policy in IQ Server.

conda install sqlite=3.30

Console Output

Repo List

IQ Server Report

Step 9. Notes

The NXRM Tree View shows the Quarantined component:

You can reproduce the 403 - Quarantined error by clicking on the "Path" link: http://host.docker.internal:8000/nexus/repository/conda-continuum.io-proxy//main/linux-64/sqlite-3.26.0-h7b6447c_0.conda

You can view the component information panel (CIP) right in NXRM

Not Supported
