# maven firewall demo (michaelmworthington/codesamples GitHub Wiki)

This page walks through the steps to set up NXRM and a Maven Docker container to test Maven Firewall, using https://repo1.maven.org/maven2/ as the upstream repository.

See the official docs at https://help.sonatype.com/repomanager3/formats/maven-repositories
- Prerequisites
- Step 1. Create a new Proxy Repository in NXRM
- Step 2. Enable Firewall for the New Proxy Repo
- Step 3. Run Docker Image for the Dependency Manager
- Step 4. Set the environment to download packages from NXRM
- Step 5. Install a package
- Step 6. Browse NXRM to view it
- Step 7. View the Firewall Report
- Step 8. Test Quarantine
- Step 9. Notes
## Prerequisites

- IQ Server installed and running
- NXRM 3 installed and running and configured with the IQ Server
- Docker for Mac installed and running

## Step 1. Create a new Proxy Repository in NXRM

Use https://repo1.maven.org/maven2/ as the Remote URL. Accept default values for the remainder of the settings.

## Step 2. Enable Firewall for the New Proxy Repo

Create the Firewall capability for the new proxy repository in NXRM; this is the capability whose Quarantine setting step 8 depends on.
## Step 3. Run Docker Image for the Dependency Manager

```bash
docker run -it --rm maven bash
```

Unlike the centos image used in the Yum Firewall Demo, this image runs the `maven` command when the container starts rather than plain `bash`. Since we want to run a couple of Maven commands interactively, force Docker to run `bash` instead.
## Step 4. Set the environment to download packages from NXRM

Create `~/.m2/settings.xml` so that every repository request is mirrored through the NXRM `maven-public` group:

```xml
<settings>
  <mirrors>
    <mirror>
      <id>nexus</id>
      <name>Nexus</name>
      <url>http://host.docker.internal:8083/nexus/repository/maven-public/</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
</settings>
```
## Step 5. Install a package

```bash
mvn help:effective-settings
```

Maven will go and "download the internet"™: even this simple goal pulls in plugins and their parent POMs, and every one of those requests now goes through NXRM.
Observe the inbound requests to NXRM in the request.log file:

```
172.18.0.1 - - [10/Nov/2020:16:09:49 -0500] "GET /nexus/repository/maven-public/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom HTTP/1.1" 200 - 3919 109 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-280] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:50 -0500] "GET /nexus/repository/maven-public/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom.sha1 HTTP/1.1" 200 - 40 63 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-281] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:50 -0500] "GET /nexus/repository/maven-public/org/apache/maven/plugins/maven-plugins/22/maven-plugins-22.pom HTTP/1.1" 200 - 13039 57 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-280] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:50 -0500] "GET /nexus/repository/maven-public/org/apache/maven/plugins/maven-plugins/22/maven-plugins-22.pom.sha1 HTTP/1.1" 200 - 40 36 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-281] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:50 -0500] "GET /nexus/repository/maven-public/org/apache/maven/maven-parent/21/maven-parent-21.pom HTTP/1.1" 200 - 26358 44 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-280] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:50 -0500] "GET /nexus/repository/maven-public/org/apache/maven/maven-parent/21/maven-parent-21.pom.sha1 HTTP/1.1" 200 - 40 41 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-281] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:50 -0500] "GET /nexus/repository/maven-public/org/apache/apache/10/apache-10.pom HTTP/1.1" 200 - 14799 63 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-280] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:50 -0500] "GET /nexus/repository/maven-public/org/apache/apache/10/apache-10.pom.sha1 HTTP/1.1" 200 - 40 82 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-281] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:50 -0500] "GET /nexus/repository/maven-public/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.jar HTTP/1.1" 200 - 24633 48 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-280] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:50 -0500] "GET /nexus/repository/maven-public/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.jar.sha1 HTTP/1.1" 200 - 40 78 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-281] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:51 -0500] "GET /nexus/repository/maven-public/org/apache/maven/plugins/maven-install-plugin/2.4/maven-install-plugin-2.4.pom HTTP/1.1" 200 - 6381 51 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-280] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:51 -0500] "GET /nexus/repository/maven-public/org/apache/maven/plugins/maven-install-plugin/2.4/maven-install-plugin-2.4.pom.sha1 HTTP/1.1" 200 - 40 115 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-281] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:51 -0500] "GET /nexus/repository/maven-public/org/apache/maven/plugins/maven-plugins/23/maven-plugins-23.pom HTTP/1.1" 200 - 9198 49 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-280] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:51 -0500] "GET /nexus/repository/maven-public/org/apache/maven/plugins/maven-plugins/23/maven-plugins-23.pom.sha1 HTTP/1.1" 200 - 40 65 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-280] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:51 -0500] "GET /nexus/repository/maven-public/org/apache/maven/maven-parent/22/maven-parent-22.pom HTTP/1.1" 200 - 29743 31 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-281] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:51 -0500] "GET /nexus/repository/maven-public/org/apache/maven/maven-parent/22/maven-parent-22.pom.sha1 HTTP/1.1" 200 - 40 32 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-280] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:51 -0500] "GET /nexus/repository/maven-public/org/apache/apache/11/apache-11.pom HTTP/1.1" 200 - 14811 45 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-281] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:51 -0500] "GET /nexus/repository/maven-public/org/apache/apache/11/apache-11.pom.sha1 HTTP/1.1" 200 - 40 50 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-281] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:16:09:51 -0500] "GET /nexus/repository/maven-public/org/apache/maven/plugins/maven-install-plugin/2.4/maven-install-plugin-2.4.jar HTTP/1.1" 200 - 26952 32 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-280] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
```
## Step 6. Browse NXRM to view it

(screenshot: Repo List)

## Step 7. View the Firewall Report

(screenshot: IQ Server Report)
## Step 8. Test Quarantine

jackson-databind 2.8.3 has CVE-2017-7525 (CVSS 9.8), so to see it quarantined you need Quarantine enabled in the capability you created in step 2 and Proxy=Fail in your Security-Critical policy in IQ Server.

Create a pom.xml that declares this dependency:

```xml
<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>2.8.3</version>
</dependency>
```
(screenshot: Console Output)

(screenshot: Repo List)

(screenshot: IQ Server Report)

You can reproduce the 403 - Quarantined error by requesting the component directly through the "Path" link in the report: http://host.docker.internal:8083/nexus/repository/maven-central/com/fasterxml/jackson/core/jackson-databind/2.8.3/jackson-databind-2.8.3.jar
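To turn the request.log observations from step 5 and the 403 - Quarantined behaviour from step 8 into something checkable, here is an added example (not part of the original wiki page or of NXRM) that parses request.log lines in the format shown above and reports which Maven components were served and which were blocked. The meaning of the three fields after the status code (request Content-Length, bytes sent, elapsed milliseconds) is an assumption read off the sample lines, and the 403 line in the sample is constructed.

```python
import re
from collections import Counter

# Pattern for NXRM request.log lines as shown on this page. Meaning of the fields
# after the status code is assumed: request Content-Length, bytes sent, elapsed ms.
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<req_len>\S+) (?P<bytes>\S+) (?P<ms>\d+) "(?P<agent>[^"]*)"')

# Maven 2 layout: /nexus/repository/<repo>/<group/path>/<artifact>/<version>/<file>
ARTIFACT_RE = re.compile(
    r'^/nexus/repository/(?P<repo>[^/]+)/(?P<group>.+)/(?P<artifact>[^/]+)/'
    r'(?P<version>[^/]+)/[^/]+$')

SAMPLE_LOG = [  # first two lines are from the page; the 403 line is constructed
    '172.18.0.1 - - [10/Nov/2020:16:09:49 -0500] "GET /nexus/repository/maven-public/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom HTTP/1.1" 200 - 3919 109 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-280]',
    '172.18.0.1 - - [10/Nov/2020:16:09:50 -0500] "GET /nexus/repository/maven-public/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.jar HTTP/1.1" 200 - 24633 48 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-280]',
    '172.18.0.1 - - [10/Nov/2020:16:12:03 -0500] "GET /nexus/repository/maven-central/com/fasterxml/jackson/core/jackson-databind/2.8.3/jackson-databind-2.8.3.jar HTTP/1.1" 403 - 0 95 "Apache-Maven/3.6.3 (Java 15.0.1; Linux 5.4.39-linuxkit)" [qtp15707558-281]',
]

def parse_line(line):
    """Return a dict for one request.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    a = ARTIFACT_RE.match(rec["path"])
    rec["repo"] = a["repo"] if a else None
    rec["gav"] = ("%s:%s:%s" % (a["group"].replace("/", "."), a["artifact"], a["version"])
                  if a else None)
    return rec

def summarize(lines):
    """Group by GAV: which components were served (200) and which were blocked (403)."""
    served, quarantined, statuses = set(), set(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["gav"] is None:
            continue
        statuses[rec["status"]] += 1
        if rec["status"] == 200 and rec["path"].endswith((".jar", ".pom")):
            served.add(rec["gav"])
        elif rec["status"] == 403:  # a quarantined component comes back as 403
            quarantined.add(rec["gav"])
    return served, quarantined, statuses

if __name__ == "__main__":
    served, quarantined, statuses = summarize(SAMPLE_LOG)
    print("status counts:", dict(statuses))
    print("served:", sorted(served))
    print("quarantined:", sorted(quarantined))
```

Point it at a real request.log (one line per list entry) to confirm that nothing the build consumed came back with a 403 and that the quarantined set matches what the IQ Server report shows.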