npm firewall demo - michaelmworthington/codesamples GitHub Wiki
This page walks through the steps to set up NXRM and a NodeJS Docker container to test npm Firewall using https://registry.npmjs.org
See the official docs at https://help.sonatype.com/repomanager3/formats/npm-registry
- Prerequisites
- Step 1. Create a new Proxy Repository in NXRM
- Step 2. Enable Firewall for the New Proxy Repo
- Step 3. Run Docker Image for the Dependency Manager
- Step 4. Set the environment to download packages from NXRM
- Step 5. Install a package
- Step 6. Browse NXRM to view it
- Step 7. View the Firewall Report
- Step 8. Test Quarantine
- Step 9. Notes
- IQ Server installed and running
- NXRM 3 installed and running and configured with the IQ Server
- Docker for Mac installed and running
Use https://registry.npmjs.org as the Remote URL. Accept default values for the remainder of the settings.
docker run -it --rm node bash
Unlike the centos image used in the Yum Firewall Demo, this image runs the 'node' command when the container starts, rather than plain 'bash'. Since I want to run a couple of npm commands, force Docker to run bash.
npm config set registry http://host.docker.internal:8083/nexus/repository/npm-public/
cd /tmp
npm --loglevel http install lodash
Observe the inbound requests to NXRM in the request.log file:
172.18.0.1 - - [10/Nov/2020:15:58:51 -0500] "GET /nexus/repository/npm-public/lodash HTTP/1.1" 200 - 210629 49 "npm/7.0.8 node/v15.1.0 linux x64" [qtp15707558-47] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:15:58:51 -0500] "POST /nexus/repository/npm-public/-/npm/v1/security/advisories/bulk HTTP/1.1" 400 42 2064 5 "npm/7.0.8 node/v15.1.0 linux x64" [qtp15707558-281] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:15:58:51 -0500] "POST /nexus/repository/npm-public/-/npm/v1/security/audits/quick HTTP/1.1" 200 310 210 8 "npm/7.0.8 node/v15.1.0 linux x64" [qtp15707558-281] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [10/Nov/2020:15:58:51 -0500] "GET /nexus/repository/npm-public/lodash/-/lodash-4.17.20.tgz HTTP/1.1" 200 - 316680 27 "npm/7.0.8 node/v15.1.0 linux x64" [qtp15707558-47] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
Repo List
IQ Server Report
execa 1.0.0 has SONATYPE-2019-0206 with CVSS 9.8, so to see it quarantined you need Quarantine enabled in the Firewall capability you created in Step 2 and the Proxy action set to Fail in your Security-Critical policy in IQ Server.
npm --loglevel http install execa@1.0.0
Console Output
Repo List
IQ Server Report
You can reproduce the 403 - Quarantined error by clicking on the "Path" link: http://host.docker.internal:8083/nexus/repository/npmjs.org-proxy/execa/-/execa-1.0.0.tgz
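To check the Step 5 and Step 8 results from request.log rather than by eye, here is an added Node.js example (not code from this wiki) that parses lines in the request.log format shown above, classifies each npm request, and lists the tarballs NXRM served versus the ones Firewall quarantined with a 403. It assumes the log layout and repository path shown on this page; the execa 403 line in the sample is constructed.

```javascript
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) HTTP\/[\d.]+" (\d{3}) (\S+) (\S+) (\d+) "([^"]*)"/;
const REPO_RE = /^\/nexus\/repository\/([^/]+)\/(.*)$/;
const TARBALL_RE = /^(@?[^/]+(?:\/[^/]+)?)\/-\/[^/]+-(\d+\.\d+\.\d+[^/]*)\.tgz$/;

// Parse one NXRM request.log line; returns null for lines that are not access records.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, client, ts, method, path, status, , respBytes, ms, ua] = m;
  const entry = { client, ts, method, path, status: Number(status), respBytes,
    ms: Number(ms), ua, repo: null, kind: 'other', pkg: null, version: null };
  const r = REPO_RE.exec(path);
  if (!r) return entry;
  entry.repo = r[1];
  const rest = r[2];
  const t = TARBALL_RE.exec(rest);
  if (rest.startsWith('-/npm/v1/security/')) {
    entry.kind = 'audit';                 // npm audit/advisory calls made during install
  } else if (t) {
    Object.assign(entry, { kind: 'tarball', pkg: t[1], version: t[2] });
  } else {
    entry.kind = 'packument';             // GET <pkg> fetches the package metadata document
    entry.pkg = decodeURIComponent(rest); // scoped names arrive as @scope%2fname
  }
  return entry;
}

// Count audit calls and list tarballs served (200) or quarantined by Firewall (403).
function summarize(lines) {
  const entries = lines.map(parseLine).filter(Boolean);
  const served = [], quarantined = []; let audits = 0;
  for (const e of entries) {
    if (e.kind === 'audit') audits += 1;
    if (e.kind !== 'tarball') continue;
    const id = `${e.pkg}@${e.version}`;
    if (e.status === 200) served.push(id);
    else if (e.status === 403) quarantined.push(id);
  }
  return { entries: entries.length, audits, served, quarantined };
}

// Constructed sample: the page's four lodash-install lines plus one quarantined execa download (byte counts made up).
const SAMPLE_LOG = [
  '172.18.0.1 - - [10/Nov/2020:15:58:51 -0500] "GET /nexus/repository/npm-public/lodash HTTP/1.1" 200 - 210629 49 "npm/7.0.8 node/v15.1.0 linux x64" [qtp15707558-47] host=host.docker.internal:8083',
  '172.18.0.1 - - [10/Nov/2020:15:58:51 -0500] "POST /nexus/repository/npm-public/-/npm/v1/security/advisories/bulk HTTP/1.1" 400 42 2064 5 "npm/7.0.8 node/v15.1.0 linux x64" [qtp15707558-281] host=host.docker.internal:8083',
  '172.18.0.1 - - [10/Nov/2020:15:58:51 -0500] "POST /nexus/repository/npm-public/-/npm/v1/security/audits/quick HTTP/1.1" 200 310 210 8 "npm/7.0.8 node/v15.1.0 linux x64" [qtp15707558-281] host=host.docker.internal:8083',
  '172.18.0.1 - - [10/Nov/2020:15:58:51 -0500] "GET /nexus/repository/npm-public/lodash/-/lodash-4.17.20.tgz HTTP/1.1" 200 - 316680 27 "npm/7.0.8 node/v15.1.0 linux x64" [qtp15707558-47] host=host.docker.internal:8083',
  '172.18.0.1 - - [10/Nov/2020:16:02:03 -0500] "GET /nexus/repository/npm-public/execa/-/execa-1.0.0.tgz HTTP/1.1" 403 - 0 31 "npm/7.0.8 node/v15.1.0 linux x64" [qtp15707558-47] host=host.docker.internal:8083',
];
console.log(JSON.stringify(summarize(SAMPLE_LOG), null, 2));
```

Point it at a real request.log with `summarize(fs.readFileSync(path, 'utf8').split('\n'))` to get the same summary for an actual install run.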