New Uploaded Components are not Quarantined by Proprietary Name Conflict Policy

Problem

Newly uploaded components to hosted repositories in repository manager may not get blocked when downloaded from a proxy repository which has Firewall Quarantine feature enabled.

Reproduce

  1. Connect Nexus Repository Manager to IQ Server
  2. Ensure your IQ Server installation contains a policy that fires on name conflicts between public and your own proprietary components.
  3. Enable Quarantine on a Proxy Repository in repository manager.
  4. Enable Proprietary Components feature on a hosted repository with the same repository format as the Proxy Repository.
  5. Upload a brand new component into the hosted repository that is not yet also downloaded into the proxy repository, but is available at the remote URL of the proxy repository.
  6. Attempt to download the component into the proxy repository. Note the download works and the component is not quarantined.

Diagnosis

The way proprietary components get synced to IQ server is a background task that runs either

  • on the hour, every two hours
  • immediately when proprietary component names feature is first enabled on a hosted repository
  • during startup of repository manager

Therefore if up to two hours has not passed yet between when the new component was uploaded to the hosted repository and the download from the proxy repository was made, IQ server does not know that the component is a proprietary package, hence it was not quarantined during download.

Considerations

The sync task cannot be scheduled by an administrator using the Scheduled Tasks interface. The automatic background task processes all repositories with the proprietary component feature enabled when it runs. A 2 hour frequency is a compromise to allow for enough time to handle a number of repos and many components.

The task frequency can be adjusted using a system property to as frequent as every 1 hour using a system property that can be requested by submitting a ticket to Sonatype Support.

 

Have more questions? Submit a request

0 Comments

Article is closed for comments.