Problem
When you click the 'See Details Below' link on the Firewall Dashboard under 'Supply chain attacks blocked', 'Namespace attacks blocked' or 'Components quarantined' in the Component Data Insights metrics, no components are listed in the 'Quarantine' tab table, even though the metric shows a number of components that have been blocked/quarantined.
Possible causes
The counts shown for "Supply chain attacks blocked", "Namespace attacks blocked", and "Components quarantined" are totals of the components blocked/quarantined over the last 12 months (or all time). However, the “See Details Below” link shows only the components that are currently quarantined; any components that have been waived or deleted will not appear in the Quarantine list.
Solution
You can use the Firewall REST API to check whether the results match the Firewall Dashboard metrics.
The REST APIs below are also helpful for validating whether what you observe on the Firewall Dashboard is expected:
- Quarantine REST API, to see whether any components should be in the quarantined state.
- Component Waivers REST API, to retrieve the list of repository waivers based on format.
- Policy Waiver REST API, which can also be used to retrieve all policy waivers for a specific repository.
You can also examine audit.log from the IQ server to check for events with the following domains:
"governance.repository.quarantine"
"governance.waiver"
See Audit Log documentation for more details.
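As an added example (not Sonatype's code), the Python script below tallies audit.log entries for the two domains above, so the totals can be compared with the dashboard counters and the current Quarantine list. It assumes one JSON object per line with "domain" and "type" fields; the function name, the "type" values and the sample lines are constructed for illustration.

```python
import json
import sys
from collections import Counter

# Audit domains named in this article.
DOMAINS = ("governance.repository.quarantine", "governance.waiver")

# Constructed sample lines for illustration, not real IQ Server output.
# Field names and "type" values are assumptions about the log format.
SAMPLE = [
    '{"timestamp": "2024-01-10T09:00:00Z", "domain": "governance.repository.quarantine", "type": "create"}',
    '{"timestamp": "2024-01-11T09:00:00Z", "domain": "governance.repository.quarantine", "type": "create"}',
    '{"timestamp": "2024-01-12T09:00:00Z", "domain": "governance.waiver", "type": "create"}',
    '{"timestamp": "2024-01-12T09:05:00Z", "domain": "governance.policy", "type": "update"}',
    '2024-01-13 truncated entry "domain":"governance.waiver" ...',
]


def tally_audit_events(lines):
    """Count entries per (domain, type) for the quarantine and waiver domains."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            entry = None
        if isinstance(entry, dict):
            domain = entry.get("domain")
            if domain in DOMAINS:
                counts[(domain, str(entry.get("type", "unknown")))] += 1
            continue
        # Not a JSON object: fall back to matching the quoted domain string.
        for domain in DOMAINS:
            if f'"{domain}"' in line:
                counts[(domain, "unparsed")] += 1
                break
    return counts


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            result = tally_audit_events(fh)
    else:
        result = tally_audit_events(SAMPLE)
    for (domain, event_type), n in sorted(result.items()):
        print(f"{n:6d}  {domain}  {event_type}")
```

Run it with the path to audit.log as the only argument; with no argument it processes the constructed sample.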