Policy Compliant Component Selection is a feature of Sonatype Repository Firewall designed to ensure that when dependencies are requested, only versions that comply with your organization's policies are delivered. This prevents builds from failing due to quarantined (policy-violating) versions being selected, which is particularly useful for projects with large dependency trees and transitive dependencies.
How it works
When this feature is enabled, Nexus Repository Firewall filters the package metadata returned for an npm or PyPI client request (for example, the npm requests below) so that component versions violating policies set to Fail at the Proxy stage are removed and only policy-safe versions are made available to the developer.
npm install sort-package-json
npm install sort-package-json@version
If all versions are filtered out, or if the specific version requested is filtered out, the npm client reports an error such as No matching version found for xxx.
The following nexus.log messages indicate that quarantined versions were filtered from the package metadata:
com.sonatype.nexus.repository.npm.internal.orient.OrientNpmQuarantinedVersionFacet - Filtering quarantined versions for packageId
com.sonatype.nexus.repository.content.npm.internal.NpmQuarantinedVersionFacetImpl - Filtering quarantined versions for packageId
Note: These filtered versions are not listed in the Firewall dashboard or in repository search results, because those component versions are never actually pulled into the proxy repository.
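Because filtered versions leave no trace in the dashboard, one way to see what the proxy is hiding is to compare the packument (npm package metadata) served by the Nexus proxy with the upstream registry's copy. The script below is an added example, not Sonatype code; it assumes you have fetched both JSON documents (for example from https://<Nexusurl>/repository/npm-proxy/sort-package-json and from the public registry) and it embeds constructed, abbreviated samples so it runs offline.

```python
"""Spot npm versions that Repository Firewall filtered out of proxy metadata."""
import json
import re

# Constructed sample packuments in the npm registry metadata format (abbreviated).
# UPSTREAM is what the public registry returns; PROXY is what the Nexus proxy returns.
UPSTREAM = json.loads("""{
  "name": "sort-package-json",
  "dist-tags": {"latest": "3.2.1"},
  "versions": {"3.0.0": {}, "3.1.0": {}, "3.2.0": {}, "3.2.1": {}}
}""")
PROXY = json.loads("""{
  "name": "sort-package-json",
  "dist-tags": {"latest": "3.2.0"},
  "versions": {"3.0.0": {}, "3.1.0": {}, "3.2.0": {}}
}""")


def filtered_versions(upstream, proxy):
    """Versions present upstream but missing from the proxy metadata (lexical order)."""
    return sorted(set(upstream["versions"]) - set(proxy["versions"]))


def dist_tag_changes(upstream, proxy):
    """dist-tags whose target differs, e.g. 'latest' re-pointed because its target was filtered."""
    return {tag: (v, proxy["dist-tags"].get(tag))
            for tag, v in upstream["dist-tags"].items()
            if proxy["dist-tags"].get(tag) != v}


def explain_request(spec, upstream, proxy):
    """Predict what `npm install <spec>` sees through the proxy for an exact version or bare name."""
    match = re.match(r"^(@?[^@]+)(?:@(.+))?$", spec)  # handles @scope/name@version too
    name, version = match.group(1), match.group(2)
    if version is None:  # bare `npm install <name>` resolves the proxy's own 'latest' tag
        version = proxy["dist-tags"]["latest"]
    if version in proxy["versions"]:
        return "available:" + version
    if version in upstream["versions"]:
        return "filtered"  # client would report: No matching version found
    return "unknown"  # not published upstream either


if __name__ == "__main__":
    print("filtered:", filtered_versions(UPSTREAM, PROXY))
    print("dist-tag changes:", dist_tag_changes(UPSTREAM, PROXY))
    print("sort-package-json@3.2.1 ->", explain_request("sort-package-json@3.2.1", UPSTREAM, PROXY))
```

Any version listed by filtered_versions is a candidate for the waiver procedure below, since it will not appear in the dashboard until it is pulled explicitly.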
Applying a waiver to a filtered component version
If you want to make a version available in the metadata even though it has policy violations, the component version must first be pulled into the proxy repository so that it is quarantined; a waiver can then be applied to that quarantined package version.
For example, assume that sort-package-json-sort-package@3.2.1 is filtered out. Pull the component version directly with a request like the following:
https://<Nexusurl>/repository/npm-proxy/sort-package-json/-/sort-package-json-sort-package-3.2.1.tgz
The component then shows up in the Firewall dashboard as quarantined, with all the policy violations responsible for the quarantine visible. A waiver can then be applied for those violations so that the version is available on the next pull.