Sonatype Repository Firewall Policy Test Suite

---

This is a simple test suite that will attempt to pull known bad packages into Proxy repositores in Sonatype Nexus Repository to allow customers to validate that Repository Firewall policies are operating as they expect.

This tool does not know the specific outcomes, as each Customer will have differing Policy Actions set and Open Source ages like Milk, not Wine - so be aware that the test data contained within this tool may age and no longer trigger the policies expected.

This tool expects the Reference Policy Set to be in use, but that is not mandatory.

• Installation
• Usage
  • Results
• Test Data Available
  • Cargo (Rust)
  • Conda (conda-forge)
  • CRAN (R)
  • Docker (Container)
  • Golang (Go)
  • Huggingface.co (AI / ML)
  • Maven (Java)
  • NPM (Javascript / Typescript)
  • Nuget (.NET)
  • PyPi (Python)
• Development
• The Fine Print

Installation

Obtain the binary for your Operating System and Architecture from the GitHub Releases page.

Usage

Set your Sonatype Nexus Repository credentials in two environment variables:

• NXRM_USERNAME
• NXRM_PASSWORD

And also your Sonatype IQ Server credentials in two environment variables:

• NXIQ_USERNAME
• NXIQ_PASSWORD

./nxfw-policy-tester

Follow the prompts - you'll need the URL to your Sonatype Nexus Repository installation (https:// only supported).

Results

The results will be displayed in the terminal, with a summary at the end. There are four potential results per test for a given format:

1. AVAILABLE - the package could be downloaded
2. QUARANTINED - the package was blocked by Sonatype Repository Firewall as expected
3. FAILED - the test failed to execute - investigation required

Test Data Available

Test data is aimed to validate the Sonatype Reference Policy Set.

If you have customised or custom Policies, plesae consider this.

NOTES:

^ Does not rely on actually malicious package(s) for verification - uses Sonatype staged packages marked as Malicious.

± Includes packages in both Pending and Suspicious states, where staged test data is available.

§ See Firewall Specific Policies - unrealistic to test in a generic manner.

~ See Sonatype's Ecosystem Support

Cargo (Rust)

Policy Type	Reference Policy	Available
Legal	License-Banned	✅
Legal	License-None	❌
Legal	License-Copyleft	✅
Legal	License-Threat Not Assigned	❌
Legal	License-AI-ML	N/A
Legal	License-Non-Standard	✅
Legal	License-Weak-Copyleft	❌
Security	Security-Namespace Conflict	❌ §
Security	Security-Malicious	⛔️ No safe testdata
Security	Integrity-Rating	⛔️ No safe testdata
Security	Security-Critical	✅
Security	Security-High	✅
Security	Security-Medium	✅
Security	Security-Low	❌
None	None	✅

Conda (conda-forge)

Conda Forge typically keeps only the last fix version for each minor release.

Policy Type	Reference Policy	Available
Legal	License-Banned	❌ ~
Legal	License-None	❌ ~
Legal	License-Copyleft	❌ ~
Legal	License-Commercial	❌ ~
Legal	License-Threat Not Assigned	❌ ~
Legal	License-AI-ML	N/A
Legal	License-Non-Standard	❌ ~
Legal	License-Weak-Copyleft	❌ ~
Security	Security-Namespace Conflict	❌ §
Security	Security-Malicious	⛔️ No safe testdata
Security	Integrity-Rating	⛔️ No safe testdata
Security	Security-Critical	✅
Security	Security-High	✅
Security	Security-Medium	❌
Security	Security-Low	❌
None	None	❌ ~

CRAN (R)

Policy Type	Reference Policy	Available
Legal	License-Banned	❌ ~
Legal	License-None	❌ ~
Legal	License-Copyleft	❌ ~
Legal	License-Commercial	❌ ~
Legal	License-Threat Not Assigned	❌ ~
Legal	License-AI-ML	N/A
Legal	License-Non-Standard	❌ ~
Legal	License-Weak-Copyleft	❌ ~
Security	Security-Namespace Conflict	❌ §
Security	Security-Malicious	⛔️ No safe testdata
Security	Integrity-Rating	⛔️ No safe testdata
Security	Security-Critical	❌
Security	Security-High	✅
Security	Security-Medium	✅
Security	Security-Low	❌
None	None	❌ ~

Docker (Container)

Policy Type	Reference Policy	Available
Legal	License-Banned	❌ ~
Legal	License-None	❌ ~
Legal	License-Copyleft	❌ ~
Legal	License-Commercial	❌ ~
Legal	License-Threat Not Assigned	❌ ~
Legal	License-AI-ML	N/A
Legal	License-Non-Standard	❌ ~
Legal	License-Weak-Copyleft	❌ ~
Security	Security-Namespace Conflict	❌ §
Security	Security-Malicious	✅
Security	Integrity-Rating	✅
Security	Security-Critical	✅
Security	Security-High	✅
Security	Security-Medium	✅
Security	Security-Low	✅

Golang (Go)

Policy Type	Reference Policy	Available
Legal	License-Banned	✅
Legal	License-None	✅
Legal	License-Copyleft	✅
Legal	License-Commercial	❌
Legal	License-Threat Not Assigned	❌
Legal	License-AI-ML	N/A
Legal	License-Non-Standard	✅
Legal	License-Weak-Copyleft	❌
Security	Security-Namespace Conflict	❌ §
Security	Security-Malicious	⛔️ No safe testdata
Security	Integrity-Rating	⛔️ No safe testdata
Security	Security-Critical	✅
Security	Security-High	✅
Security	Security-Medium	✅
Security	Security-Low	❌
None	None	✅

Huggingface.co (AI / ML)

Policy Type	Reference Policy	Available
Legal	License-Banned	✅
Legal	License-None	✅
Legal	License-Copyleft	✅
Legal	License-Commercial	❌
Legal	License-Threat Not Assigned	❌
Legal	License-AI-ML	❌
Legal	License-Non-Standard	✅
Legal	License-Weak-Copyleft	❌
Security	Security-Namespace Conflict	❌ §
Security	Security-Malicious^	✅
Security	Integrity-Rating±	✅
Security	Security-Critical	❌
Security	Security-High	❌
Security	Security-Medium	❌
Security	Security-Low	❌
None	None	❌

Maven (Java)

Policy Type	Reference Policy	Available
Legal	License-Banned	✅
Legal	License-None	❌
Legal	License-Copyleft	✅
Legal	License-Commercial	❌
Legal	License-Threat Not Assigned	❌
Legal	License-AI-ML	N/A
Legal	License-Non-Standard	✅
Legal	License-Weak-Copyleft	❌
Security	Security-Namespace Conflict	❌ §
Security	Security-Malicious^	✅
Security	Integrity-Rating±	✅
Security	Security-Critical	✅
Security	Security-High	✅
Security	Security-Medium	✅
Security	Security-Low	✅
None	None	✅

NPM (Javascript / Typescript)

Policy Type	Reference Policy	Available
Legal	License-Banned	✅
Legal	License-None	❌
Legal	License-Copyleft	✅
Legal	License-Commercial	❌
Legal	License-Threat Not Assigned	❌
Legal	License-AI-ML	N/A
Legal	License-Non-Standard	❌
Legal	License-Weak-Copyleft	❌
Security	Security-Namespace Conflict	❌ §
Security	Security-Malicious^	✅
Security	Integrity-Rating±	✅
Security	Security-Critical	✅
Security	Security-High	✅
Security	Security-Medium	✅
Security	Security-Low	✅
None	None	✅

Nuget (.NET)

Policy Type	Reference Policy	Available
Legal	License-Banned	❌
Legal	License-None	✅
Legal	License-Copyleft	✅
Legal	License-Commercial	✅
Legal	License-Threat Not Assigned	❌
Legal	License-AI-ML	N/A
Legal	License-Non-Standard	❌
Legal	License-Weak-Copyleft	❌
Security	Security-Namespace Conflict§	❌
Security	Security-Malicious	⛔️ No safe testdata
Security	Integrity-Rating	⛔️ No safe testdata
Security	Security-Critical	✅
Security	Security-High	✅
Security	Security-Medium	✅
Security	Security-Low	✅
None	None	✅

PyPi (Python)

Policy Type	Reference Policy	Available
Legal	License-Banned	✅
Legal	License-None	✅
Legal	License-Copyleft	✅
Legal	License-Commercial	❌
Legal	License-Threat Not Assigned	❌
Legal	License-AI-ML	N/A
Legal	License-Non-Standard	✅
Legal	License-Weak-Copyleft	❌
Security	Security-Namespace Conflict§	❌
Security	Security-Malicious^	✅
Security	Integrity-Rating±	✅
Security	Security-Critical	✅
Security	Security-High	✅
Security	Security-Medium	✅
Security	Security-Low	✅
None	None	✅

Development

See CONTRIBUTING.md for details.

The Fine Print

Remember:

This project is part of the Sonatype Nexus Community organization, which is not officially supported by Sonatype. Please review the latest pull requests, issues, and commits to understand this project's readiness for contribution and use.

• File suggestions and requests on this repo through GitHub Issues, so that the community can pitch in
• Use or contribute to this project according to your organization's policies and your own risk tolerance
• Don't file Sonatype support tickets related to this project— it won't reach the right people that way

Last but not least of all - have fun!