Introduction
If you’re a JFrog Platform subscriber whose subscription already includes JFrog Curation, and you want to try it without disrupting your current workflow, we have good news: you can explore the benefits of Curation while keeping your environment intact by using "Dry Run" policies.
Getting Started with Dry Runs
To begin, if you run a self-hosted JFrog Platform, make sure it is configured for Curation; if it is already configured, make sure the JFrog Curation service is activated.
A policy configured with the Dry Run action identifies violations without taking any enforcement action. Every package that conflicts with such a policy is recorded in the Dry Run tab of the Curation Audit page, so you get a complete picture of what would have been blocked while nothing actually is.
Later, when you’re ready to enforce, you can switch these policies to the "Block" action to prevent non-compliant packages from being pulled into your Platform.
Steps to Implement Dry Run Policies
- Enable Curation: Navigate to the Administration Tab → Curation Settings → General and ensure that the Curation service is enabled.
- Curate Remote Repositories: Go to Administration Tab → Curation Settings → Curated Repositories and set the state of the remote repositories you want to protect to “Curated.”
- Create Policies: Head over to the Application Tab → Curation → Policies. Here you can create policies tailored to your needs; select the “Dry Run” action to avoid immediate blocking.
Recommended Starting Policies
If you’re unsure where to begin, we recommend creating the policies listed below for all curated repositories. Their descriptions say “Blocks”; with the Dry Run action selected, each policy only records the match in the audit log.
- “Malicious Package” - Detects 3rd party packages that have been identified by the JFrog Security Research team as malicious.
- Critical CVEs:
  - “CVE with CVSS score of 9 or above (fix version available)” - Blocks 3rd party package versions with a known vulnerability whose NVD CVSS score is 9 or above, and for which a newer version that fixes the vulnerability is available.
  - “CVE with CVSS score of 9 or above (with or without a fix version available)” - Blocks 3rd party package versions with a known vulnerability whose NVD CVSS score is 9 or above, regardless of whether a newer version that fixes the vulnerability is available.
- Old Packages:
  - “Package version is aged (no newer version identified)” - Blocks 3rd party package versions whose release date is more than 2 years old and for which no newer version of the package exists.
  - “Package version is aged (newer version available)” - Blocks 3rd party package versions whose release date is more than 180 days older than the release date of the package’s latest version.
  - “Package version is immature (moderate)” - Detects 3rd party package versions released less than 14 days ago.
- Package License Detection:
  - “Package license is GNU AGPL” - Blocks 3rd party package versions with an identified GNU Affero General Public License (AGPL).
  - “Package license is GNU GPL” - Blocks 3rd party package versions with any version of an identified GNU General Public License (GPL v1, v2 or v3).
  - “Package license is GNU LGPL” - Blocks 3rd party package versions with any version of an identified GNU Lesser (formerly Library) General Public License (LGPL).
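To make the thresholds in these policy descriptions concrete, here is a small model, written for this article and not JFrog’s policy engine, that evaluates constructed package metadata against the same criteria (CVSS 9 or above with and without a fix, 2 years, 180 days relative to the latest release, 14 days, GPL-family licenses) and shows how the same violation is merely recorded under Dry Run but answered with a 403 under Block. The field names, the package names and dates, and the SPDX-style license identifiers are assumptions made for the example.

```python
"""Model of the recommended JFrog Curation starter policies (added illustration,
not JFrog's own code). Package metadata below is constructed for the example."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class PackageVersion:
    name: str
    version: str
    release_date: date
    latest_version: str          # latest version known in the upstream registry
    latest_release_date: date
    cvss: Optional[float] = None  # highest NVD CVSS score, None if no known CVE
    fix_available: bool = False   # a newer version fixes that CVE
    licenses: List[str] = field(default_factory=list)  # SPDX-style identifiers (assumed)
    malicious: bool = False       # flagged by JFrog Security Research


Condition = Callable[[PackageVersion, date], bool]


def has_license(prefix: str) -> Condition:
    # Prefix matching on SPDX ids: "GPL" does not catch "LGPL-2.1" or "AGPL-3.0".
    return lambda p, _today: any(lic.upper().startswith(prefix) for lic in p.licenses)


# Policy name -> condition. Thresholds are the ones quoted in the policy descriptions.
POLICIES: Dict[str, Condition] = {
    "Malicious Package": lambda p, _t: p.malicious,
    "CVE with CVSS score of 9 or above (fix version available)":
        lambda p, _t: p.cvss is not None and p.cvss >= 9.0 and p.fix_available,
    "CVE with CVSS score of 9 or above (with or without a fix version available)":
        lambda p, _t: p.cvss is not None and p.cvss >= 9.0,
    "Package version is aged (no newer version identified)":
        lambda p, t: p.version == p.latest_version
        and (t - p.release_date) > timedelta(days=2 * 365),
    # Note: measured against the latest version's release date, not against today.
    "Package version is aged (newer version available)":
        lambda p, _t: p.version != p.latest_version
        and (p.latest_release_date - p.release_date) > timedelta(days=180),
    "Package version is immature (moderate)":
        lambda p, t: (t - p.release_date) < timedelta(days=14),
    "Package license is GNU AGPL": has_license("AGPL"),
    "Package license is GNU GPL": has_license("GPL"),
    "Package license is GNU LGPL": has_license("LGPL"),
}


def evaluate(pkg: PackageVersion, today: date, action: str) -> Dict[str, object]:
    """Return the violations and the outcome the client would see for the given action."""
    violations = [name for name, cond in POLICIES.items() if cond(pkg, today)]
    if action == "Dry Run":
        status = 200                      # always served; violations only go to the audit log
    elif action == "Block":
        status = 403 if violations else 200  # any violation denies the request
    else:
        raise ValueError(f"unknown action {action!r}")
    return {"status": status, "served": status == 200, "violations": violations}


TODAY = date(2024, 6, 1)  # constructed "now" so the example is deterministic

# Constructed samples: an old vulnerable version with a fix, a week-old LGPL release,
# a stale package with no successor, and a clean package.
SAMPLES = [
    PackageVersion("example-lib", "1.2.0", date(2020, 1, 10), "2.0.0", date(2023, 9, 1),
                   cvss=9.8, fix_available=True, licenses=["MIT"]),
    PackageVersion("fresh-cli", "3.0.0", date(2024, 5, 25), "3.0.0", date(2024, 5, 25),
                   licenses=["LGPL-2.1-only"]),
    PackageVersion("old-util", "0.9.0", date(2021, 3, 1), "0.9.0", date(2021, 3, 1),
                   licenses=["Apache-2.0"]),
    PackageVersion("clean-lib", "1.0.0", date(2023, 1, 1), "1.0.0", date(2023, 1, 1),
                   licenses=["MIT"]),
]

if __name__ == "__main__":
    for pkg in SAMPLES:
        for action in ("Dry Run", "Block"):
            r = evaluate(pkg, TODAY, action)
            print(f"{pkg.name}@{pkg.version} [{action}] -> HTTP {r['status']}: {r['violations']}")
```

Run it and compare the two columns: every package is served under Dry Run, and exactly those with a non-empty violation list turn into 403s once the action is Block.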
To review the flagged packages that were nevertheless downloaded through the Platform, navigate to the Application Tab → Curation → Audit → Dry Run tab. Here you can view the list of packages that matched a Dry Run policy.
Understanding "Dry Run" vs. "Block" Policies
With a Dry Run policy, the package is still downloaded into the Platform and served to the requesting client; the violation is only recorded. With a Block policy, a request for a package that violates the policy is not processed: instead of the package, the client receives a “403 Forbidden” error, and the details of the blocked request appear in the Blocked/Approved tab of the Curation Audit page.
Important Note:
Before switching a policy from “Dry Run” to “Block,” make sure that no package violating it already exists in the remote repositories’ cache. Curation only intercepts requests that go out to the remote registries; a violating package that was cached while the policy was still in Dry Run mode would continue to be served to clients. If you find any such packages, clean them out of the cache before enabling Block.
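The following script, added for this article and not part of JFrog’s tooling, is one way to do that pre-flight check. It takes the package versions you copied out of the Dry Run tab, builds a single Artifactory AQL query against the corresponding `<repo>-cache` repositories, and turns the matching cache entries into item paths that can be listed or deleted. It assumes Artifactory’s `POST /artifactory/api/search/aql` and `DELETE /artifactory/<repo>/<path>` APIs, an access token in the `JFROG_ACCESS_TOKEN` environment variable, and npm-style file names of the form `<name>-<version>.tgz`; the flagged list and the AQL response below are constructed sample data, so the script runs offline unless `JFROG_URL` is set.

```python
"""Pre-flight cache check before switching a Curation policy from Dry Run to Block.
Added example, not JFrog's code; sample data is constructed. Assumes Artifactory's
AQL search API, its item DELETE API, and npm-style "<name>-<version>.tgz" file names."""
import json
import os
import urllib.request
from typing import Dict, List

# Constructed sample: what you would copy from Application -> Curation -> Audit -> Dry Run
FLAGGED = [
    {"repo": "npm-remote", "name": "example-lib", "version": "1.2.0"},
    {"repo": "npm-remote", "name": "old-util", "version": "0.9.0"},
]

# Constructed sample of the JSON Artifactory returns for the query above.
SAMPLE_RESPONSE = {
    "results": [
        {"repo": "npm-remote-cache", "path": "example-lib/-", "name": "example-lib-1.2.0.tgz"},
        {"repo": "npm-remote-cache", "path": ".", "name": "old-util-0.9.0.tgz"},
    ],
    "range": {"start_pos": 0, "end_pos": 2, "total": 2},
}


def aql_query(flagged: List[Dict[str, str]]) -> str:
    """One AQL items.find over every flagged version in its remote repo's cache.

    "repo" is an exact match; "name" uses $match so the version stays anchored
    ("example-lib-1.2.0.*" will not match "example-lib-1.2.0-beta.tgz").
    """
    clauses = [
        {"repo": f"{f['repo']}-cache", "name": {"$match": f"{f['name']}-{f['version']}.*"}}
        for f in flagged
    ]
    return "items.find(" + json.dumps({"$or": clauses}) + ').include("repo","path","name")'


def cache_paths(aql_response: Dict) -> List[str]:
    """Turn AQL results into '<repo>/<path>/<name>' item paths; AQL uses '.' for the root."""
    paths = []
    for item in aql_response.get("results", []):
        path = item["path"].strip("/")
        if path and path != ".":
            paths.append(f"{item['repo']}/{path}/{item['name']}")
        else:
            paths.append(f"{item['repo']}/{item['name']}")
    return sorted(paths)


def run_aql(base_url: str, token: str, query: str) -> Dict:
    """POST the AQL query to Artifactory (body is plain text, not JSON)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/artifactory/api/search/aql",
        data=query.encode(), method="POST",
        headers={"Content-Type": "text/plain", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def delete_item(base_url: str, token: str, item_path: str) -> int:
    """Remove one cached artifact so the next request has to go upstream, where Curation sees it."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/artifactory/{item_path}", method="DELETE",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    query = aql_query(FLAGGED)
    base_url, token = os.environ.get("JFROG_URL"), os.environ.get("JFROG_ACCESS_TOKEN")
    response = run_aql(base_url, token, query) if base_url and token else SAMPLE_RESPONSE
    stale = cache_paths(response)
    print("Cached packages that would bypass the new Block policy:")
    for p in stale:
        print("  ", p)
    if stale and base_url and token and os.environ.get("JFROG_DELETE") == "yes":
        for p in stale:
            print("deleted", p, "->", delete_item(base_url, token, p))
```

Without `JFROG_URL` and `JFROG_ACCESS_TOKEN` the script only evaluates the constructed response; with them it queries your instance, and it deletes nothing unless `JFROG_DELETE=yes` is also set. An empty list is the green light to flip the policy to Block.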
Explore the options JFrog Curation provides and bolster your security with confidence!