CURATION: Uncover the Value of JFrog Curation: Testing Through Dry-Run Policies

Author: Kfir Avraham
Article number: 000006201
Source: Salesforce
First published: 2024-10-20T11:42:02Z
Last modified: 2024-10-21
Version: 12
Introduction

If you are a JFrog Platform subscriber whose subscription already includes JFrog Curation and you want to try it without disrupting your current workflow, we have good news: you can see what Curation would catch while leaving your environment untouched by starting with "Dry Run" policies.


Getting Started with Dry Runs


To begin, make sure Curation is available in your environment. On a self-hosted JFrog Platform, first confirm that the Platform is properly configured with Curation; if it is already configured, confirm that the JFrog Curation service is activated.
A policy configured with a Dry Run action records violations without enforcing anything: every package that conflicts with the policy is still served to the client, but it is logged in the Dry Run tab of the Curation Audit page, so you get a record of all packages that would have been flagged.
Later, when you are ready to enforce, convert these policies to a "Block" action so that non-compliant packages can no longer be pulled into your Platform through the curated remote repositories.


Steps to Implement Dry Run Policies
  1. Enable Curation:
    Navigate to the Administration Tab → Curation Settings → General.
    Ensure that the Curation service is enabled.
  2. Curate Remote Repositories:
    Go to Administration Tab → Curation Settings → Curated Repositories.
    Set the state of the remote repositories to “Curated.”
  3. Create Policies:
    Head over to the Application Tab → Curation → Policies.
    Here, you can create policies tailored to your needs and select the “Dry Run” action to avoid immediate blocking.

Recommended Starting Policies

If you're unsure where to begin, we recommend creating the policies listed below for all curated repositories. Where a description says "blocks", remember that with the Dry Run action selected the condition only flags the matching package in the audit; it blocks once you switch the policy to Block.

  • “Malicious Package” - Detects 3rd party packages that have been identified by the JFrog Security Research team as malicious.
  • Critical CVEs:
    • “CVE with CVSS score of 9 or above (fix version available)” - Blocks 3rd party package versions with a known vulnerability whose NVD CVSS score is 9 or above, and which has a newer version available that fixes the vulnerability.
    • “CVE with CVSS score of 9 or above (with or without a fix version available)” - Blocks 3rd party package versions with a known vulnerability whose NVD CVSS score is 9 or above, regardless of whether a newer version that fixes the vulnerability is available.
  • Old Packages:
    • “Package version is aged (no newer version identified)” - Detects and blocks 3rd party package versions whose release date is more than 2 years old and no newer version of the package exists.
    • “Package version is aged (newer version available)” - Blocks 3rd party package versions whose release date is more than 180 days older than the package’s latest version release date.
  • “Package version is immature (moderate)” - Detects 3rd party packages whose version release date is less than 14 days old.


To review the packages that were flagged but still downloaded through the Platform, navigate to the Application Tab → Curation → Audit → Dry Run tab. Here you can view the list of flagged packages.

Understanding "Dry Run" vs. "Block" Policies


With a Dry Run policy, the package will still be downloaded to the Platform and made available to the client requesting it. In contrast, a Block policy will prevent the request from being processed if a package violates the policy. Instead of downloading, the client will receive a “403 Forbidden” error, with details available in the Blocked/Approved Tab of the Curation Audit page.

Important Note:
Before switching a policy from "Dry Run" to "Block", check that the Platform's remote repository caches hold no packages that violate it, and clean any you find out of the cache first. Curation only evaluates requests that go out to the remote registries; a request for a package that is already cached is answered from the cache without passing through Curation, so cached packages that violate your new policy remain accessible to clients until they are removed. The Dry Run tab tells you which packages those are.
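Since the audit only lists the flagged packages and does not clean the cache for you, the check above can be scripted. The script below is an added example, not JFrog's own code or part of this article: it reads flagged npm packages from a CSV you save from the Dry Run tab (the column layout is assumed), asks Artifactory's AQL search endpoint for the matching items in the "<repo>-cache" repository, and prints the cache paths to delete, deleting them only when run with `--delete`. The `JFROG_URL`/`JFROG_TOKEN` names, the match on the `npm.name`/`npm.version` properties and the sample CSV are assumptions, not anything the article states.

```python
"""Find cached copies of packages flagged by a Dry Run policy so they can be
removed before the policy is switched to Block.

Added example, not JFrog code. Assumed (not stated in the article):
- the flagged packages are saved from the Dry Run tab as CSV with the columns
  repo,package_type,name,version;
- the remote repository caches its downloads in "<repo>-cache" (Artifactory's
  default naming);
- cached npm items carry npm.name and npm.version properties, which is what the
  AQL query matches on. Only the npm type is handled.
"""
import csv
import io
import json
import os
import sys
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Constructed sample of such an export; not real audit data.
SAMPLE_VIOLATIONS_CSV = """repo,package_type,name,version
npm-remote,npm,lodash,4.17.20
npm-remote,npm,event-stream,3.3.6
"""


@dataclass(frozen=True)
class Violation:
    repo: str
    package_type: str
    name: str
    version: str

    @property
    def cache_repo(self) -> str:
        return f"{self.repo}-cache"  # assumed default cache naming


def parse_violations(text: str) -> list:
    """Read the saved Dry Run listing (assumed CSV layout) into Violation records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Violation(r["repo"], r["package_type"], r["name"], r["version"]) for r in rows]


def aql_for(v: Violation) -> str:
    """Build the AQL that finds the cached item(s) for one flagged npm version."""
    if v.package_type != "npm":
        raise ValueError(f"unsupported package type: {v.package_type}")
    criteria = {"repo": v.cache_repo, "@npm.name": v.name, "@npm.version": v.version}
    return "items.find(" + json.dumps(criteria) + ').include("repo","path","name")'


def cached_paths(aql_response: dict) -> list:
    """Turn an AQL result into "<repo>/<path>/<name>" strings, i.e. DELETE targets."""
    out = []
    for item in aql_response.get("results", []):
        path = item["path"]
        prefix = "" if path in ("", ".") else path + "/"  # AQL reports "." for the root
        out.append(f"{item['repo']}/{prefix}{item['name']}")
    return out


def _request(method: str, url: str, token: str, body: Optional[bytes] = None,
             content_type: Optional[str] = None) -> bytes:
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if content_type:
        req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return resp.read()


def run_aql(base_url: str, token: str, aql: str) -> dict:
    """POST the query to Artifactory's AQL endpoint (text/plain body)."""
    raw = _request("POST", f"{base_url}/artifactory/api/search/aql", token,
                   aql.encode(), "text/plain")
    return json.loads(raw)


def main(argv: list) -> int:
    base_url = os.environ.get("JFROG_URL", "").rstrip("/")
    token = os.environ.get("JFROG_TOKEN", "")
    if not base_url or not token:
        print("set JFROG_URL and JFROG_TOKEN", file=sys.stderr)
        return 2
    do_delete = "--delete" in argv
    files = [a for a in argv if not a.startswith("--")]
    text = open(files[0]).read() if files else SAMPLE_VIOLATIONS_CSV

    targets = []
    for v in parse_violations(text):
        targets += cached_paths(run_aql(base_url, token, aql_for(v)))
    for t in targets:
        if do_delete:
            _request("DELETE", f"{base_url}/artifactory/{t}", token)
            print("deleted", t)
        else:
            print("would delete", t)
    if not targets:
        print("no flagged packages found in cache; safe to switch the policy to Block")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it first without `--delete` and read the list; once the cache is clean, switch the policy to Block, after which the next request for one of these versions goes out to the remote registry and is stopped by Curation with a 403.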

Explore the options JFrog Curation provides and bolster your security with confidence!