We often get requests from our internal Vulnerability Mgmt. team to block certain versions of a component cached in Nexus across repos, due to vulnerabilities being reported against it.
What is the best way of blocking these artifacts from Nexus?
We have tried blocking via routing rules but at times the regex expression can get heavy & having too many routing rules can cause performance issues. Another way we have tried is to delete the component one by one from Nexus and requesting it again. This is a cumbersome process.
With Sonatype Firewall you can block the initial download / caching. Once the component is cached, Firewall will not help.
With Sonatype Lifecycle you assess the dependencies of your homegrown software for known vulnerabilities. Based on severity level you can block a build, assuming you use CI pipelines to create your homegrown artifacts. Lifecycle will not block the component being cached.
With the combo and some automation you could automatically delete vulnerable components from the cache, but that will block pipelines / deployments.
You have to have some break-glass process if a team cannot refactor and has to do some deployment.
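The "some automation" the answer alludes to can be sketched concretely. The script below is an added example, not code from this thread or from Sonatype: it purges cached copies of a blocked component version from a Nexus Repository 3 instance using two documented REST endpoints, GET /service/rest/v1/search (with format/group/name/version filters and continuationToken paging) and DELETE /service/rest/v1/components/{id}. The blocklist coordinates, credentials and the offline fake_nexus responses are constructed placeholders. Because deleting a cached component can break the pipelines that depend on it, the purge defaults to a dry run that only lists what would go, and every search hit is re-checked field by field so a loose server-side match cannot widen the deletion.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample blocklist (placeholder coordinates, not a real advisory):
# (format, group, name, version) as reported by the vulnerability-management team.
BLOCKLIST: List[Tuple[str, str, str, str]] = [
    ("maven2", "com.example", "widget-lib", "1.2.3"),
]

Fetch = Callable[[Dict[str, str]], dict]   # GET /v1/search with query params -> JSON body
Delete = Callable[[str], None]             # DELETE /v1/components/{id}


def page_search(fetch: Fetch, params: Dict[str, str]) -> List[dict]:
    """Collect every item across the continuationToken pages of one search."""
    items: List[dict] = []
    token = None
    while True:
        query = dict(params)
        if token:
            query["continuationToken"] = token
        page = fetch(query)
        items.extend(page.get("items", []))
        token = page.get("continuationToken")
        if not token:
            return items


def matching_component_ids(fetch: Fetch, entry: Tuple[str, str, str, str]) -> Dict[str, str]:
    """Map component id -> repository for cached copies of exactly this coordinate.

    The server-side filter is re-checked client-side so that only an exact
    group/name/version match is ever scheduled for deletion.
    """
    fmt, group, name, version = entry
    params = {"format": fmt, "group": group, "name": name, "version": version}
    return {
        item["id"]: item["repository"]
        for item in page_search(fetch, params)
        if (item.get("group"), item.get("name"), item.get("version")) == (group, name, version)
    }


def purge(fetch: Fetch, delete: Delete, blocklist, dry_run: bool = True) -> Dict[str, str]:
    """Delete (or, with dry_run, only list) every cached copy of each blocked coordinate."""
    planned: Dict[str, str] = {}
    for entry in blocklist:
        planned.update(matching_component_ids(fetch, entry))
    if not dry_run:
        for component_id in planned:
            delete(component_id)
    return planned


def nexus_client(base_url: str, user: str, password: str) -> Tuple[Fetch, Delete]:
    """Real HTTP callables for a Nexus 3 instance (basic auth); not exercised offline."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {auth}", "Accept": "application/json"}

    def fetch(params: Dict[str, str]) -> dict:
        url = f"{base_url}/service/rest/v1/search?{urllib.parse.urlencode(params)}"
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            return json.load(resp)

    def delete(component_id: str) -> None:
        url = f"{base_url}/service/rest/v1/components/{component_id}"
        urllib.request.urlopen(urllib.request.Request(url, headers=headers, method="DELETE")).close()

    return fetch, delete


def fake_nexus():
    """Offline stand-in: two constructed search pages, one containing a loose match to skip."""
    pages = {
        None: {"items": [{"id": "c1", "repository": "maven-central", "group": "com.example",
                          "name": "widget-lib", "version": "1.2.3"}],
               "continuationToken": "p2"},
        "p2": {"items": [{"id": "c2", "repository": "maven-mirror", "group": "com.example",
                          "name": "widget-lib", "version": "1.2.3"},
                         {"id": "c3", "repository": "maven-mirror", "group": "com.example",
                          "name": "widget-lib", "version": "1.2.3-SNAPSHOT"}],
               "continuationToken": None},
    }
    deleted: List[str] = []

    def fetch(params):
        return pages[params.get("continuationToken")]

    return fetch, deleted.append, deleted


if __name__ == "__main__":
    fetch, delete, deleted = fake_nexus()
    print("dry run:", purge(fetch, delete, BLOCKLIST))
    print("deleted:", purge(fetch, delete, BLOCKLIST, dry_run=False), deleted)
```

Against a real instance, swap fake_nexus() for nexus_client("https://nexus.example.invalid", user, password) and keep dry_run=True until the listed component ids have been reviewed; the DELETE endpoint removes the cached copy from the proxy repository, after which the next client request re-fetches from the upstream, so pair it with a Firewall policy (or a routing rule) if the re-download itself must be stopped.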