How does grandfathering work with Nexus Firewall?

We are moving some applications into a new environment that uses Nexus Firewall and Nexus Lifecycle. We’d like to grandfather the violations in the apps, but I am unclear how it works with Firewall.

I think I have to waive the violation to let the component through Nexus Firewall so I can build the app in the new environment. Then I can remove the waiver and upload the newly-built app to Lifecycle with grandfathering enabled so that the violations get grandfathered.

Is that correct? Do I have to (temporarily) use waivers to get through Firewall?

Hi Gene,

Great to see you post out in the community space! Thanks for your question.

The Grandfathering capability is intended for onboarding existing applications with known vulnerabilities (e.g. legacy applications) to aid in the onboarding process. The capability was designed from the use case where customers may have a large number of applications (i.e. typically legacy), and they need to onboard quickly to be able to go forward with their initiatives. Here is a link that will explain more: IQ Server Grandfathering - Sonatype Guides

For your specific question, I’d like to understand more about what you’re trying to do, so that I can offer best practice guidance. Typically, we will not want anyone to build applications using known bad components. Yes, you can technically do what you are suggesting, and you will want to understand the consequence of those actions and potential disruption to other builds.

The intersection with Nexus Repository and Firewall occurs for newly downloaded components. Normally your existing proxied components wouldn’t be quarantined (blocked) since you don’t want to cause disruption for builds that are working. Firewall will audit your existing repository and identify violations, then in Lifecycle you’d see similar violations per application, and when using grandfathering those violations would be grandfathered, since they represent existing issues.

I hope that helps to some degree.

Thanks,
Santi

1 Like

I have applications in one environment. That environment has the components downloaded and applications built. They were not monitored with Lifecycle.

They are moving to a new environment that has Firewall and Lifecycle. They are existing apps (so grandfathering would help), but building them in the new env for the first time requires the components to be downloaded. Firewall is blocking those downloads, appropriately.

I plan to grandfather the findings in Lifecycle for these apps. But first I think I’ll need to waive the components through Firewall to do so. Is that the case? Or if I can move the binary over and manually upload to Lifecycle in the new env to be grandfathered will Firewall then see the grandfathered components and allow them through without being waived?