Malware vs. Vulnerability

Hi, folks!

If you want to understand the current state of the software supply chain, you need to understand the difference between a vulnerability and malware. The short answer is: malware is worse, by an order of magnitude.

Get educated on the topic in our new course, presented in a blisteringly interactive new format! This should take about 15 minutes to complete. Remember, you don’t need to be a customer to access learn.sonatype.com, you just need a my.sonatype.com account.

Questions, comments, concerns, or ideas? Drop us a line in this thread.

We’re currently using OSS Nexus version 3.70.1 and have identified malware within one of the npm packages. Given that there are over 10,000 versions of npm packages, it’s challenging to pinpoint and trace the specific malware.

Could you advise on the best way to detect or trace malware within npm packages in OSS Nexus? Additionally, is there any guidance or tooling available to help block or prevent such malware from being stored or served?

Any help or documentation you can provide would be greatly appreciated.

That’s a good question, Kiran! Malware creators do everything they can to make malware hard to find and remove. Ultimately, automated protection, like with Sonatype Repository Firewall, is the only way to be totally sure that malware is being blocked.

As an OSS user, though, I can give you two suggestions.

  1. If you know the name of the malware package and just can’t find it, make sure you’re using our search tools correctly. A link to the documentation is below.
  2. If you don’t know the name of the malware, consider moving to Community Edition to get access to Repository Health Check. Use the tool to look for proxy repositories with critical vulnerabilities. Malware is always a critical threat, so the malware is in one of those repositories.

https://help.sonatype.com/en/searching-for-components.html
https://help.sonatype.com/en/ce-onboarding.html
https://help.sonatype.com/en/repository-health-check.html
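Jonathan's first suggestion assumes you can search by name; when what you have instead is a list of package@version pairs flagged by an advisory source, the same component search can be walked page by page from a script and checked against that list. This is an added example, not code from the thread or from Sonatype: the `/service/rest/v1/search` path, its `repository`, `format` and `continuationToken` parameters and the `items[].name`/`version` fields are assumed from the Nexus 3 REST API, and the package names, versions and the two fake pages are constructed so it runs offline.

```python
import json
from urllib.parse import urlencode
from urllib.request import urlopen

# Assumed Nexus 3 component search endpoint (not taken from the thread).
SEARCH_PATH = "/service/rest/v1/search"

def nexus_fetch(base_url, params):
    """Fetch one page of the component search API and decode its JSON body."""
    with urlopen(base_url + SEARCH_PATH + "?" + urlencode(params)) as resp:
        return json.load(resp)

def find_flagged_npm(base_url, repository, flagged, fetch=nexus_fetch):
    """Walk every npm component in `repository`, following continuationToken,
    and return the (name, version) pairs present in `flagged`. A version of
    "*" in `flagged` marks every version of that package as flagged."""
    hits = []
    token = None
    while True:
        params = {"repository": repository, "format": "npm"}
        if token:
            params["continuationToken"] = token
        page = fetch(base_url, params)
        for item in page.get("items", []):
            key = (item["name"], item["version"])
            if key in flagged or (item["name"], "*") in flagged:
                hits.append(key)
        token = page.get("continuationToken")
        if not token:
            return hits

# Constructed two-page response in the shape the search API returns, so the
# walk runs offline; the package names and versions are made up.
_PAGES = {
    None: {"items": [{"name": "safe-pkg", "version": "4.17.21"},
                     {"name": "evil-pkg", "version": "1.0.2"}],
           "continuationToken": "page2"},
    "page2": {"items": [{"name": "other-pkg", "version": "2.0.0"},
                        {"name": "evil-pkg", "version": "1.0.3"}],
              "continuationToken": None},
}
def fake_fetch(base_url, params):
    return _PAGES[params.get("continuationToken")]

# Constructed advisory list: every version of evil-pkg, one version of other-pkg.
FLAGGED = {("evil-pkg", "*"), ("other-pkg", "2.0.0")}

if __name__ == "__main__":
    for name, version in find_flagged_npm("http://nexus.example:8081", "npm-proxy", FLAGGED, fake_fetch):
        print(f"flagged: {name}@{version}")
```

Against a live instance, pass the real base URL and drop the `fetch=fake_fetch` argument so `nexus_fetch` is used; the token loop handles repositories with far more than one page of versions.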

Thank you, Jonathan, for the details.

The search option is helpful if we know the malware component and its version number. However, if we don’t have this information, how can we trace the specific component and its version to block it in the Nexus instance?

Also, we appreciate you providing the repository health check documentation. While the document shows the number of impacted CVEs along with their scores, it’s unclear whether we can pinpoint the exact malware component from it.

Could you please advise on how to pinpoint the exact components?

Regards,
Kiran Kumar

Tracing specific malware components isn’t really a feature with Nexus Repository OSS. You’ll need to make a purchase of Nexus Repository Pro and Repository Firewall.