Since upgrading our free local standalone version of Nexus Repository to version 3.73.0, we are seeing a Big Red Warning stating 1 Malware Component Found.
From the guide below, my understanding is that we would need the Sonatype Repository Firewall in order to remove the malware. I assume this means that we would need to upgrade Nexus to the paid-for Pro version.
Thanks for reaching out and sharing your concerns around our new malware banner feature.
We view malware in any of our customer’s environments whether it be our free or paid repository as a very serious and active threat that needs to be addressed as soon as possible.
We are committed to supporting the safe development of software and therefore want to ensure you are aware of when malware is present. The malware must be removed in order for the banner to no longer be present.
The best way to identify and remove malware using a Sonatype-supported solution is to use Sonatype Repository Firewall. Sonatype Nexus Repository Manager Pro allows you to see the risk of components in individual proxy repos, but it does not specify whether or not a component is malicious.
I have the same issue, already contacted Sonatype and just got the answer that I should buy the Repository Firewall. But as a small company, this is no option at all.
But I got no info about how I can find out the exact package or the exact file that is affected.
I also tried checking each package using ClamAV, without any match (so it seems that there is no malware in the packages).
This sounds more like a sales banner than helpful information…
So Sonatype, please either tell us how we can find out the infected package or file name, or show us how you checked the packages to find the infected one (to manually reproduce the result), or just remove the unusable big red sales banner.
Hello, this message is now also appearing for me and is unsettling my colleagues. It can’t be the solution that I have to buy the nexus firewall so that I can determine the affected components. Even if the solution would perhaps help us to manage our artifacts better, I am currently lacking the arguments to get a budget for it. I would need to know what is affected in order to assess the risk.
@christoph.keller The banner indicates that open source malware is present within your proxy repos. This open source malware will not be detected with an anti-virus tool.
If you’re looking to take action within OSS, you could reconsider proxying high-risk ecosystems and delete those proxy repos. You run the risk of breaking builds if you do this, but it is an option.
Even with removing those proxy repos, having open source malware at all is very risky as you know.
The only Sonatype-supported way to accurately identify, block, and remediate malware is through Sonatype Repository Firewall. Firewall is supported by our best-in-class malware identification capabilities. You can also learn more about our data and intelligence here.
I know what this banner is trying to tell me. But it is just a worthless big red danger-sign, as long as it does not tell me what package is affected.
Technically, either Nexus knows exactly what package is affected and just will not tell me until I pay for it, or otherwise it shows just a random number.
I already spent 8+ hours building a pipeline that checks the npm proxy repository for malware and viruses (using ClamAV) and checked, for each package and specific version, whether it is still listed on npmjs.org, without any luck. All packages seem legit.
So could you please tell me either the name of the affected package, or the method how the packages are scanned to find the affected one?
And about the „proxying high-risk ecosystems“: I am using the official npmjs.org feed. So nothing unofficial or high-risk at all, I just want a convenient single package source for both our own npm packages and the official ones. Just to make our developers' lives a bit easier.
Thank you for your answers and have a great day,
Chris
This banner sounds like an advertisement. Like many tools/scams that warn users about malware/viruses on their computers.
The form is not very good. The only way to get rid of this message is to pay. We should be able to deactivate it, or Nexus should name the components.
Paid business model could be: OSS = warn/show components (passive) / Pro = actively block components to be downloaded (active).
It sounds more fair and less commercial.
Make sure none of your packages are listed in the GitHub Advisory Database; this was the case with someone I know who experienced this notification.
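One way to act on that suggestion offline, as an added example that is not code from this thread, from Sonatype or from GitHub: cross-check the proxy's component inventory against advisories in the OSV JSON form the GitHub Advisory Database publishes. The inventory shape (Nexus's /service/rest/v1/components listing with name, version and format fields), the sample data and the placeholder advisory id are all assumptions.

```python
"""Cross-check a Nexus npm proxy inventory against GitHub Advisory Database
entries in OSV JSON form. All data below is constructed sample input."""
import json
import re
# Constructed sample in the assumed shape of Nexus's
# GET /service/rest/v1/components?repository=<proxy> response.
NEXUS_COMPONENTS = json.loads("""{"items": [
  {"name": "left-pad", "version": "1.3.0", "format": "npm"},
  {"name": "example-pkg", "version": "1.0.0", "format": "npm"},
  {"name": "example-pkg", "version": "2.0.1", "format": "npm"},
  {"name": "example-pkg", "version": "2.1.0", "format": "npm"}
], "continuationToken": null}""")

# Constructed advisory in OSV shape; the GHSA id is a placeholder, not real.
ADVISORIES = [json.loads("""{"id": "GHSA-PLACEHOLDER",
  "affected": [{"package": {"ecosystem": "npm", "name": "example-pkg"},
    "ranges": [{"type": "ECOSYSTEM",
      "events": [{"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}]}]}""")]

def parse_version(v):
    """Turn '1.2.3-beta' into (1, 2, 3); enough for the range checks here."""
    return tuple(int(p) for p in re.split(r"[-+]", v, maxsplit=1)[0].split("."))

def version_in_range(version, events):
    """OSV events are ordered: 'introduced' opens a range and the next
    'fixed' (exclusive) closes it; '0' means 'from the first release'."""
    ver, open_range = parse_version(version), False
    for ev in events:
        if "introduced" in ev:
            start = ev["introduced"]
            open_range = start == "0" or ver >= parse_version(start)
        elif open_range and "fixed" in ev:
            if ver < parse_version(ev["fixed"]):
                return True
            open_range = False
    return open_range  # still open: affected from 'introduced' onward

def find_flagged(components, advisories, ecosystem="npm"):
    """Return [(name, version, advisory id)] for each cached component whose
    version lies inside an advisory's affected range for this ecosystem."""
    hits = []
    for item in (i for i in components["items"] if i.get("format") == ecosystem):
        for adv in advisories:
            for aff in adv.get("affected", []):
                pkg = aff.get("package", {})
                if pkg.get("ecosystem") != ecosystem or pkg.get("name") != item["name"]:
                    continue
                for rng in aff.get("ranges", []):  # GIT ranges hold commit ids, skip them
                    if rng.get("type") != "GIT" and version_in_range(item["version"], rng["events"]):
                        hits.append((item["name"], item["version"], adv["id"]))
    return hits
```

A match only shows that a cached version is covered by a published advisory; it does not reproduce Sonatype's own detection.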
We view malware in any of our customer’s environments whether it be our free or paid repository as a very serious and active threat that needs to be addressed as soon as possible.
If that was the case, you wouldn’t just show a counter, but actually show the name of the affected package.
@christoph.keller, thanks for checking back in. If you click on the banner, it will take you to an updated page that includes some new resources as of Monday, including an FAQ guide that answers these questions.
Thank you for the updated info page. I read all the info, but it is still unsatisfactory, as the only real „solution“ provided is: delete and recreate the proxy repository…
With that, it is still a big guessing game and is still just a commercial banner rather than helpful and honest information.
Also the note on why Sonatype is not able to report the exact component is insufficient:
How are you identifying the open source malware in my proxy repositories?
We’re leveraging the existing Repository Health Check capabilities to identify and count every instance of malware. This evaluation will determine if a component found in your proxy repository has been identified to contain open source malware. The malware data being referenced is identified and supported by our malware intelligence. This analysis is run every 24 hours.
Why can’t you tell me what the compromised components are?
The analysis referenced above is only able to determine counts of open source malware. Exposing that malware data leaves your organization and Sonatype at risk as we require licenses or legal review to share and discuss the findings. Additionally, the specific details about the components containing malware would expose the ways your organization could be susceptible to exploits.
Again: please either publish the information on which component is affected, or remove the commercial banner (or make it dismissable).
For all that suffer from this malware-notification:
I found out that it is (perhaps) possible to disable this by adding the following lines to the /nexus-data/etc/nexus.properties file (in the case of a Docker installation):
WARNING: This just disables the malware warning banner and DOES NOT FIX the malware components (if any).
Can anyone confirm that this removes the banner? According to the source, this should be the feature flag for this.
Hope that helps anyone who is searching for a way to disable this warning.
Anyway, it is still a bit greedy to scan the packages and not inform about the exact match found (because if there is a correct number displayed, there must be a matching package).