sonatype-nexus-community / nancy

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index
Apache License 2.0

Outgoing Data #214

Closed ProjectMutilation closed 3 years ago

ProjectMutilation commented 3 years ago

Hi, guys

After updating the list of vulnerabilities from the OSS Index, I saw outgoing application data to Sonatype. Can you tell me what kind of data is being transferred?

Thank you in advance for your response

bhamail commented 3 years ago

Can you provide more information? What URL was being contacted?

What was the command line you executed?

Is there any info in the logs?

ProjectMutilation commented 3 years ago

@bhamail I was running Docker with the command "go list -json -m all | docker run --rm -i sonatypecommunity/nancy:latest sleuth". Network traffic was intercepted by Wireshark. The traffic dump contains outgoing TCP and TLS packets directed to the IP address to which the request is made when connecting.

bhamail commented 3 years ago

@ProjectMutilation OK, that helps. The list of packages to be audited (purls) is sent to OSSIndex. If the list is long, the requests to OSSI are broken up into chunks of 128 at a time. No other connections are made during an audit.

The first time you run nancy in a given day, a connection is made to GitHub to check if a new release of nancy is available. A timestamp of this check is saved, so this would only happen once every 28 hours.

Other than the above, there are no other connections made.

I'd be happy to scour your logs to see if there are any other hints about what you're seeing, but I see no other connections being made in the code.
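As an added illustration of the audit request described above (example code written for this thread, not nancy's own), the Go program below builds the purl list from `go list -json -m all` output and splits it into batches of 128, so the exact set of identifiers leaving the machine can be inspected locally. It assumes the pkg:golang/<module path>@<version> purl form and uses a constructed go list sample in place of real output.

```go
package main

import (
	"encoding/json"
	"io"
)
// goModule holds the `go list -json -m all` fields used here.
type goModule struct {
	Path, Version string
	Replace       *goModule
}
// ChunkSize is the per-request batch size described in the thread.
const ChunkSize = 128
// Constructed stand-in for `go list -json -m all` output: concatenated JSON objects, not an array.
const sampleGoList = `{"Path":"example.com/app","Main":true}
{"Path":"github.com/x/y","Version":"v1.0.0"}
{"Path":"github.com/a/b","Version":"v2.0.0","Replace":{"Path":"github.com/c/b","Version":"v2.0.1"}}`
// ModulesToPurls returns one purl per dependency: the main module (no version) is skipped and a
// versioned replacement stands in for the module it replaces. The pkg:golang/<path>@<version>
// form follows the purl spec; that nancy sends exactly this form is an assumption.
func ModulesToPurls(r io.Reader) ([]string, error) {
	dec := json.NewDecoder(r)
	var purls []string
	for {
		var m goModule
		if err := dec.Decode(&m); err == io.EOF {
			return purls, nil
		} else if err != nil {
			return nil, err
		}
		if m.Version == "" {
			continue // main module, or a directory replace with no version
		}
		if m.Replace != nil && m.Replace.Version != "" {
			m = *m.Replace
		}
		purls = append(purls, "pkg:golang/"+m.Path+"@"+m.Version)
	}
}

// Chunk splits the purl list into batches of at most size, one batch per request.
func Chunk(purls []string, size int) (out [][]string) {
	for ; len(purls) > size; purls = purls[size:] {
		out = append(out, purls[:size])
	}
	if len(purls) > 0 {
		out = append(out, purls)
	}
	return out
}
```

Piping real `go list -json -m all` output into ModulesToPurls instead of the sample shows the dependency list an audit would submit for a given project.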

ProjectMutilation commented 3 years ago

@bhamail thanks for your answer. This is what I needed to know. Unfortunately, the company's policy does not allow the transfer of any data outside.

bhamail commented 3 years ago

@ProjectMutilation Aha! I think I see the issue. After our comments and a closer reading of your original post, I noticed the phrase: "After updating the list of vulnerabilities from the OSS Index". I think packed in there is an assumption that the locally cached data is "all" the vulnerabilities (rather than just "your app's vulnerabilities").

At a high level, we cannot cache "all" vulnerabilities for "all" components locally, as this would be terabytes of data. We send OSSI a list of dependencies used by your app, and we locally cache the vulnerability data for only the dependencies in that list.

I don't see how we could avoid sending "a list of dependencies used by your app". I'm open to new ideas.

bhamail commented 3 years ago

@ProjectMutilation One more thought (that I should have had days ago): Sonatype sells a paid solution that could comply with your company's policies: Nexus Lifecycle