sonatype-nexus-community / nancy

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index


Outgoing Data

ProjectMutilation opened this issue · comments

Hi, guys

After updating the list of vulnerabilities from the OSS Index, I saw outgoing application data going to Sonatype.
Can you tell me what kind of data is being transferred?

Thank you in advance for your response

Can you provide more information? What URL was being contacted?

What was the command line you executed?

Is there any info in the logs?

@bhamail I was running Docker with the command "go list -json -m all | docker run --rm -i sonatypecommunity/nancy:latest sleuth".
Network traffic was intercepted with Wireshark.
The traffic dump contains outgoing TCP and TLS packets directed to the IP address to which the request is made when connecting.

@ProjectMutilation OK, that helps. The list of packages to be audited (purls) is sent to OSSIndex. If the list is long, the requests to OSSI are broken up into chunks of 128 at a time. No other connections are made during an audit.

The first time you run nancy in a given day, a connection is made to GitHub to check if a new release of nancy is available. A timestamp of this check is saved, so this would only happen once every 28 hours.

Other than the above, there are no other connections made.

I'd be happy to scour your logs to see if there are any other hints about what you're seeing, but I see no other connections being made in the code.
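The data flow described in the comment above, as an added illustration (this is not nancy's own code): the concatenated JSON objects that `go list -json -m all` emits are turned into one purl per dependency, and the list is split into batches of 128, which is all that each OSS Index request carries. The sample input is constructed; the exact purl formatting (`pkg:golang/<path>@<version>`) and the handling of replaced modules are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Module mirrors the few fields of `go list -json -m all` output used here.
type Module struct {
	Path    string
	Version string
	Main    bool
	Replace *Module
}

// ChunkSize is the batch size the maintainer describes: 128 purls per request.
const ChunkSize = 128

// PurlsFromGoList decodes the stream of JSON objects from `go list -json -m all`
// and returns one purl per dependency. The main module has no version and is
// skipped; a replaced module is reported under its replacement, and a local
// directory replacement (no version) is skipped (assumption for this example).
func PurlsFromGoList(r io.Reader) ([]string, error) {
	dec := json.NewDecoder(r)
	var purls []string
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Replace != nil {
			m = *m.Replace
		}
		if m.Main || m.Version == "" {
			continue
		}
		purls = append(purls, "pkg:golang/"+m.Path+"@"+m.Version)
	}
	return purls, nil
}

// Chunk splits the purl list into batches of at most size entries.
func Chunk(purls []string, size int) [][]string {
	var batches [][]string
	for start := 0; start < len(purls); start += size {
		end := start + size
		if end > len(purls) {
			end = len(purls)
		}
		batches = append(batches, purls[start:end])
	}
	return batches
}

// sampleGoList is constructed input in the shape of `go list -json -m all`.
const sampleGoList = `{"Path":"example.com/myapp","Main":true}
{"Path":"github.com/sirupsen/logrus","Version":"v1.8.1"}
{"Path":"golang.org/x/text","Version":"v0.3.7"}
{"Path":"example.com/forked","Version":"v0.1.0","Replace":{"Path":"../forked"}}
`

func main() {
	purls, err := PurlsFromGoList(strings.NewReader(sampleGoList))
	if err != nil {
		panic(err)
	}
	for i, batch := range Chunk(purls, ChunkSize) {
		fmt.Printf("request %d would carry %d purls: %v\n", i+1, len(batch), batch)
	}
}
```

Running this against a real `go list -json -m all` output shows exactly which identifiers would leave the machine, which is the list to review against a policy like the one mentioned in this thread.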

@bhamail thanks for your answer
This is what I needed to know. Unfortunately, the company's policy does not allow the transfer of any data outside.

@ProjectMutilation Aha! I think I see the issue. After our comments and a closer reading of your original post, I noticed the phrase: "After updating the list of vulnerabilities from the OSS Index". I think packed in there is an assumption that the locally cached data is "all" the vulnerabilities (rather than just "your app's vulnerabilities").

At a high level, we cannot cache "all" vulnerabilities for "all" components locally, as this would be terabytes of data. We send OSSI a list of dependencies used by your app, and we locally cache the vulnerability data for only the dependencies in that list.

I don't see how we could avoid sending "a list of dependencies used by your app". I'm open to new ideas.

@ProjectMutilation One more thought (that I should have had days ago): Sonatype sells a paid solution that could comply with your company's policies: Nexus Lifecycle