
In the company where I am working we are starting to use Artifactory as a repository management tool, and I'm reading the user guide of this tool. We started the configuration by creating a virtual repository and a few local and remote repositories. In the user guide I found the following:

Prevent disclosing sensitive business information derived from your artifact queries to whomever can intercept the queries, including the owners of the remote repository itself.

I saw that this could be avoided through the "exclude pattern" functionality on the virtual repository. Can you give us some suggestions about this? What kinds of requests should we avoid making?


1 Answer


You should avoid sending requests for internal artifacts to remote repositories (directly or through a virtual one). This can happen when a project depends on an internal library, or in multi-module projects where the modules depend on each other. When a virtual repository is used, Artifactory will always search the local repositories for such an artifact first. However, if someone requests the wrong version, or there is a typo in the artifact name, the artifact will not be found in the local repositories, and Artifactory will try to find it in the remote repositories configured in that virtual repository.

To avoid exposing sensitive business information as described above, we strongly recommend the following best practices:

  • The list of remote repositories used in the organization should be managed under a single virtual repository that all requests point to.
  • All internal artifacts should be specified in the "Exclude Patterns" field of the virtual repository (or of each remote repository), using wildcards to cover as broad a specification of internal artifacts as possible.

Assuming all of your projects/modules use some namespace, e.g. com.mycompany, you can configure the exclude pattern com/mycompany/** for artifacts under that namespace.

For more information, see Avoiding Security Risks with an Exclude Pattern.

answered 2014-03-29T17:48:08.483
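To make the answer's point concrete, here is an added example (not from the answer's author and not Artifactory's own code) that simulates how a virtual repository resolves a request: local repositories first, then the exclude patterns, then the remotes. The local artifact set and the request list are constructed sample data; the only pattern taken from the answer is com/mycompany/**, and the matcher implements the usual Ant-style wildcards.

```python
import re

# Constructed sample data (not from the original post): artifacts in the local repo.
LOCAL_ARTIFACTS = {"com/mycompany/billing/1.0.0/billing-1.0.0.jar"}
# Exclude pattern from the answer, in Artifactory's Ant-style path syntax.
EXCLUDE_PATTERNS = ["com/mycompany/**"]

def ant_to_regex(pattern: str) -> re.Pattern:
    """'**' spans path segments, '*' stays within one segment, '?' is one
    non-slash character; everything else is matched literally."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):   # so 'a/**/b' also matches 'a/b'
            regex, i = regex + "(?:.*/)?", i + 3
        elif pattern.startswith("**", i):
            regex, i = regex + ".*", i + 2
        elif pattern[i] == "*":
            regex, i = regex + "[^/]*", i + 1
        elif pattern[i] == "?":
            regex, i = regex + "[^/]", i + 1
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    return re.compile(regex)

def resolve(path: str, local=LOCAL_ARTIFACTS, excludes=EXCLUDE_PATTERNS) -> str:
    """Simulate a virtual-repository lookup as the answer describes it: local
    repositories first; if the artifact is not there, an exclude-pattern match
    stops the request, otherwise it is forwarded to the remote repositories."""
    if path in local:
        return "local"
    if any(ant_to_regex(p).fullmatch(path) for p in excludes):
        return "blocked"
    return "remote"

def audit(requests, excludes=EXCLUDE_PATTERNS) -> dict:
    """Outcome per requested path; a 'remote' outcome on an internal path is a
    request whose artifact name and version the remote's owner would see."""
    return {r: resolve(r, excludes=excludes) for r in requests}

if __name__ == "__main__":
    requests = [
        "com/mycompany/billing/1.0.0/billing-1.0.0.jar",               # in local
        "com/mycompany/billing/1.0.1/billing-1.0.1.jar",               # wrong version
        "com/mycompany/biling/1.0.0/biling-1.0.0.jar",                 # typo in name
        "org/apache/commons/commons-lang3/3.1/commons-lang3-3.1.jar",  # public dep
    ]
    for excludes in ([], EXCLUDE_PATTERNS):
        print(f"exclude patterns = {excludes}")
        for path, outcome in audit(requests, excludes=excludes).items():
            print(f"  {outcome:8} {path}")
```

Without the exclude pattern the wrong-version and typo requests reach the remote; with com/mycompany/** they are stopped at the virtual repository while the public dependency is still forwarded.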