combobulator: detect and prevent dependency confusion leakage and potential attacks

by do son ·

Dependency Combobulator

Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks. This facilitates a holistic approach for ensuring secure application releases that can be evaluated against different sources (e.g., GitHub Packages, JFrog Artifactory) and many package management schemes (e.g., ndm, maven).

Intendend Audiances

The framework can be used by security auditors, pentesters, and even baked into an enterprise’s application security program and release cycle in an automated fashion.

Main features

  • Pluggable – interject on commit level, build, release steps in SDLC.
  • Expandable – easily add your own package management scheme or code source of choice
  • General-purpose Heuristic-Engine – an abstract package data model provides an agnostic heuristic approach
  • Supporting wide range of technologies
  • Flexible – decision trees can be determined upon insights or verdicts provided by the toolkit

Easily extensible

The project is putting practicionar’s ability to extend and fit the toolkit to her own specific needs. As such, it is designed to be able to extend it to other sources, public registries, package management schemes, and extending the abstract model and accompanied heuristics engine.

Install

python3 -m pip install python-dotenv gql argparse
git clone https://github.com/apiiro/combobulator.git

Use

Supported package types (-t, –t): npm, maven

Supported source dependency assessment:

  • From file containing the dependency identifiers line-by-line. (-l, –load_list)
  • By analyzing the appropriate repo’s software bill-of-materials (e.g. package.json, pom.xml) (-d, –directory)
  • Naming a single identifier (-p, –package)

Analysis level is customizable as you can build your own preferred analysis profile in seconds. Dependency Combobulator does come with several analysis levels out-of-the-box, selected by -a, –analysis

Supported output format:

  • Screen stdout (default)
  • CSV export to designated file -(-CSV)

Copyright (C) 2021 moshe-apiiro 

Source: https://github.com/apiiro/

Tags: combobulator