Yaniv-git/dependency-confusion-scanner
Dependency confusion scanner

This small repo scans GitHub repositories for potential dependency confusion vulnerabilities.

It scans for packages in:

  • NuGet
    • *.csproj
    • packages.config
  • Maven
    • *pom.xml
    • build.gradle
  • Packagist
    • composer.lock
    • composer.json
  • PyPI
    • requirements.txt
  • NPM
    • package-lock.json
    • package.json

How it works

The scanner fetches the relevant manifest files for each package manager, parses them, and checks whether each package name exists on the public registry. Additionally, it warns if a detected public package has a version that includes 999 or 9.9.9, a pattern associated with dependency confusion that has already been exploited.
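The check described above, as an added example that is not the repository's own code: it parses a constructed package.json and requirements.txt, stands in for the public-registry lookup with a constructed set of names (the real scanner queries the registries over the network), reports every public hit, and marks versions that include 999 or 9.9.9.

```python
"""Added example, not the repository's own code: the README's core check
run over constructed manifest content. Public-registry lookups are stubbed
with a constructed name set; the real scanner queries the registries."""
import json
import re
from typing import Callable

# Constructed sample manifests (not taken from any real repository).
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"lodash": "^4.17.21", "@acme/internal-utils": "1.0.0"},
    "devDependencies": {"acme-build-tools": "9.9.9"},
})
SAMPLE_REQUIREMENTS = """# pinned deps
requests==2.31.0
acme-internal-lib==1.999.0   # constructed suspicious version
-r other.txt
"""
# Stand-in for "does this name exist on the public registry?" (constructed).
PUBLIC_NAMES = {"lodash", "requests", "acme-build-tools", "acme-internal-lib"}

def parse_package_json(text: str) -> dict[str, str]:
    """Return {name: version} from an npm package.json (deps and devDeps)."""
    data = json.loads(text)
    deps: dict[str, str] = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(data.get(key, {}))
    return deps

def parse_requirements(text: str) -> dict[str, str]:
    """Return {name: version_spec} from a pip requirements.txt."""
    deps: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # skip blanks, comments, -r/-e
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*(.*)", line)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps

def scan(deps: dict[str, str], is_public: Callable[[str], bool]) -> list[dict]:
    """Report every dependency whose name resolves on the public registry.
    The scanner cannot know which names are meant to be internal, so each
    public hit is reported for review; a version including 999 or 9.9.9 is
    also marked as possibly already exploited (per the README)."""
    return [
        {"package": n, "version": v,
         "possibly_exploited": "999" in v or "9.9.9" in v}
        for n, v in deps.items() if is_public(n)
    ]
```

Each public hit still needs a human to decide whether the name was meant to resolve internally; only the version marker is a direct indicator.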

Setup

Create a github_access_token file and add your GitHub API token to it (this way the scanner can also reach private repos).

Run

To run the script, create a scanner for an organization and scan all the repos in it (repos can be skipped with the exclude_repos option):

    # Scan every repository of the given organization
    scanner = OrganizationScanner("SonarSource")
    scanner.scan_all_repos()

Or scan a specific repo:

    # Scan a single repository given as "owner/name"
    scanner = OrganizationScanner()
    scanner.scan_repo("ndleah/python-mini-project")
