Overview

Dependency Combobulator

Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks. This facilitates a holistic approach for ensuring secure application releases that can be evaluated against different sources (e.g., GitHub Packages, JFrog Artifactory) and many package management schemes (e.g., npm, maven).

Intended Audiences

The framework can be used by security auditors and pentesters, and can even be baked into an enterprise's application security program and release cycle in an automated fashion.

Main features

  • Pluggable - interject on commit level, build, release steps in SDLC.
  • Expandable - easily add your own package management scheme or code source of choice
  • General-purpose Heuristic-Engine - an abstract package data model provides agnostic heuristic approach
  • Supporting wide range of technologies
  • Flexible - decision trees can be determined upon insights or verdicts provided by the toolkit

Easily extensible

The project puts the practitioner's ability to extend the toolkit and fit it to her own specific needs first. As such, it is designed to be extended to other sources, public registries and package management schemes, and to allow extending the abstract model and the accompanying heuristics engine.

Installation

Dependency Combobulator is ready to work with as it is - just git clone or download the package from https://github.com/apiiro/combobulator

Arguments (--help)

  -h, --help            show this help message and exit
  -t {npm,NuGet,maven}, --type {npm,NuGet,maven}
                        Package Manager Type, i.e: npm, NuGet, maven
  -l LIST_FROM_FILE, --load_list LIST_FROM_FILE
                        Load list of dependencies from a file
  -d FROM_SRC, --directory FROM_SRC
                        Extract dependencies from local source repository
  -p SINGLE, --package SINGLE
                        Name a single package.
  -c CSV, --csv CSV     Export packages properties onto CSV file
  -gh GITHUB_TOKEN, --github GITHUB_TOKEN
                        GitHub Access Token (Overrides .env file setting)
  -a {compare,comp,heuristics,heur}, --analysis {compare,comp,heuristics,heur}
                        Required analysis level - compare (comp), heuristics
                        (heur) (default: compare)

Supported package types (-t, --type): npm, maven

Supported source dependency assessment:

  • From file containing the dependency identifiers line-by-line. (-l, --load_list)
  • By analyzing the appropriate repo's software bill-of-materials (e.g. package.json, pom.xml) (-d, --directory)
  • Naming a single identifier (-p, --package)

Analysis level is customizable as you can build your own preferred analysis profile in seconds. Dependency Combobulator does come with several analysis levels out-of-the-box, selected by -a, --analysis

Supported output format:

  • Screen stdout (default)
  • CSV export to designated file (-c, --csv)

Usage examples

usage-maven.mp4

Credits

The project is maintained and sponsored by Apiiro with 💜

We honor great developers & AppSec practitioners with a passion for change 🙏

Comments
  • installation failed using Python 3.10.4 at Ubuntu 22.04

    System and Python versions

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 22.04 LTS
    Release:	22.04
    Codename:	jammy
    $ python3 --version
    Python 3.10.4
    

    Installation (steps to reproduce):

    $ git clone https://github.com/apiiro/combobulator
    Cloning into 'combobulator'...
    remote: Enumerating objects: 85, done.
    remote: Counting objects: 100% (85/85), done.
    remote: Compressing objects: 100% (72/72), done.
    remote: Total 85 (delta 34), reused 46 (delta 11), pack-reused 0
    Receiving objects: 100% (85/85), 213.21 KiB | 2.11 MiB/s, done.
    Resolving deltas: 100% (34/34), done.
    $ cd combobulator/
    $ virtualenv venv
    created virtual environment CPython3.10.4.final.0-64 in 419ms
    $ source venv/bin/activate
    $ pip install -r requirements.txt
    Collecting requests==2.12.1
      Using cached requests-2.12.1-py2.py3-none-any.whl (574 kB)
    Collecting gql==2.0.0
      Using cached gql-2.0.0-py2.py3-none-any.whl (10 kB)
    Collecting python-dotenv==0.19.2
      Using cached python_dotenv-0.19.2-py2.py3-none-any.whl (17 kB)
    Collecting six>=1.10.0
      Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
    Collecting promise<3,>=2.3
      Using cached promise-2.3-py3-none-any.whl
    Collecting graphql-core<3,>=2.3.2
      Using cached graphql_core-2.3.2-py2.py3-none-any.whl (252 kB)
    Collecting rx<2,>=1.6
      Using cached Rx-1.6.1-py2.py3-none-any.whl (179 kB)
    Installing collected packages: rx, requests, six, python-dotenv, promise, graphql-core, gql
    Successfully installed gql-2.0.0 graphql-core-2.3.2 promise-2.3 python-dotenv-0.19.2 requests-2.12.1 rx-1.6.1 six-1.16.0
    $ combobulator --help
    combobulator: command not found
    

    I can't run combobulator directly; I must search for the Python file.

    $  find ../combobulator/ -iname combobulato*
    ../combobulator/
    ../combobulator/src/combobulator.py
    $ python src/combobulator.py --help
    Traceback (most recent call last):
      File "combobulator/venv/lib/python3.10/site-packages/requests/packages/urllib3/_collections.py", line 2, in <module>
        from collections import Mapping, MutableMapping
    ImportError: cannot import name 'Mapping' from 'collections' (/usr/lib/python3.10/collections/__init__.py)
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "combobulator/venv/lib/python3.10/site-packages/requests/packages/__init__.py", line 29, in <module>
        import urllib3
    ModuleNotFoundError: No module named 'urllib3'
    

    The urllib3 module is used but missing from the requirements, so I install it manually.

    $ pip install urllib3
    Successfully installed urllib3-1.26.9
    

    Try launching the script again:

    $ python src/combobulator.py --help
    Traceback (most recent call last):
      File "temp_for_tool/combobulator/src/combobulator.py", line 7, in <module>
        import registry.npm as npm
      File "temp_for_tool/combobulator/src/registry/npm.py", line 2, in <module>
        import requests
      File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/__init__.py", line 63, in <module>
        from . import utils
      File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/utils.py", line 29, in <module>
        from .cookies import RequestsCookieJar, cookiejar_from_dict
      File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/cookies.py", line 174, in <module>
        class RequestsCookieJar(cookielib.CookieJar, collections.MutableMapping):
    AttributeError: module 'collections' has no attribute 'MutableMapping'
    
    bug 
    opened by sv-atoslav 2
  • getting issue no module named dotenv in cli following cmds run in readme.md video

    [email protected]:~/git/combobulator/src
    04:29 PM (main=) $ python3 ./combobulator.py --help
    Traceback (most recent call last):
      File "/.../combobulator/src/./combobulator.py", line 3, in <module>
        from dotenv import load_dotenv
    ModuleNotFoundError: No module named 'dotenv'
    
    
    
    documentation 
    opened by noahehall 2
  • Circular dependency conflict on installation

    requirements.txt specifies a pinned version of requests as a dependency (requests==2.11.1); however, it also calls for gql. gql 2.0.0 has its own dependency on a higher version of requests (requests<3,>=2.12). ![dependency conflict example](https://user-images.githubusercontent.com/47631344/148214910-fb884a6d-d9e4-4e6a-a971-3b7b0d198d5c.png)

    invalid 
    opened by JennyCide 1
  • Safer dependencies collector

    Some improvements, such as using path.join and a fix for the source scan: dev and peer dependencies were not analyzed.

    Related to https://github.com/apiiro/combobulator/issues/21

    opened by efratas 0
  • failed when try launch scan

    System and Python versions

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 22.04 LTS
    Release:	22.04
    Codename:	jammy
    $ python3 --version
    Python 3.10.4
    

    Steps to reproduce:

    $ cd ~/Downloads
    $ git clone https://github.com/clarkio/vulnerable-app.git
    Cloning into 'vulnerable-app'...
    [...]
    Resolving deltas: 100% (237/237), done.
    $ git clone https://github.com/stamparm/DSVW.git
    Cloning into 'DSVW'...
    [...]
    Resolving deltas: 100% (68/68), done.
    $ git clone https://github.com/rafaelrpinto/VulnerableJavaWebApplication
    Cloning into 'VulnerableJavaWebApplication'...
    [...]
    Resolving deltas: 100% (66/66), done.
    
    • scan targets:
    $ cd *path_to_combobulator_folder*
    $ python src/combobulator.py --type npm --directory ~/Downloads/vulnerable-app/
      ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
     |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
     | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
     | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
     |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
       ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
      / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
     | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
     | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
      \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
    [PROC] Arguments parsed.
    [PROC] Package list imported....  ['body-parser', 'cookie-parser', 'express', 'morgan', 'serve-favicon', dict_keys(['browser-sync', 'chai', 'chai-as-promised', 'chalk', 'dateformat', 'debug', 'del', 'glob', 'gulp', 'gulp-angular-templatecache', 'gulp-autoprefixer', 'gulp-bump', 'gulp-bytediff', 'gulp-concat', 'gulp-filter', 'gulp-header', 'gulp-if', 'gulp-imagemin', 'gulp-inject', 'gulp-jscs', 'gulp-jshint', 'gulp-less', 'gulp-load-plugins', 'gulp-minify-css', 'gulp-minify-html', 'gulp-ng-annotate', 'gulp-nodemon', 'gulp-order', 'gulp-plumber', 'gulp-print', 'gulp-rev', 'gulp-rev-replace', 'gulp-sourcemaps', 'gulp-task-listing', 'gulp-uglify', 'gulp-useref', 'gulp-util', 'jshint-stylish', 'karma', 'karma-chai', 'karma-chai-sinon', 'karma-chrome-launcher', 'karma-coverage', 'karma-firefox-launcher', 'karma-growl-reporter', 'karma-mocha', 'karma-phantomjs-launcher', 'karma-safari-launcher', 'karma-sinon', 'lodash', 'method-override', 'minimist', 'mocha', 'node-notifier', 'phantomjs-prebuilt', 'plato', 'q', 'sinon', 'sinon-chai', 'wiredep', 'yargs'])]
    Traceback (most recent call last):
      File "combobulator/src/combobulator.py", line 195, in <module>
        main()
      File "combobulator/src/combobulator.py", line 173, in main
        metapkg(x, args.package_type)
      File "combobulator/src/metapackage.py", line 7, in __init__
        if len(pkgname.split(':')) == 2:
    AttributeError: 'dict_keys' object has no attribute 'split'
    
    $ python src/combobulator.py --type pypi --directory ~/Downloads/DSVW/
      ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
     |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
     | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
     | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
     |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
       ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
      / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
     | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
     | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
      \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
    [PROC] Arguments parsed.
    [ERROR]  Selected package type doesn't support import scan.
    
    $ python src/combobulator.py --type maven --directory ~/Downloads/VulnerableJavaWebApplication/
      ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
     |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
     | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
     | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
     |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
       ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
      / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
     | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
     | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
      \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
    [PROC] Arguments parsed.
    [PROC] Package list imported....  ['org.springframework.boot:spring-boot-starter-web', 'org.apache.tomcat.embed:tomcat-embed-jasper', 'javax.servlet:jstl', 'org.springframework:spring-jdbc', 'com.h2database:h2']
    [PROC] Maven checker engaged.
    [ANALYSIS] Package:  spring-boot-starter-web   is present on public provider.
    [ANALYSIS] Package:  tomcat-embed-jasper   is present on public provider.
    [ANALYSIS] Package:  jstl   is present on public provider.
    [ANALYSIS] Package:  spring-jdbc   is present on public provider.
    [ANALYSIS] Package:  h2   is present on public provider.
    

    Summary:

    Only the Java scan is stable. Please fix it. Also, please update the readme.md.

    triage 
    opened by sv-atoslav 0
  • Introduce a keyword list to mark internal only package scheme

    For dependency confusion use case - a keyword list option for marking risky packages that should follow a scheme for internal-facing only. That way - the user will be able to designate dependencies that are to be highlighted if found to be present on the public repo

    cc @rotemreiss

    enhancement 
    opened by moshe-apiiro 0
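
The npm directory-scan failure and the internal-only keyword list raised in the issues above, as an added Python example (not code from the combobulator project): it flattens dependencies, devDependencies and peerDependencies from a package.json into a list of strings, then marks names that follow an internal naming scheme and also exist publicly. The manifest, the `acme` patterns and the `PUBLIC_NAMES` set standing in for a registry lookup are constructed assumptions.

```python
import json
import re

# Constructed sample manifest; every name below is made up for illustration.
SAMPLE_PACKAGE_JSON = """
{
  "name": "demo-app",
  "dependencies": {"express": "^4.18.0", "acme-internal-auth": "1.2.0"},
  "devDependencies": {"mocha": "^10.0.0", "@acme/build-tools": "0.3.1"},
  "peerDependencies": {"acme-internal-ui": "2.0.0", "express": "^4.18.0"}
}
"""
# Hypothetical keyword list: naming schemes reserved for internal packages.
INTERNAL_PATTERNS = [r"^acme-internal-", r"^@acme/"]
# Constructed stand-in for a public-registry lookup, so the example runs offline.
PUBLIC_NAMES = {"express", "mocha", "acme-internal-ui"}
SECTIONS = ("dependencies", "devDependencies", "peerDependencies")


def collect_dependencies(manifest_text):
    """Return a flat, de-duplicated list of package-name strings."""
    manifest = json.loads(manifest_text)
    names = []
    for section in SECTIONS:
        deps = manifest.get(section) or {}
        if not isinstance(deps, dict):
            raise ValueError(f"{section} must be a JSON object")
        # extend() keeps every element a str; append(deps.keys()) would put
        # a dict_keys object into the list as a single element.
        names.extend(deps.keys())
    return list(dict.fromkeys(names))  # keeps order, drops duplicates


def is_internal(name, patterns=INTERNAL_PATTERNS):
    """True when the name follows a scheme reserved for internal packages."""
    return any(re.search(p, name) for p in patterns)


def assess(names, exists_publicly):
    """Map each name to a verdict; exists_publicly is a lookup callable."""
    verdicts = {}
    for name in names:
        public = exists_publicly(name)
        if is_internal(name):
            # An internal-scheme name found on the public registry is the
            # case to highlight; one that is absent is still unreserved.
            verdicts[name] = "internal-on-public" if public else "internal-unreserved"
        else:
            verdicts[name] = "public" if public else "not-found"
    return verdicts


if __name__ == "__main__":
    found = collect_dependencies(SAMPLE_PACKAGE_JSON)
    for name, verdict in assess(found, PUBLIC_NAMES.__contains__).items():
        print(f"{verdict:20} {name}")
```
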
Releases(v1.0.0-rc1)
Owner
Apiiro