Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks.

Related tags

Security related resourcescombobulator
Overview

Dependency Combobulator

BHEU BADGE python maintained

Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks. This facilitates a holistic approach for ensuring secure application releases that can be evaluated against different sources (e.g., GitHub Packages, JFrog Artifactory) and many package management schemes (e.g., ndm, maven).

Intendend Audiances

The framework can be used by security auditors, pentesters and even baked into an enterprise's application security program and release cycle in an automated fashion.

Main features

  • Pluggable - interject on commit level, build, release steps in SDLC.
  • Expandable - easily add your own package management scheme or code source of choice
  • General-purpose Heuristic-Engine - an abstract package data model provides agnostic heuristic approach
  • Supporting wide range of technologies
  • Flexible - decision trees can be determined upon insights or verdicts provided by the toolkit

Easly exstensible

The project is putting practicionar's ability to extend and fit the toolkit to her own specific needs. As such, it is designed to be able to extend it to other sources, public registries, package management schemes and extending the abstract model and accompnaied heuristics engine.

Installation

Dependency Combobulator is ready to work with as it is - just git clone or download the package from https://github.com/apiiro/combobulator

Arguments (--help)

  -h, --help            show this help message and exit
  -t {npm,NuGet,maven}, --type {npm,NuGet,maven}
                        Package Manager Type, i.e: npm, NuGet, maven
  -l LIST_FROM_FILE, --load_list LIST_FROM_FILE
                        Load list of dependencies from a file
  -d FROM_SRC, --directory FROM_SRC
                        Extract dependencies from local source repository
  -p--package SINGLE    Name a single package.
  -c CSV, --csv CSV     Export packages properties onto CSV file
  -gh GITHUB_TOKEN, --github GITHUB_TOKEN
                        GitHub Access Token (Overrides .env file setting)
  -a {compare,comp,heuristics,heur}, --analysis {compare,comp,heuristics,heur}
                        Required analysis level - compare (comp), heuristics
                        (heur) (default: compare)

Apiiro 
   
     Community

Supported package types (-t, --t): npm, maven

Supported source dependency assessment:

  • From file containing the dependency identifiers line-by-line. (-l, --load_list)
  • By analyzing the appropriate repo's software bill-of-materials (e.g. package.json, pom.xml) (-d, --directory)
  • Naming a single identifier (-p, --package)

Analysis level is customizable as you can build your own preferred analysis profile in seconds. Dependency Combobulator does come with several analysis levels out-of-the-box, selected by -a, --analysis

Supported output format:

  • Screen stdout (default)
  • CSV export to designated file -(-CSV)

Usage examples

usage-maven.mp4

Credits

The project is maintained and sponsored by Apiiro with 💜

We honor great developers & AppSec practitioners with a passion for change 🙏

Comments
  • installation failed using Python 3.10.4 at Ubuntu 22.04

    installation failed using Python 3.10.4 at Ubuntu 22.04

    System and Python versions

    $ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04 LTS
Release:	22.04
Codename:	jammy
$ python3 --version
Python 3.10.4

    Installation: (steps for reproduce)

    $ git clone https://github.com/apiiro/combobulator
Cloning into 'combobulator'...
remote: Enumerating objects: 85, done.
remote: Counting objects: 100% (85/85), done.
remote: Compressing objects: 100% (72/72), done.
remote: Total 85 (delta 34), reused 46 (delta 11), pack-reused 0
Receiving objects: 100% (85/85), 213.21 KiB | 2.11 MiB/s, done.
Resolving deltas: 100% (34/34), done.
$ cd combobulator/
$ virtualenv venv
created virtual environment CPython3.10.4.final.0-64 in 419ms
$ source venv/bin/activate
$ pip install -r requirements.txt
Collecting requests==2.12.1
  Using cached requests-2.12.1-py2.py3-none-any.whl (574 kB)
Collecting gql==2.0.0
  Using cached gql-2.0.0-py2.py3-none-any.whl (10 kB)
Collecting python-dotenv==0.19.2
  Using cached python_dotenv-0.19.2-py2.py3-none-any.whl (17 kB)
Collecting six>=1.10.0
  Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting promise<3,>=2.3
  Using cached promise-2.3-py3-none-any.whl
Collecting graphql-core<3,>=2.3.2
  Using cached graphql_core-2.3.2-py2.py3-none-any.whl (252 kB)
Collecting rx<2,>=1.6
  Using cached Rx-1.6.1-py2.py3-none-any.whl (179 kB)
Installing collected packages: rx, requests, six, python-dotenv, promise, graphql-core, gql
Successfully installed gql-2.0.0 graphql-core-2.3.2 promise-2.3 python-dotenv-0.19.2 requests-2.12.1 rx-1.6.1 six-1.16.0
$ combobulator --help
combobulator: command not found

    I can't run combobulator directly, I must search python file for this.

    $  find ../combobulator/ -iname combobulato*
../combobulator/
../combobulator/src/combobulator.py
$ python src/combobulator.py --help
Traceback (most recent call last):
  File "combobulator/venv/lib/python3.10/site-packages/requests/packages/urllib3/_collections.py", line 2, in <module>
    from collections import Mapping, MutableMapping
ImportError: cannot import name 'Mapping' from 'collections' (/usr/lib/python3.10/collections/__init__.py)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "combobulator/venv/lib/python3.10/site-packages/requests/packages/__init__.py", line 29, in <module>
    import urllib3
ModuleNotFoundError: No module named 'urllib3'

    module urllib3 used, but missed at reqirements. So i install it manually

    $ pip install urllib3
Successfully installed urllib3-1.26.9

    try launch script again

    $ python src/combobulator.py --help
Traceback (most recent call last):
  File "temp_for_tool/combobulator/src/combobulator.py", line 7, in <module>
    import registry.npm as npm
  File "temp_for_tool/combobulator/src/registry/npm.py", line 2, in <module>
    import requests
  File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/__init__.py", line 63, in <module>
    from . import utils
  File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/utils.py", line 29, in <module>
    from .cookies import RequestsCookieJar, cookiejar_from_dict
  File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/cookies.py", line 174, in <module>
    class RequestsCookieJar(cookielib.CookieJar, collections.MutableMapping):
AttributeError: module 'collections' has no attribute 'MutableMapping'
    bug 
    opened by sv-atoslav 2
  • getting issue no module named dotenv in cli following cmds run in readme.md video

    getting issue no module named dotenv in cli following cmds run in readme.md video 

    [email protected]:~/git/combobulator/src
04:29 PM (main=) $ python3 ./combobulator.py --help
Traceback (most recent call last):
  File "/.../combobulator/src/./combobulator.py", line 3, in <module>
    from dotenv import load_dotenv
ModuleNotFoundError: No module named 'dotenv'
    documentation 
    opened by noahehall 2
  • Circular dependency conflict on installation

    Circular dependency conflict on installation

    requirements.txt specifies a pinned version of requests as a dependency requests==2.11.1 however it also calls for gql. gql 2.0.0 has it's own dependency on a higher version of requests requests<3,>=2.12 ![dependency conflict example](https://user-images.githubusercontent.com/47631344/148214910-fb884a6d-d9e4-4e6a-a971-3b7b0d198d5c.png)

    invalid 
    opened by JennyCide 1
  • Safer dependencies collector

    Safer dependencies collector

    some improvements such as using path.join, fix scan source dev and peer dependencies were not analyzed

    related to https://github.com/apiiro/combobulator/issues/21

    opened by efratas 0
  • failed when try launch scan

    failed when try launch scan

    System and Python versions

    $ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04 LTS
Release:	22.04
Codename:	jammy
$ python3 --version
Python 3.10.4

    steps to reproduse:

    $ cd ~/Downloads
$ git clone https://github.com/clarkio/vulnerable-app.git
Cloning into 'vulnerable-app'...
[...]
Resolving deltas: 100% (237/237), done.
$ git clone https://github.com/stamparm/DSVW.git
Cloning into 'DSVW'...
[...]
Resolving deltas: 100% (68/68), done.
$ git clone https://github.com/rafaelrpinto/VulnerableJavaWebApplication
Cloning into 'VulnerableJavaWebApplication'...
[...]
Resolving deltas: 100% (66/66), done.
    • scan targets:
    $ cd *path_to_combobulator_folder*
$ python src/combobulator.py --type npm --directory ~/Downloads/vulnerable-app/
  ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
 |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
 | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
 | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
 |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
   ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
  / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
 | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
 | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
  \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
[PROC] Arguments parsed.
[PROC] Package list imported....  ['body-parser', 'cookie-parser', 'express', 'morgan', 'serve-favicon', dict_keys(['browser-sync', 'chai', 'chai-as-promised', 'chalk', 'dateformat', 'debug', 'del', 'glob', 'gulp', 'gulp-angular-templatecache', 'gulp-autoprefixer', 'gulp-bump', 'gulp-bytediff', 'gulp-concat', 'gulp-filter', 'gulp-header', 'gulp-if', 'gulp-imagemin', 'gulp-inject', 'gulp-jscs', 'gulp-jshint', 'gulp-less', 'gulp-load-plugins', 'gulp-minify-css', 'gulp-minify-html', 'gulp-ng-annotate', 'gulp-nodemon', 'gulp-order', 'gulp-plumber', 'gulp-print', 'gulp-rev', 'gulp-rev-replace', 'gulp-sourcemaps', 'gulp-task-listing', 'gulp-uglify', 'gulp-useref', 'gulp-util', 'jshint-stylish', 'karma', 'karma-chai', 'karma-chai-sinon', 'karma-chrome-launcher', 'karma-coverage', 'karma-firefox-launcher', 'karma-growl-reporter', 'karma-mocha', 'karma-phantomjs-launcher', 'karma-safari-launcher', 'karma-sinon', 'lodash', 'method-override', 'minimist', 'mocha', 'node-notifier', 'phantomjs-prebuilt', 'plato', 'q', 'sinon', 'sinon-chai', 'wiredep', 'yargs'])]
Traceback (most recent call last):
  File "combobulator/src/combobulator.py", line 195, in <module>
    main()
  File "combobulator/src/combobulator.py", line 173, in main
    metapkg(x, args.package_type)
  File "combobulator/src/metapackage.py", line 7, in __init__
    if len(pkgname.split(':')) == 2:
AttributeError: 'dict_keys' object has no attribute 'split'

$ python src/combobulator.py --type pypi --directory ~/Downloads/DSVW/
  ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
 |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
 | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
 | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
 |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
   ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
  / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
 | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
 | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
  \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
[PROC] Arguments parsed.
[ERROR]  Selected package type doesn't support import scan.

$ python src/combobulator.py --type maven --directory ~/Downloads/VulnerableJavaWebApplication/
  ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
 |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
 | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
 | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
 |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
   ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
  / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
 | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
 | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
  \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
[PROC] Arguments parsed.
[PROC] Package list imported....  ['org.springframework.boot:spring-boot-starter-web', 'org.apache.tomcat.embed:tomcat-embed-jasper', 'javax.servlet:jstl', 'org.springframework:spring-jdbc', 'com.h2database:h2']
[PROC] Maven checker engaged.
[ANALYSIS] Package:  spring-boot-starter-web   is present on public provider.
[ANALYSIS] Package:  tomcat-embed-jasper   is present on public provider.
[ANALYSIS] Package:  jstl   is present on public provider.
[ANALYSIS] Package:  spring-jdbc   is present on public provider.
[ANALYSIS] Package:  h2   is present on public provider.

    summary:

    Only java scan are stable. Please, fix it. Also, please, update a readme.md

    triage 
    opened by sv-atoslav 0
  • Introduce a keyword list to mark internal only package scheme

    Introduce a keyword list to mark internal only package scheme

    For dependency confusion use case - a keyword list option for marking risky packages that should follow a scheme for internal-facing only. That way - the user will be able to designate dependencies that are to be highlighted if found to be present on the public repo

    cc @rotemreiss

    enhancement 
    opened by moshe-apiiro 0
Releases(v1.0.0-rc1)
Owner
Apiiro
Apiiro
GitHub Repository
CVE-2021-22205& GitLab CE/EE RCE

Vuln Impact An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files tha

Al1ex 213 Dec 30, 2022
集成crawlergo、xray、dirsearch、nmap等工具的src漏洞挖掘工具,使用docker封装运行;

tools下有几个工具,所以项目文件比较大,如果下载总是中断的话建议拆开下载各个项目然后直接拷贝dockefile和recon.py即可 0x01 hscan介绍 hscan是什么 hscan是一款旨在使用一条命令替代渗透前的多条扫描命令,通过集成crawlergo扫描和xray扫描、dirsear

102 Jan 04, 2023
NS-LOOKUP - A python script for scanning website for getting ip address of a website

NS-LOOKUP A python script for scanning website for getting ip address of a websi

Spider Anongreyhat 5 Aug 02, 2022
Send CVE information to the specified mailbox (from Github)

Send CVE information to the specified mailbox (from Github)

91 Nov 08, 2022
cve-2021-21985 exploit

cve-2021-21985 exploit 0x01 漏洞点 分析可见: https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=home#rapid7-analysis 0x02 exploit 对beans对象进行重新构

xnianq 105 Nov 22, 2022
🍉一款基于Python-Django的多功能Web安全渗透测试工具,包含漏洞扫描,端口扫描,指纹识别,目录扫描,旁站扫描,域名扫描等功能。

Sec-Tools 项目介绍 系统简介 本项目命名为Sec-Tools,是一款基于 Python-Django 的在线多功能 Web 应用渗透测试系统,包含漏洞检测、目录识别、端口扫描、指纹识别、域名探测、旁站探测、信息泄露检测等功能。本系统通过旁站探测和域名探测功能对待检测网站进行资产收集,通过端

简简 300 Jan 07, 2023
the metasploit script(POC) about CVE-2021-36260

CVE-2021-36260-metasploit the metasploit script(POC) about CVE-2021-36260. A command injection vulnerability in the web server of some Hikvision produ

Taroballz 14 Nov 09, 2022
POC of CVE-2021-26084, which is Atlassian Confluence Server OGNL Pre-Auth RCE Injection Vulneralibity.

CVE-2021-26084 Description POC of CVE-2021-26084, which is Atlassian Confluence Server OGNL(Object-Graph Navigation Language) Pre-Auth RCE Injection V

antx 9 Aug 31, 2022
Password list generator for password spraying - prebaked with goodies

Generates permutations of Months, Seasons, Years, Sports Teams (NFL, NBA, MLB, NHL), Sports Scores, "Password", and even Iterable Keyspaces of a specified size.

Casey Erdmann 65 Dec 22, 2022
Python-based proof-of-concept tool for generating payloads that utilize unsafe Java object deserialization.

Python-based proof-of-concept tool for generating payloads that utilize unsafe Java object deserialization.

Astro 9 Sep 27, 2022
A brute Force tool for Facebook

EliBruter A brute Force tool for Facebook Installing this tool -- $ pkg upgrade && update $ pkg install python $ pkg install python3 $ pkg install gi

Eli Hacks 3 Mar 29, 2022
hackinsta: a program to hack instagram

hackinsta a program to hack instagram Yokoback_(instahack) is the file to open, you need libraries write on import. You run that file in the same fold

1 Dec 04, 2021
macOS persistence tool

PoisonApple Command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cy

Cyborg Security, Inc 212 Dec 29, 2022
Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io

Cowrie Welcome to the Cowrie GitHub repository This is the official repository for the Cowrie SSH and Telnet Honeypot effort. What is Cowrie Cowrie is

Cowrie 4.1k Jan 09, 2023
Log4j vuln fuzz/scan with python

Log4jFuzz log4j vuln fuzz/scan USE // it's use localhost udp server to check target vuln. python3 log4jFuzz.py [option] optional arguments: -u URL,

VVzv 3 Dec 22, 2021
Official repository for Pyew.

pyew Pyew is a (command line) python tool to analyse malware. It does have support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE

Joxean 362 Nov 28, 2022
A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target.

A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regardin

Cycurity 39 Dec 10, 2022
windows电脑查看全部连接过的WiFi密码

python WIFI历史密码查看器 WIFI密码查看器 原理 win+R,输入cmd打开命令行窗口 #这个命令可以列出你所有连接过的wifi netsh wlan show profiles #替换你要查找的WiFi名称,就可以显示出这个wifi的所有信息,包括密码 netsh wlan show

GMYXDS 15 Dec 22, 2022
Just another script for automatize boolean-based blind SQL injections.

SQL Blind Injection Tool A script for automatize boolean-based blind SQL injections. Works with SQLite at least, supports using cookies. It uses bitwi

RIM 51 Dec 15, 2022
Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.

The Recon-ng Framework Recon-ng content now available on Pluralsight! Recon-ng is a full-featured reconnaissance framework designed with the goal of p

2.4k Jan 07, 2023