Nexus Repository Manager dependency/namespace confusion checker
This repository contains a script to check if you have artifacts containing the same name between your repositories. This can be used to check if you're affected by a Dependency Confusion Attack
For example
npm-hosted has packages published with the @mycompany/[email protected]
npm-proxy has a package called @mycompany/[email protected]
This would be a match.
Requirements
- Python3
- NXRM3 OSS or PRO
Instructions
Step 1: Customise values in repo-diff.py
You'll need to modify the script to include
- Auth creds or tokens from your NXRM3.
- URL to your Nexus
- Repositories to compare in REPOS. e.g. to compare ruby and npm hosted to their proxies
REPOS = {
# hosted: proxy
"ruby-hosted": "ruby-proxy",
"npm-hosted": "npm-group-proxy"
}
You'll find examples of all in the script.
Step 2: Create new virtual environment
python3 -m venv my-venv
Step 3: Activate your virtual environment
Do this in your terminal or by using your favorite IDE
Windows
my-venv\Scripts\activate.bat
MacOs *NIX Linux
source my-venv/bin/activate
Step 4: Install dependencies
pip install -r requirements.txt
Step 5: Run script
To run the script simply type - results will be printed out to stdout and can be piped to a file for later use.
python3 repo-diff.py
15 Dec 23, 2022
3.6k Dec 30, 2022
1 Dec 10, 2021
0 Mar 28, 2022
1 Nov 10, 2021
3 Aug 15, 2022
123 Nov 09, 2022
1 Oct 25, 2021
1 Nov 23, 2021
12 Oct 15, 2022
11 May 22, 2022
9 Jun 10, 2022
1 Nov 19, 2021
119 Dec 27, 2022
3 Oct 03, 2022
163 Apr 01, 2022
1 Dec 07, 2021
423 Jan 02, 2023
84 Jan 01, 2023