Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks.

Related tags

Security related resourcescombobulator
Overview

Dependency Combobulator

BHEU BADGE python maintained

Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks. This facilitates a holistic approach for ensuring secure application releases that can be evaluated against different sources (e.g., GitHub Packages, JFrog Artifactory) and many package management schemes (e.g., ndm, maven).

Intendend Audiances

The framework can be used by security auditors, pentesters and even baked into an enterprise's application security program and release cycle in an automated fashion.

Main features

  • Pluggable - interject on commit level, build, release steps in SDLC.
  • Expandable - easily add your own package management scheme or code source of choice
  • General-purpose Heuristic-Engine - an abstract package data model provides agnostic heuristic approach
  • Supporting wide range of technologies
  • Flexible - decision trees can be determined upon insights or verdicts provided by the toolkit

Easly exstensible

The project is putting practicionar's ability to extend and fit the toolkit to her own specific needs. As such, it is designed to be able to extend it to other sources, public registries, package management schemes and extending the abstract model and accompnaied heuristics engine.

Installation

Dependency Combobulator is ready to work with as it is - just git clone or download the package from https://github.com/apiiro/combobulator

Arguments (--help)

  -h, --help            show this help message and exit
  -t {npm,NuGet,maven}, --type {npm,NuGet,maven}
                        Package Manager Type, i.e: npm, NuGet, maven
  -l LIST_FROM_FILE, --load_list LIST_FROM_FILE
                        Load list of dependencies from a file
  -d FROM_SRC, --directory FROM_SRC
                        Extract dependencies from local source repository
  -p--package SINGLE    Name a single package.
  -c CSV, --csv CSV     Export packages properties onto CSV file
  -gh GITHUB_TOKEN, --github GITHUB_TOKEN
                        GitHub Access Token (Overrides .env file setting)
  -a {compare,comp,heuristics,heur}, --analysis {compare,comp,heuristics,heur}
                        Required analysis level - compare (comp), heuristics
                        (heur) (default: compare)

Apiiro 
   
     Community

Supported package types (-t, --t): npm, maven

Supported source dependency assessment:

  • From file containing the dependency identifiers line-by-line. (-l, --load_list)
  • By analyzing the appropriate repo's software bill-of-materials (e.g. package.json, pom.xml) (-d, --directory)
  • Naming a single identifier (-p, --package)

Analysis level is customizable as you can build your own preferred analysis profile in seconds. Dependency Combobulator does come with several analysis levels out-of-the-box, selected by -a, --analysis

Supported output format:

  • Screen stdout (default)
  • CSV export to designated file -(-CSV)

Usage examples

usage-maven.mp4

Credits

The project is maintained and sponsored by Apiiro with 💜

We honor great developers & AppSec practitioners with a passion for change 🙏

Comments
  • installation failed using Python 3.10.4 at Ubuntu 22.04

    installation failed using Python 3.10.4 at Ubuntu 22.04

    System and Python versions

    $ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04 LTS
Release:	22.04
Codename:	jammy
$ python3 --version
Python 3.10.4

    Installation: (steps for reproduce)

    $ git clone https://github.com/apiiro/combobulator
Cloning into 'combobulator'...
remote: Enumerating objects: 85, done.
remote: Counting objects: 100% (85/85), done.
remote: Compressing objects: 100% (72/72), done.
remote: Total 85 (delta 34), reused 46 (delta 11), pack-reused 0
Receiving objects: 100% (85/85), 213.21 KiB | 2.11 MiB/s, done.
Resolving deltas: 100% (34/34), done.
$ cd combobulator/
$ virtualenv venv
created virtual environment CPython3.10.4.final.0-64 in 419ms
$ source venv/bin/activate
$ pip install -r requirements.txt
Collecting requests==2.12.1
  Using cached requests-2.12.1-py2.py3-none-any.whl (574 kB)
Collecting gql==2.0.0
  Using cached gql-2.0.0-py2.py3-none-any.whl (10 kB)
Collecting python-dotenv==0.19.2
  Using cached python_dotenv-0.19.2-py2.py3-none-any.whl (17 kB)
Collecting six>=1.10.0
  Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting promise<3,>=2.3
  Using cached promise-2.3-py3-none-any.whl
Collecting graphql-core<3,>=2.3.2
  Using cached graphql_core-2.3.2-py2.py3-none-any.whl (252 kB)
Collecting rx<2,>=1.6
  Using cached Rx-1.6.1-py2.py3-none-any.whl (179 kB)
Installing collected packages: rx, requests, six, python-dotenv, promise, graphql-core, gql
Successfully installed gql-2.0.0 graphql-core-2.3.2 promise-2.3 python-dotenv-0.19.2 requests-2.12.1 rx-1.6.1 six-1.16.0
$ combobulator --help
combobulator: command not found

    I can't run combobulator directly, I must search python file for this.

    $  find ../combobulator/ -iname combobulato*
../combobulator/
../combobulator/src/combobulator.py
$ python src/combobulator.py --help
Traceback (most recent call last):
  File "combobulator/venv/lib/python3.10/site-packages/requests/packages/urllib3/_collections.py", line 2, in <module>
    from collections import Mapping, MutableMapping
ImportError: cannot import name 'Mapping' from 'collections' (/usr/lib/python3.10/collections/__init__.py)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "combobulator/venv/lib/python3.10/site-packages/requests/packages/__init__.py", line 29, in <module>
    import urllib3
ModuleNotFoundError: No module named 'urllib3'

    module urllib3 used, but missed at reqirements. So i install it manually

    $ pip install urllib3
Successfully installed urllib3-1.26.9

    try launch script again

    $ python src/combobulator.py --help
Traceback (most recent call last):
  File "temp_for_tool/combobulator/src/combobulator.py", line 7, in <module>
    import registry.npm as npm
  File "temp_for_tool/combobulator/src/registry/npm.py", line 2, in <module>
    import requests
  File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/__init__.py", line 63, in <module>
    from . import utils
  File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/utils.py", line 29, in <module>
    from .cookies import RequestsCookieJar, cookiejar_from_dict
  File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/cookies.py", line 174, in <module>
    class RequestsCookieJar(cookielib.CookieJar, collections.MutableMapping):
AttributeError: module 'collections' has no attribute 'MutableMapping'
    bug 
    opened by sv-atoslav 2
  • getting issue no module named dotenv in cli following cmds run in readme.md video

    getting issue no module named dotenv in cli following cmds run in readme.md video 

    [email protected]:~/git/combobulator/src
04:29 PM (main=) $ python3 ./combobulator.py --help
Traceback (most recent call last):
  File "/.../combobulator/src/./combobulator.py", line 3, in <module>
    from dotenv import load_dotenv
ModuleNotFoundError: No module named 'dotenv'
    documentation 
    opened by noahehall 2
  • Circular dependency conflict on installation

    Circular dependency conflict on installation

    requirements.txt specifies a pinned version of requests as a dependency requests==2.11.1 however it also calls for gql. gql 2.0.0 has it's own dependency on a higher version of requests requests<3,>=2.12 ![dependency conflict example](https://user-images.githubusercontent.com/47631344/148214910-fb884a6d-d9e4-4e6a-a971-3b7b0d198d5c.png)

    invalid 
    opened by JennyCide 1
  • Safer dependencies collector

    Safer dependencies collector

    some improvements such as using path.join, fix scan source dev and peer dependencies were not analyzed

    related to https://github.com/apiiro/combobulator/issues/21

    opened by efratas 0
  • failed when try launch scan

    failed when try launch scan

    System and Python versions

    $ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04 LTS
Release:	22.04
Codename:	jammy
$ python3 --version
Python 3.10.4

    steps to reproduse:

    $ cd ~/Downloads
$ git clone https://github.com/clarkio/vulnerable-app.git
Cloning into 'vulnerable-app'...
[...]
Resolving deltas: 100% (237/237), done.
$ git clone https://github.com/stamparm/DSVW.git
Cloning into 'DSVW'...
[...]
Resolving deltas: 100% (68/68), done.
$ git clone https://github.com/rafaelrpinto/VulnerableJavaWebApplication
Cloning into 'VulnerableJavaWebApplication'...
[...]
Resolving deltas: 100% (66/66), done.
    • scan targets:
    $ cd *path_to_combobulator_folder*
$ python src/combobulator.py --type npm --directory ~/Downloads/vulnerable-app/
  ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
 |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
 | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
 | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
 |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
   ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
  / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
 | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
 | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
  \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
[PROC] Arguments parsed.
[PROC] Package list imported....  ['body-parser', 'cookie-parser', 'express', 'morgan', 'serve-favicon', dict_keys(['browser-sync', 'chai', 'chai-as-promised', 'chalk', 'dateformat', 'debug', 'del', 'glob', 'gulp', 'gulp-angular-templatecache', 'gulp-autoprefixer', 'gulp-bump', 'gulp-bytediff', 'gulp-concat', 'gulp-filter', 'gulp-header', 'gulp-if', 'gulp-imagemin', 'gulp-inject', 'gulp-jscs', 'gulp-jshint', 'gulp-less', 'gulp-load-plugins', 'gulp-minify-css', 'gulp-minify-html', 'gulp-ng-annotate', 'gulp-nodemon', 'gulp-order', 'gulp-plumber', 'gulp-print', 'gulp-rev', 'gulp-rev-replace', 'gulp-sourcemaps', 'gulp-task-listing', 'gulp-uglify', 'gulp-useref', 'gulp-util', 'jshint-stylish', 'karma', 'karma-chai', 'karma-chai-sinon', 'karma-chrome-launcher', 'karma-coverage', 'karma-firefox-launcher', 'karma-growl-reporter', 'karma-mocha', 'karma-phantomjs-launcher', 'karma-safari-launcher', 'karma-sinon', 'lodash', 'method-override', 'minimist', 'mocha', 'node-notifier', 'phantomjs-prebuilt', 'plato', 'q', 'sinon', 'sinon-chai', 'wiredep', 'yargs'])]
Traceback (most recent call last):
  File "combobulator/src/combobulator.py", line 195, in <module>
    main()
  File "combobulator/src/combobulator.py", line 173, in main
    metapkg(x, args.package_type)
  File "combobulator/src/metapackage.py", line 7, in __init__
    if len(pkgname.split(':')) == 2:
AttributeError: 'dict_keys' object has no attribute 'split'

$ python src/combobulator.py --type pypi --directory ~/Downloads/DSVW/
  ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
 |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
 | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
 | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
 |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
   ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
  / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
 | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
 | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
  \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
[PROC] Arguments parsed.
[ERROR]  Selected package type doesn't support import scan.

$ python src/combobulator.py --type maven --directory ~/Downloads/VulnerableJavaWebApplication/
  ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
 |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
 | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
 | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
 |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
   ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
  / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
 | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
 | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
  \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
[PROC] Arguments parsed.
[PROC] Package list imported....  ['org.springframework.boot:spring-boot-starter-web', 'org.apache.tomcat.embed:tomcat-embed-jasper', 'javax.servlet:jstl', 'org.springframework:spring-jdbc', 'com.h2database:h2']
[PROC] Maven checker engaged.
[ANALYSIS] Package:  spring-boot-starter-web   is present on public provider.
[ANALYSIS] Package:  tomcat-embed-jasper   is present on public provider.
[ANALYSIS] Package:  jstl   is present on public provider.
[ANALYSIS] Package:  spring-jdbc   is present on public provider.
[ANALYSIS] Package:  h2   is present on public provider.

    summary:

    Only java scan are stable. Please, fix it. Also, please, update a readme.md

    triage 
    opened by sv-atoslav 0
  • Introduce a keyword list to mark internal only package scheme

    Introduce a keyword list to mark internal only package scheme

    For dependency confusion use case - a keyword list option for marking risky packages that should follow a scheme for internal-facing only. That way - the user will be able to designate dependencies that are to be highlighted if found to be present on the public repo

    cc @rotemreiss

    enhancement 
    opened by moshe-apiiro 0
Releases(v1.0.0-rc1)
Owner
Apiiro
Apiiro
GitHub Repository
SQLi Google Dork Scanner (new version)

XGDork² - ViraX Google Dork Scanner SQLi Google Dork Scanner by ViraX @ 2021 for Python 2.7 - compatible Android(NoRoot) - Termux A simple 'naive' pyt

8 Dec 20, 2022
Fuzzercorn - Bring libfuzzer to Unicorn

Fuzzercorn libfuzzer bindings for Unicorn. API // The main entry point of the fu

lazymio 23 Nov 17, 2022
Fast and easy way to rollout on multiple GitLab project file a particular content.

Volatile Fast and easy way to rollout on multiple GitLab project file a particular content. Why ? After looking for a tool to simply enforce a develop

Lujeni 4 Jan 17, 2022
NoSecerets is a python script that is designed to crack hashes extremely fast. Faster even than Hashcat

NoSecerets NoSecerets is a python script that is designed to crack hashes extremely fast. Faster even than Hashcat How does it work? Instead of taking

DosentTrust GithubDatabase 9 Jul 04, 2022
All in One CRACKER911181's Tool. This Tool For Hacking and Pentesting. 🎭

All in One CRACKER911181's Tool. This Tool For Hacking and Pentesting. 🎭

Cracker 331 Jan 01, 2023
StarUML cracker - StarUML cracker With Python

StarUML_cracker Usage On Linux Clone the repo. git clone https://github.com/mana

Bibek Manandhar 9 Jun 20, 2022
HTTP security headers for Flask

Talisman: HTTP security headers for Flask Talisman is a small Flask extension that handles setting HTTP headers that can help protect against a few co

Google Cloud Platform 854 Dec 30, 2022
A python script written for lazy people to hack their school systen ;D

F-ck-the-system A python script written for lazy people to hack their school systen ;D Python voice notes writer This is a python script to record you

Sachit 2 Jan 09, 2022
Having a weak password is not good for a system that demands high confidentiality and security of user credentials

Having a weak password is not good for a system that demands high confidentiality and security of user credentials. It turns out that people find it difficult to make up a strong password that is str

PyLaboratory 0 Feb 07, 2022
Add a Web Server based on Rogue Mysql Server to allow remote user get

介绍 对于需要使用 Rogue Mysql Server 的漏洞来说,若想批量检测这种漏洞的话需要自备一个服务器。并且我常用的Rogue Mysql Server 脚本 不支持动态更改读取文件名、不支持远程用户访问读取结果、不支持批量化检测网站。于是乎萌生了这个小脚本的想法 Rogue-MySql-

6 May 17, 2022
This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data.

Scrambler App This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data. It leverages encryption tools such as

Mystic 2 Aug 31, 2022
Apache Solr SSRF(CVE-2021-27905)

Solr-SSRF Apache Solr SSRF #Use [-] Apache Solr SSRF漏洞 (CVE-2021-27905) [-] Options: -h or --help : 方法说明 -u or --url

Henry4E36 70 Nov 09, 2022
For educational purposes only. (Uzbek Edition)

DISCLAIMER 💣 Ushbu skriptdagi materiallar bilan bog'liq har qanday xatti-harakatlar faqat sizning javobgarligingizdir. Ushbu skriptdagi ma'lumotlarda

Husniddin Murodov 1 Feb 12, 2022
Log4Shell RCE Exploit - fully independent exploit does not require any 3rd party binaries.

Log4Shell RCE Exploit fully independent exploit does not require any 3rd party binaries. The exploit spraying the payload to all possible logged HTTP

258 Jan 02, 2023
Malware for Discord, designed to steal passwords, tokens, and inject discord folders for long-term use.

Vital What is Vital? Vital is malware primarily used to collect and extract information from the Discord desktop client. While it has other features (

HellSec 59 Dec 01, 2022
Ingest GreyNoise.io malicious feed for CVE-2021-44228 and apply null routes

log4j-nullroute Quick script to ingest IP feed from greynoise.io for log4j (CVE-2021-44228) and null route bad addresses. Works w/Cisco IOS-XE and Ari

Ryan 5 Sep 12, 2022
This is a js front-end encryption blasting account and password tools

Author:0xAXSDD By Gamma安全实验室 version:1.0 explain:这是一款用户绕过前端js加密进行密码爆破的工具,你无需在意js加密的细节,只需要输入你想要爆破url,以及username输入框的classname,password输入框的clas

75 Nov 25, 2022
GDID (Google Dorks for Information Disclosure)

GDID (Google Dorks for Information Disclosure) Script made for your recon automation in Bug Bounty or Pentest. It will help you to find Information Di

Nischacid 5 Mar 10, 2022
Hack computer in the form of RAR files from all types of clients, even Linux

Program Features 📌 Hide malware 📌 Vulnerability software vulnerabilities RAR 📌 Creating malware 📌 Access client files 📌 Client Hacking 📌 Link Do

hack4lx 5 Nov 25, 2022
SARA - Simple Android Ransomware Attack

SARA - Simple Android Ransomware Attack Disclaimer The author is not responsible for any issues or damage caused by this program. Features User can cu

Termux Hackers 99 Jan 04, 2023