Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks.

Overview

Dependency Combobulator

BHEU BADGE python maintained

Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks. This facilitates a holistic approach for ensuring secure application releases that can be evaluated against different sources (e.g., GitHub Packages, JFrog Artifactory) and many package management schemes (e.g., ndm, maven).

Intendend Audiances

The framework can be used by security auditors, pentesters and even baked into an enterprise's application security program and release cycle in an automated fashion.

Main features

  • Pluggable - interject on commit level, build, release steps in SDLC.
  • Expandable - easily add your own package management scheme or code source of choice
  • General-purpose Heuristic-Engine - an abstract package data model provides agnostic heuristic approach
  • Supporting wide range of technologies
  • Flexible - decision trees can be determined upon insights or verdicts provided by the toolkit

Easly exstensible

The project is putting practicionar's ability to extend and fit the toolkit to her own specific needs. As such, it is designed to be able to extend it to other sources, public registries, package management schemes and extending the abstract model and accompnaied heuristics engine.

Installation

Dependency Combobulator is ready to work with as it is - just git clone or download the package from https://github.com/apiiro/combobulator

Arguments (--help)

  -h, --help            show this help message and exit
  -t {npm,NuGet,maven}, --type {npm,NuGet,maven}
                        Package Manager Type, i.e: npm, NuGet, maven
  -l LIST_FROM_FILE, --load_list LIST_FROM_FILE
                        Load list of dependencies from a file
  -d FROM_SRC, --directory FROM_SRC
                        Extract dependencies from local source repository
  -p--package SINGLE    Name a single package.
  -c CSV, --csv CSV     Export packages properties onto CSV file
  -gh GITHUB_TOKEN, --github GITHUB_TOKEN
                        GitHub Access Token (Overrides .env file setting)
  -a {compare,comp,heuristics,heur}, --analysis {compare,comp,heuristics,heur}
                        Required analysis level - compare (comp), heuristics
                        (heur) (default: compare)

Apiiro 
   
     Community

   

Supported package types (-t, --t): npm, maven

Supported source dependency assessment:

  • From file containing the dependency identifiers line-by-line. (-l, --load_list)
  • By analyzing the appropriate repo's software bill-of-materials (e.g. package.json, pom.xml) (-d, --directory)
  • Naming a single identifier (-p, --package)

Analysis level is customizable as you can build your own preferred analysis profile in seconds. Dependency Combobulator does come with several analysis levels out-of-the-box, selected by -a, --analysis

Supported output format:

  • Screen stdout (default)
  • CSV export to designated file -(-CSV)

Usage examples

usage-maven.mp4

Credits

The project is maintained and sponsored by Apiiro with 💜

We honor great developers & AppSec practitioners with a passion for change 🙏

Comments
  • installation failed using Python 3.10.4 at Ubuntu 22.04

    installation failed using Python 3.10.4 at Ubuntu 22.04

    System and Python versions

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 22.04 LTS
    Release:	22.04
    Codename:	jammy
    $ python3 --version
    Python 3.10.4
    

    Installation: (steps for reproduce)

    $ git clone https://github.com/apiiro/combobulator
    Cloning into 'combobulator'...
    remote: Enumerating objects: 85, done.
    remote: Counting objects: 100% (85/85), done.
    remote: Compressing objects: 100% (72/72), done.
    remote: Total 85 (delta 34), reused 46 (delta 11), pack-reused 0
    Receiving objects: 100% (85/85), 213.21 KiB | 2.11 MiB/s, done.
    Resolving deltas: 100% (34/34), done.
    $ cd combobulator/
    $ virtualenv venv
    created virtual environment CPython3.10.4.final.0-64 in 419ms
    $ source venv/bin/activate
    $ pip install -r requirements.txt
    Collecting requests==2.12.1
      Using cached requests-2.12.1-py2.py3-none-any.whl (574 kB)
    Collecting gql==2.0.0
      Using cached gql-2.0.0-py2.py3-none-any.whl (10 kB)
    Collecting python-dotenv==0.19.2
      Using cached python_dotenv-0.19.2-py2.py3-none-any.whl (17 kB)
    Collecting six>=1.10.0
      Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
    Collecting promise<3,>=2.3
      Using cached promise-2.3-py3-none-any.whl
    Collecting graphql-core<3,>=2.3.2
      Using cached graphql_core-2.3.2-py2.py3-none-any.whl (252 kB)
    Collecting rx<2,>=1.6
      Using cached Rx-1.6.1-py2.py3-none-any.whl (179 kB)
    Installing collected packages: rx, requests, six, python-dotenv, promise, graphql-core, gql
    Successfully installed gql-2.0.0 graphql-core-2.3.2 promise-2.3 python-dotenv-0.19.2 requests-2.12.1 rx-1.6.1 six-1.16.0
    $ combobulator --help
    combobulator: command not found
    

    I can't run combobulator directly, I must search python file for this.

    $  find ../combobulator/ -iname combobulato*
    ../combobulator/
    ../combobulator/src/combobulator.py
    $ python src/combobulator.py --help
    Traceback (most recent call last):
      File "combobulator/venv/lib/python3.10/site-packages/requests/packages/urllib3/_collections.py", line 2, in <module>
        from collections import Mapping, MutableMapping
    ImportError: cannot import name 'Mapping' from 'collections' (/usr/lib/python3.10/collections/__init__.py)
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "combobulator/venv/lib/python3.10/site-packages/requests/packages/__init__.py", line 29, in <module>
        import urllib3
    ModuleNotFoundError: No module named 'urllib3'
    

    module urllib3 used, but missed at reqirements. So i install it manually

    $ pip install urllib3
    Successfully installed urllib3-1.26.9
    

    try launch script again

    $ python src/combobulator.py --help
    Traceback (most recent call last):
      File "temp_for_tool/combobulator/src/combobulator.py", line 7, in <module>
        import registry.npm as npm
      File "temp_for_tool/combobulator/src/registry/npm.py", line 2, in <module>
        import requests
      File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/__init__.py", line 63, in <module>
        from . import utils
      File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/utils.py", line 29, in <module>
        from .cookies import RequestsCookieJar, cookiejar_from_dict
      File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/cookies.py", line 174, in <module>
        class RequestsCookieJar(cookielib.CookieJar, collections.MutableMapping):
    AttributeError: module 'collections' has no attribute 'MutableMapping'
    
    bug 
    opened by sv-atoslav 2
  • getting issue no module named dotenv in cli following cmds run in readme.md video

    getting issue no module named dotenv in cli following cmds run in readme.md video

    [email protected]:~/git/combobulator/src
    04:29 PM (main=) $ python3 ./combobulator.py --help
    Traceback (most recent call last):
      File "/.../combobulator/src/./combobulator.py", line 3, in <module>
        from dotenv import load_dotenv
    ModuleNotFoundError: No module named 'dotenv'
    
    
    
    documentation 
    opened by noahehall 2
  • Circular dependency conflict on installation

    Circular dependency conflict on installation

    requirements.txt specifies a pinned version of requests as a dependency requests==2.11.1 however it also calls for gql. gql 2.0.0 has it's own dependency on a higher version of requests requests<3,>=2.12 ![dependency conflict example](https://user-images.githubusercontent.com/47631344/148214910-fb884a6d-d9e4-4e6a-a971-3b7b0d198d5c.png)

    invalid 
    opened by JennyCide 1
  • Safer dependencies collector

    Safer dependencies collector

    some improvements such as using path.join, fix scan source dev and peer dependencies were not analyzed

    related to https://github.com/apiiro/combobulator/issues/21

    opened by efratas 0
  • failed when try launch scan

    failed when try launch scan

    System and Python versions

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 22.04 LTS
    Release:	22.04
    Codename:	jammy
    $ python3 --version
    Python 3.10.4
    

    steps to reproduse:

    $ cd ~/Downloads
    $ git clone https://github.com/clarkio/vulnerable-app.git
    Cloning into 'vulnerable-app'...
    [...]
    Resolving deltas: 100% (237/237), done.
    $ git clone https://github.com/stamparm/DSVW.git
    Cloning into 'DSVW'...
    [...]
    Resolving deltas: 100% (68/68), done.
    $ git clone https://github.com/rafaelrpinto/VulnerableJavaWebApplication
    Cloning into 'VulnerableJavaWebApplication'...
    [...]
    Resolving deltas: 100% (66/66), done.
    
    • scan targets:
    $ cd *path_to_combobulator_folder*
    $ python src/combobulator.py --type npm --directory ~/Downloads/vulnerable-app/
      ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
     |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
     | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
     | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
     |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
       ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
      / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
     | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
     | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
      \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
    [PROC] Arguments parsed.
    [PROC] Package list imported....  ['body-parser', 'cookie-parser', 'express', 'morgan', 'serve-favicon', dict_keys(['browser-sync', 'chai', 'chai-as-promised', 'chalk', 'dateformat', 'debug', 'del', 'glob', 'gulp', 'gulp-angular-templatecache', 'gulp-autoprefixer', 'gulp-bump', 'gulp-bytediff', 'gulp-concat', 'gulp-filter', 'gulp-header', 'gulp-if', 'gulp-imagemin', 'gulp-inject', 'gulp-jscs', 'gulp-jshint', 'gulp-less', 'gulp-load-plugins', 'gulp-minify-css', 'gulp-minify-html', 'gulp-ng-annotate', 'gulp-nodemon', 'gulp-order', 'gulp-plumber', 'gulp-print', 'gulp-rev', 'gulp-rev-replace', 'gulp-sourcemaps', 'gulp-task-listing', 'gulp-uglify', 'gulp-useref', 'gulp-util', 'jshint-stylish', 'karma', 'karma-chai', 'karma-chai-sinon', 'karma-chrome-launcher', 'karma-coverage', 'karma-firefox-launcher', 'karma-growl-reporter', 'karma-mocha', 'karma-phantomjs-launcher', 'karma-safari-launcher', 'karma-sinon', 'lodash', 'method-override', 'minimist', 'mocha', 'node-notifier', 'phantomjs-prebuilt', 'plato', 'q', 'sinon', 'sinon-chai', 'wiredep', 'yargs'])]
    Traceback (most recent call last):
      File "combobulator/src/combobulator.py", line 195, in <module>
        main()
      File "combobulator/src/combobulator.py", line 173, in main
        metapkg(x, args.package_type)
      File "combobulator/src/metapackage.py", line 7, in __init__
        if len(pkgname.split(':')) == 2:
    AttributeError: 'dict_keys' object has no attribute 'split'
    
    $ python src/combobulator.py --type pypi --directory ~/Downloads/DSVW/
      ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
     |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
     | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
     | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
     |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
       ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
      / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
     | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
     | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
      \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
    [PROC] Arguments parsed.
    [ERROR]  Selected package type doesn't support import scan.
    
    $ python src/combobulator.py --type maven --directory ~/Downloads/VulnerableJavaWebApplication/
      ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
     |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
     | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
     | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
     |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
       ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
      / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
     | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
     | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
      \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
    [PROC] Arguments parsed.
    [PROC] Package list imported....  ['org.springframework.boot:spring-boot-starter-web', 'org.apache.tomcat.embed:tomcat-embed-jasper', 'javax.servlet:jstl', 'org.springframework:spring-jdbc', 'com.h2database:h2']
    [PROC] Maven checker engaged.
    [ANALYSIS] Package:  spring-boot-starter-web   is present on public provider.
    [ANALYSIS] Package:  tomcat-embed-jasper   is present on public provider.
    [ANALYSIS] Package:  jstl   is present on public provider.
    [ANALYSIS] Package:  spring-jdbc   is present on public provider.
    [ANALYSIS] Package:  h2   is present on public provider.
    

    summary:

    Only java scan are stable. Please, fix it. Also, please, update a readme.md

    triage 
    opened by sv-atoslav 0
  • Introduce a keyword list to mark internal only package scheme

    Introduce a keyword list to mark internal only package scheme

    For dependency confusion use case - a keyword list option for marking risky packages that should follow a scheme for internal-facing only. That way - the user will be able to designate dependencies that are to be highlighted if found to be present on the public repo

    cc @rotemreiss

    enhancement 
    opened by moshe-apiiro 0
Releases(v1.0.0-rc1)
Owner
Apiiro
Apiiro
This enforces signatures for CVE-2021-44228 across all policies on a BIG-IP ASM device

f5-waf-enforce-sigs-CVE-2021-44228 This enforces signatures for CVE-2021-44228 across all policies on a BIG-IP ASM device Overview This script enforce

Ismael Gonçalves 5 Mar 31, 2022
This program will brute force any Instagram account you send it its way given a list of proxies.

Instagram Bruter This program will brute force any Instagram account you send it its way given a list of proxies. NOTICE I'm no longer maintaining thi

1 Nov 15, 2021
Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

log4j-honeypot-flask Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228 This can be

Binary Defense 144 Nov 19, 2022
On the 11/11/21 the apache 2.4.49-2.4.50 remote command execution POC has been published online and this is a loader so that you can mass exploit servers using this.

ApacheRCE ApacheRCE is a small little python script that will allow you to input the apache version 2.4.49-2.4.50 and then input a list of ip addresse

3 Dec 04, 2022
A dynamic multi-STL, multi-process OpenSCAD build system with autoplating support

scad-build This is a multi-STL OpenSCAD build system based around GNU make. It supports dynamic build targets, intelligent previews with user-defined

Jordan Mulcahey 1 Dec 21, 2021
Just another script for automatize boolean-based blind SQL injections.

SQL Blind Injection Tool A script for automatize boolean-based blind SQL injections. Works with SQLite at least, supports using cookies. It uses bitwi

RIM 51 Dec 15, 2022
Format SSSD Raw Kerberos Payloads into CCACHE files for use on Windows systems

KCMTicketFormatter This tools takes the output from https://github.com/fireeye/SSSDKCMExtractor and turns it into properly formatted CCACHE files for

Black Lantern Security 35 Oct 25, 2022
PrivateRoom - Make your work private by building a system using arduino which instantly kills a program when someone enters your room/cabin

privateRoom Make your work private by building a system using arduino which instantly kills a program when someone enters your room/cabin STEPS: Uploa

Divyanshu Kumar 3 Nov 08, 2022
CVE-2021-21972

CVE-2021-21972 % python3 /tmp/CVE_2021_21972.py -i /tmp/urls.txt -n 8 -e [*] Creating tmp.tar containing ../../../../../home/vsphere-ui/.ssh/authoriz

Keith Lee 30 Nov 19, 2022
A semi-automatic osint/recon framework.

Smog Framework A semi-automatic osint/recon framework. Requirements git Python = 3.8 How to use it

toast 22 Oct 17, 2022
Um keylogger que se disfarça de um app que tira print da tela.

Keylogger_ Um keylogger que se disfarça de um app que tira print da tela. Este programa captura o print da tela e salva ,normalmente, na pasta Picture

Marcus Vinícius Ribeiro Andrade 1 Dec 03, 2021
Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr

Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr 64bit2key.py

Stefan Marsiske 15 Nov 26, 2022
A Burp Pro extension that adds log4shell checks to Burp Scanner

scan4log4shell A Burp Pro extension that adds log4shell checks to Burp Scanner, written by Daniel Crowley of IBM X-Force Red. Installation To install

X-Force Red 26 Mar 15, 2022
💣 Bomb Crypto Bot 💣

💣 Bomb Crypto Bot 💣 ⚠️ Warning I am not responsible for any penalties incurred by those who use the bot, use it at your own risk. 📄 Documentation -

Matheus Benites 4 Apr 27, 2022
TCP/UDP port scanner on python, usong scapy and multiprocessin

Port Scanner TCP/UDP port scanner on python, usong scapy and multiprocessing. Usage python3 scanner.py [OPTIONS] IP_ADDRESS [{tcp|udp}[/[PORT|PORT-POR

Egor Krokhin 1 Dec 05, 2021
All in One CRACKER911181's Tool. This Tool For Hacking and Pentesting.🎭

This is A Python & Bash Programming Based Termux-Tool Created By CRACKER911181. This Tool Created For Hacking and Pentesting. If You Use This Tool To Evil Purpose,The Owner Will Never be Responsible

CRACKER911181 1 Jan 10, 2022
Mass Shortlink Bypass Merupakan Tools Yang Akan Bypass Shortlink Ke Tujuan Asli, Dibuat Dengan Python 3

Shortlink-Bypass Mass Shortlink Bypass Merupakan Tools Yang Akan Bypass Shortlink Ke Tujuan Asli, Dibuat Dengan Python 3 Support Shortlink tii.ai/tei.

Wan Naz ID 6 Oct 24, 2022
Phoenix Framework is an environment for writing, testing and using exploit code.

Phoenix-Framework Phoenix Framework is an environment for writing, testing and using exploit code. 🖼 Screenshots 🎪 Community PwnWiki Forums 🔑 Licen

Felix 42 Aug 09, 2022
A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence of a file

A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence o

2 Nov 09, 2022
ADExplorerSnapshot.py is an AD Explorer snapshot ingestor for BloodHound.

ADExplorerSnapshot.py ADExplorerSnapshot.py is an AD Explorer snapshot ingestor for BloodHound. AD Explorer allows you to connect to a DC and browse L

576 Dec 23, 2022