Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks.

Overview

Dependency Combobulator

BHEU BADGE python maintained

Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks. This facilitates a holistic approach for ensuring secure application releases that can be evaluated against different sources (e.g., GitHub Packages, JFrog Artifactory) and many package management schemes (e.g., ndm, maven).

Intendend Audiances

The framework can be used by security auditors, pentesters and even baked into an enterprise's application security program and release cycle in an automated fashion.

Main features

  • Pluggable - interject on commit level, build, release steps in SDLC.
  • Expandable - easily add your own package management scheme or code source of choice
  • General-purpose Heuristic-Engine - an abstract package data model provides agnostic heuristic approach
  • Supporting wide range of technologies
  • Flexible - decision trees can be determined upon insights or verdicts provided by the toolkit

Easly exstensible

The project is putting practicionar's ability to extend and fit the toolkit to her own specific needs. As such, it is designed to be able to extend it to other sources, public registries, package management schemes and extending the abstract model and accompnaied heuristics engine.

Installation

Dependency Combobulator is ready to work with as it is - just git clone or download the package from https://github.com/apiiro/combobulator

Arguments (--help)

  -h, --help            show this help message and exit
  -t {npm,NuGet,maven}, --type {npm,NuGet,maven}
                        Package Manager Type, i.e: npm, NuGet, maven
  -l LIST_FROM_FILE, --load_list LIST_FROM_FILE
                        Load list of dependencies from a file
  -d FROM_SRC, --directory FROM_SRC
                        Extract dependencies from local source repository
  -p--package SINGLE    Name a single package.
  -c CSV, --csv CSV     Export packages properties onto CSV file
  -gh GITHUB_TOKEN, --github GITHUB_TOKEN
                        GitHub Access Token (Overrides .env file setting)
  -a {compare,comp,heuristics,heur}, --analysis {compare,comp,heuristics,heur}
                        Required analysis level - compare (comp), heuristics
                        (heur) (default: compare)

Apiiro 
   
     Community

   

Supported package types (-t, --t): npm, maven

Supported source dependency assessment:

  • From file containing the dependency identifiers line-by-line. (-l, --load_list)
  • By analyzing the appropriate repo's software bill-of-materials (e.g. package.json, pom.xml) (-d, --directory)
  • Naming a single identifier (-p, --package)

Analysis level is customizable as you can build your own preferred analysis profile in seconds. Dependency Combobulator does come with several analysis levels out-of-the-box, selected by -a, --analysis

Supported output format:

  • Screen stdout (default)
  • CSV export to designated file -(-CSV)

Usage examples

usage-maven.mp4

Credits

The project is maintained and sponsored by Apiiro with 💜

We honor great developers & AppSec practitioners with a passion for change 🙏

Comments
  • installation failed using Python 3.10.4 at Ubuntu 22.04

    installation failed using Python 3.10.4 at Ubuntu 22.04

    System and Python versions

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 22.04 LTS
    Release:	22.04
    Codename:	jammy
    $ python3 --version
    Python 3.10.4
    

    Installation: (steps for reproduce)

    $ git clone https://github.com/apiiro/combobulator
    Cloning into 'combobulator'...
    remote: Enumerating objects: 85, done.
    remote: Counting objects: 100% (85/85), done.
    remote: Compressing objects: 100% (72/72), done.
    remote: Total 85 (delta 34), reused 46 (delta 11), pack-reused 0
    Receiving objects: 100% (85/85), 213.21 KiB | 2.11 MiB/s, done.
    Resolving deltas: 100% (34/34), done.
    $ cd combobulator/
    $ virtualenv venv
    created virtual environment CPython3.10.4.final.0-64 in 419ms
    $ source venv/bin/activate
    $ pip install -r requirements.txt
    Collecting requests==2.12.1
      Using cached requests-2.12.1-py2.py3-none-any.whl (574 kB)
    Collecting gql==2.0.0
      Using cached gql-2.0.0-py2.py3-none-any.whl (10 kB)
    Collecting python-dotenv==0.19.2
      Using cached python_dotenv-0.19.2-py2.py3-none-any.whl (17 kB)
    Collecting six>=1.10.0
      Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
    Collecting promise<3,>=2.3
      Using cached promise-2.3-py3-none-any.whl
    Collecting graphql-core<3,>=2.3.2
      Using cached graphql_core-2.3.2-py2.py3-none-any.whl (252 kB)
    Collecting rx<2,>=1.6
      Using cached Rx-1.6.1-py2.py3-none-any.whl (179 kB)
    Installing collected packages: rx, requests, six, python-dotenv, promise, graphql-core, gql
    Successfully installed gql-2.0.0 graphql-core-2.3.2 promise-2.3 python-dotenv-0.19.2 requests-2.12.1 rx-1.6.1 six-1.16.0
    $ combobulator --help
    combobulator: command not found
    

    I can't run combobulator directly, I must search python file for this.

    $  find ../combobulator/ -iname combobulato*
    ../combobulator/
    ../combobulator/src/combobulator.py
    $ python src/combobulator.py --help
    Traceback (most recent call last):
      File "combobulator/venv/lib/python3.10/site-packages/requests/packages/urllib3/_collections.py", line 2, in <module>
        from collections import Mapping, MutableMapping
    ImportError: cannot import name 'Mapping' from 'collections' (/usr/lib/python3.10/collections/__init__.py)
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "combobulator/venv/lib/python3.10/site-packages/requests/packages/__init__.py", line 29, in <module>
        import urllib3
    ModuleNotFoundError: No module named 'urllib3'
    

    module urllib3 used, but missed at reqirements. So i install it manually

    $ pip install urllib3
    Successfully installed urllib3-1.26.9
    

    try launch script again

    $ python src/combobulator.py --help
    Traceback (most recent call last):
      File "temp_for_tool/combobulator/src/combobulator.py", line 7, in <module>
        import registry.npm as npm
      File "temp_for_tool/combobulator/src/registry/npm.py", line 2, in <module>
        import requests
      File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/__init__.py", line 63, in <module>
        from . import utils
      File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/utils.py", line 29, in <module>
        from .cookies import RequestsCookieJar, cookiejar_from_dict
      File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/cookies.py", line 174, in <module>
        class RequestsCookieJar(cookielib.CookieJar, collections.MutableMapping):
    AttributeError: module 'collections' has no attribute 'MutableMapping'
    
    bug 
    opened by sv-atoslav 2
  • getting issue no module named dotenv in cli following cmds run in readme.md video

    getting issue no module named dotenv in cli following cmds run in readme.md video

    [email protected]:~/git/combobulator/src
    04:29 PM (main=) $ python3 ./combobulator.py --help
    Traceback (most recent call last):
      File "/.../combobulator/src/./combobulator.py", line 3, in <module>
        from dotenv import load_dotenv
    ModuleNotFoundError: No module named 'dotenv'
    
    
    
    documentation 
    opened by noahehall 2
  • Circular dependency conflict on installation

    Circular dependency conflict on installation

    requirements.txt specifies a pinned version of requests as a dependency requests==2.11.1 however it also calls for gql. gql 2.0.0 has it's own dependency on a higher version of requests requests<3,>=2.12 ![dependency conflict example](https://user-images.githubusercontent.com/47631344/148214910-fb884a6d-d9e4-4e6a-a971-3b7b0d198d5c.png)

    invalid 
    opened by JennyCide 1
  • Safer dependencies collector

    Safer dependencies collector

    some improvements such as using path.join, fix scan source dev and peer dependencies were not analyzed

    related to https://github.com/apiiro/combobulator/issues/21

    opened by efratas 0
  • failed when try launch scan

    failed when try launch scan

    System and Python versions

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 22.04 LTS
    Release:	22.04
    Codename:	jammy
    $ python3 --version
    Python 3.10.4
    

    steps to reproduse:

    $ cd ~/Downloads
    $ git clone https://github.com/clarkio/vulnerable-app.git
    Cloning into 'vulnerable-app'...
    [...]
    Resolving deltas: 100% (237/237), done.
    $ git clone https://github.com/stamparm/DSVW.git
    Cloning into 'DSVW'...
    [...]
    Resolving deltas: 100% (68/68), done.
    $ git clone https://github.com/rafaelrpinto/VulnerableJavaWebApplication
    Cloning into 'VulnerableJavaWebApplication'...
    [...]
    Resolving deltas: 100% (66/66), done.
    
    • scan targets:
    $ cd *path_to_combobulator_folder*
    $ python src/combobulator.py --type npm --directory ~/Downloads/vulnerable-app/
      ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
     |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
     | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
     | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
     |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
       ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
      / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
     | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
     | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
      \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
    [PROC] Arguments parsed.
    [PROC] Package list imported....  ['body-parser', 'cookie-parser', 'express', 'morgan', 'serve-favicon', dict_keys(['browser-sync', 'chai', 'chai-as-promised', 'chalk', 'dateformat', 'debug', 'del', 'glob', 'gulp', 'gulp-angular-templatecache', 'gulp-autoprefixer', 'gulp-bump', 'gulp-bytediff', 'gulp-concat', 'gulp-filter', 'gulp-header', 'gulp-if', 'gulp-imagemin', 'gulp-inject', 'gulp-jscs', 'gulp-jshint', 'gulp-less', 'gulp-load-plugins', 'gulp-minify-css', 'gulp-minify-html', 'gulp-ng-annotate', 'gulp-nodemon', 'gulp-order', 'gulp-plumber', 'gulp-print', 'gulp-rev', 'gulp-rev-replace', 'gulp-sourcemaps', 'gulp-task-listing', 'gulp-uglify', 'gulp-useref', 'gulp-util', 'jshint-stylish', 'karma', 'karma-chai', 'karma-chai-sinon', 'karma-chrome-launcher', 'karma-coverage', 'karma-firefox-launcher', 'karma-growl-reporter', 'karma-mocha', 'karma-phantomjs-launcher', 'karma-safari-launcher', 'karma-sinon', 'lodash', 'method-override', 'minimist', 'mocha', 'node-notifier', 'phantomjs-prebuilt', 'plato', 'q', 'sinon', 'sinon-chai', 'wiredep', 'yargs'])]
    Traceback (most recent call last):
      File "combobulator/src/combobulator.py", line 195, in <module>
        main()
      File "combobulator/src/combobulator.py", line 173, in main
        metapkg(x, args.package_type)
      File "combobulator/src/metapackage.py", line 7, in __init__
        if len(pkgname.split(':')) == 2:
    AttributeError: 'dict_keys' object has no attribute 'split'
    
    $ python src/combobulator.py --type pypi --directory ~/Downloads/DSVW/
      ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
     |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
     | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
     | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
     |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
       ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
      / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
     | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
     | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
      \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
    [PROC] Arguments parsed.
    [ERROR]  Selected package type doesn't support import scan.
    
    $ python src/combobulator.py --type maven --directory ~/Downloads/VulnerableJavaWebApplication/
      ____  _____ ____  _____ _   _ ____  _____ _   _  ______   __
     |  _ \| ____|  _ \| ____| \ | |  _ \| ____| \ | |/ ___\ \ / /
     | | | |  _| | |_) |  _| |  \| | | | |  _| |  \| | |    \ V / 
     | |_| | |___|  __/| |___| |\  | |_| | |___| |\  | |___  | |  
     |____/|_____|_|   |_____|_| \_|____/|_____|_| \_|\____| |_|  
       ____ ____  __  __ ____   ____  ____  _   _ _        _  _____ ____  ____  
      / ___/ /\ \|  \/  | __ ) / /\ \| __ )| | | | |      / \|_   _/ /\ \|  _ \ 
     | |  / /  \ \ |\/| |  _ \/ /  \ \  _ \| | | | |     / _ \ | |/ /  \ \ |_) |
     | |__\ \  / / |  | | |_) \ \  / / |_) | |_| | |___ / ___ \| |\ \  / /  _ < 
      \____\_\/_/|_|  |_|____/ \_\/_/|____/ \___/|_____/_/   \_\_| \_\/_/|_| \_
    [PROC] Arguments parsed.
    [PROC] Package list imported....  ['org.springframework.boot:spring-boot-starter-web', 'org.apache.tomcat.embed:tomcat-embed-jasper', 'javax.servlet:jstl', 'org.springframework:spring-jdbc', 'com.h2database:h2']
    [PROC] Maven checker engaged.
    [ANALYSIS] Package:  spring-boot-starter-web   is present on public provider.
    [ANALYSIS] Package:  tomcat-embed-jasper   is present on public provider.
    [ANALYSIS] Package:  jstl   is present on public provider.
    [ANALYSIS] Package:  spring-jdbc   is present on public provider.
    [ANALYSIS] Package:  h2   is present on public provider.
    

    summary:

    Only java scan are stable. Please, fix it. Also, please, update a readme.md

    triage 
    opened by sv-atoslav 0
  • Introduce a keyword list to mark internal only package scheme

    Introduce a keyword list to mark internal only package scheme

    For dependency confusion use case - a keyword list option for marking risky packages that should follow a scheme for internal-facing only. That way - the user will be able to designate dependencies that are to be highlighted if found to be present on the public repo

    cc @rotemreiss

    enhancement 
    opened by moshe-apiiro 0
Releases(v1.0.0-rc1)
Owner
Apiiro
Apiiro
A brute force tool for password-protected zip file

Bzip A brute force tool for password-protected zip file/folder(s). Note that this tool can only crack .zip files. Please DO not misuse. Installation g

3 Nov 13, 2021
Red Team Toolkit is an Open-Source Django Offensive Web-App which is keeping the useful offensive tools used in the red-teaming together.

RedTeam Toolkit Note: Only legal activities should be conducted with this project. Red Team Toolkit is an Open-Source Django Offensive Web-App contain

Mohammadreza Sarayloo 382 Jan 01, 2023
Click-Jack - Automatic tool to find Clickjacking Vulnerability in various Web applications

CLICK-Jack It is a automatic tool to find Clickjacking Vulnerability in various

Prince Prafull 4 Jan 10, 2022
BF-Hash - A Python Tool to decrypt hashes by brute force

BF-Hash Herramienta para descifrar hashes por fuerza bruta Instalación git clone

5 Apr 09, 2022
A simple python script for hosting a Snowflake Proxy in your python program or with it's standalone cli

snowflake-cli Snowflake is a system to defeat internet censorship, made by Tor Project. The system works by volunteers who run the snowflake extension

Guilherme Paixão 6 Jul 14, 2022
Utility for Extracting all passwords from ConnectWise Automate

CWA Password Extractor Utility for Extracting all passwords from ConnectWise Automate (E.g. while migrating to a new system). Outputs a csv file with

Matthew Kyles 1 Dec 09, 2021
a cool, easily usable and customisable subdomains scanner

Subdah 🔎 another subdomains scanner. Installation ⚠️ Python 3.10 required ⚠️ $ git clone https://github.com/traumatism/subdah $ cd subdah $ pip3 inst

toast 14 Oct 18, 2022
Small python script to look for common vulnerabilities on SMTP server.

BrokenSMTP BrokenSMTP is a python3 BugBounty/Pentesting tool to look for common vulnerabilities on SMTP server. Supported Vulnerability : Spoofing - T

39 Dec 16, 2022
Web Headers Security Scanner

Web Headers Security Scanner

Emre Koybasi 3 Dec 16, 2022
A small Python Script To get all levels of subdomains from a list

getlevels A small Python Script To get all levels of subdomains Easily get 1st level, 2nd level, 3rd level, 4th level .... nth level subdomains Usag

9 Feb 15, 2022
the metasploit script(POC) about CVE-2021-36260

CVE-2021-36260-metasploit the metasploit script(POC) about CVE-2021-36260. A command injection vulnerability in the web server of some Hikvision produ

Taroballz 14 Nov 09, 2022
Cobalt Strike Beacon configuration extractor and parser.

Cobalt Strike Configuration Extractor and Parser Overview Pure Python library and set of scripts to extract and parse configurations (configs) from Co

Stroz Friedberg 102 Dec 18, 2022
Time Discretization-Invariant Safe Action Repetition for Policy Gradient Methods

Time Discretization-Invariant Safe Action Repetition for Policy Gradient Methods This repository is the official implementation of Seohong Park, Jaeky

Seohong Park 6 Aug 02, 2022
FOSSLight Scanner performs open source analysis after downloading the source by passing a link that can be cloned by wget or git.

FOSSLight Scanner Analyze at once for Open Source Compliance. FOSSLight Scanner performs open source analysis after downloading the source by passing

FOSSLight 8 Nov 03, 2022
Aiminsun 165 Dec 21, 2022
ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF->GetWebShell)

ProxyLogon For Python3 ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF-GetWebShell) usage: python ProxyLogon.py --host=exchang

112 Dec 01, 2022
Using python 3 and Flask an MVC system where the AES 128 CBC and Trivium algorithms

This project was developed using python 3 and Flask, it is an MVC system where the AES 128 CBC and Trivium algorithms can be tested through a communication between the computer and a device such as a

Brandon Israel Camacho Reyes 1 Dec 26, 2021
Android Malware Behavior Deleter

Android Malware Behavior Deleter UDcide UDcide is a tool that provides alternative way to deal with Android malware. We help you to detect and remove

27 Sep 23, 2022
Vulnerability Scanner & Auto Exploiter You can use this tool to check the security by finding the vulnerability in your website or you can use this tool to Get Shells

About create a target list or select one target, scans then exploits, done! Vulnnr is a Vulnerability Scanner & Auto Exploiter You can use this tool t

Nano 108 Dec 04, 2021
Fast subdomain scanner, Takes arguments from a Json file ("args.json") and outputs the subdomains.

Fast subdomain scanner, Takes arguments from a Json file ("args.json") and outputs the subdomains. File Structure core/ colors.py db/ wordlist.txt REA

whoami security 4 Jul 02, 2022