Nexus Repository Manager dependency/namespace confusion checker
This repository contains a script to check if you have artifacts containing the same name between your repositories. This can be used to check if you're affected by a Dependency Confusion Attack
For example
npm-hosted has packages published with the @mycompany/[email protected]
npm-proxy has a package called @mycompany/[email protected]
This would be a match.
Requirements
- Python3
- NXRM3 OSS or PRO
Instructions
Step 1: Customise values in repo-diff.py
You'll need to modify the script to include
- Auth creds or tokens from your NXRM3.
- URL to your Nexus
- Repositories to compare in REPOS. e.g. to compare ruby and npm hosted to their proxies
REPOS = {
# hosted: proxy
"ruby-hosted": "ruby-proxy",
"npm-hosted": "npm-group-proxy"
}
You'll find examples of all in the script.
Step 2: Create new virtual environment
python3 -m venv my-venv
Step 3: Activate your virtual environment
Do this in your terminal or by using your favorite IDE
Windows
my-venv\Scripts\activate.bat
MacOs *NIX Linux
source my-venv/bin/activate
Step 4: Install dependencies
pip install -r requirements.txt
Step 5: Run script
To run the script simply type - results will be printed out to stdout and can be piped to a file for later use.
python3 repo-diff.py
1.2k Dec 29, 2022
1 Jan 28, 2022
613 Dec 25, 2022
62 Dec 28, 2022
1 Dec 20, 2021
1 Jan 26, 2022
3.6k Dec 30, 2022
3 Oct 25, 2022
23 Apr 30, 2022
1 Oct 30, 2021
11 Nov 12, 2022
1 Nov 30, 2021
288 Jan 01, 2023
1 Nov 29, 2021
108 Dec 29, 2022
4 Jun 19, 2022
249 Dec 23, 2022
14 Jan 17, 2022
325 Jan 08, 2023
83 Dec 16, 2022