Tools to reduce the risk of dependency confusion
Hello everyone! Some time ago, I published a post with useful links related to dependency confusion. Now, I've decided to share additional information in a second post.
This post includes tools that you can utilize to detect this vulnerability and safeguard your repositories. I believe this information will be beneficial for application security experts and pentesters, saving them countless hours searching for these tools. I've collected these tools from various blogs and GitHub repositories.
So, rest assured, this post goes beyond merely testing how big tables will look on my blog template.
It's packed with useful tools and insights to strengthen your security practices. Enjoy!
CI-CD Tools
I've set these tools apart because they can be integrated into a CI/CD workflow, while still being usable manually.
| Tool name | Link | Package managers |
|---|---|---|
| Dependency Combobulator | https://github.com/apiiro/combobulator | npm, NuGet, Maven |
| DustiLock | https://github.com/Checkmarx/dustilock | npm, PyPI |
Manual testing
In contrast, these tools are labeled for manual testing (that is, you start them by hand from the console); however, I'm confident that you can also try to integrate them into a CI/CD pipeline.
| Tool name | Link | Package managers |
|---|---|---|
| Confused | https://github.com/visma-prodsec/confused | pip, npm, Composer, Maven, RubyGems |
| Artishock | https://github.com/schibsted/artishock | npm, PyPI, Maven, ? |
| Snync | https://github.com/snyk-labs/snync | npm |
| ConfusedDotnet | https://github.com/visma-prodsec/ConfusedDotnet | NuGet |
| Redesigned-carnival | https://github.com/frasertweedale/redesigned-carnival | Cabal |
| Yorkshire | https://github.com/DataDog/yorkshire | Python package managers |
DAST
Additionally, I came across the JS Miner plugin for Burp Suite. This plugin can be quite useful when testing applications with a DAST approach.