Tools to reduce the risk of dependency confusion

Hello everyone! Some time ago, I published a post with useful links related to dependency confusion. Now, I've decided to share additional information in a second post.

This post includes tools that you can utilize to detect this vulnerability and safeguard your repositories. I believe this information will be beneficial for application security experts and pentesters, saving them countless hours searching for these tools. I've collected these tools from various blogs and GitHub repositories.

So, rest assured, this post goes beyond merely testing how big tables will look on my blog template :smiley:

It's packed with valuable tools and insights to enhance your security practices. Enjoy!

CI/CD tools

I've separated these tools out because they are built to drop into a CI/CD pipeline as a checking step, although you can just as well run them by hand.

| Tool name | Link | Package managers |
|---|---|---|
| Dependency Combobulator | https://github.com/apiiro/combobulator | npm, NuGet, Maven |
| DustiLock | https://github.com/Checkmarx/dustilock | npm, PyPI |

Manual testing

These tools, by contrast, are meant for manual testing (you start them yourself from the console); that said, nothing stops you from wrapping them in a CI/CD job.

| Tool name | Link | Package managers |
|---|---|---|
| Confused | https://github.com/visma-prodsec/confused | pip, npm, Composer, Maven (mvn), RubyGems |
| Artishock | https://github.com/schibsted/artishock | npm, PyPI, Maven, others unconfirmed |
| Snync | https://github.com/snyk-labs/snync | npm |
| ConfusedDotnet | https://github.com/visma-prodsec/ConfusedDotnet | NuGet |
| Redesigned-carnival | https://github.com/frasertweedale/redesigned-carnival | Cabal |
| Yorkshire | https://github.com/DataDog/yorkshire | Python package managers |
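All of the checkers above boil down to the same test: read the project's manifests, pull out every dependency name, and ask the public registry whether that name is claimed. An internal name that nobody has registered publicly is the opening an attacker needs, and an internal name that *is* registered publicly needs an owner check. The script below is an added example written for this post, not code from any of the listed tools; it runs the check over a constructed package.json and requirements.txt against a constructed in-memory snapshot of the public registries (so it works offline), and the `acme` prefix used to decide what "looks internal" is an assumption you would replace with your own naming convention or private registry index.

```python
"""Added example: the core dependency-confusion check the tools above perform."""
from __future__ import annotations

import json
import re

# Constructed sample manifests for this example; not taken from any real project.
PACKAGE_JSON = json.dumps({
    "name": "acme-web",
    "dependencies": {
        "express": "^4.18.2",
        "acme-auth-client": "1.4.0",          # internal, never published publicly
        "@acme/design-system": "2.0.1",       # scoped internal package
    },
    "devDependencies": {
        "jest": "^29.0.0",
        "acme-test-harness": "0.3.2",         # internal name that a stranger has squatted
    },
})
REQUIREMENTS_TXT = """\
requests==2.31.0
Acme_Internal.Utils>=1.2   # private helper library
acme-billing[pdf]==3.0.0
-e git+https://example.invalid/acme/tool.git#egg=acme-tool
"""

# Constructed snapshot standing in for the public registries so the example runs
# offline. In real use replace `public_registry_has` with an HTTP GET against
# https://registry.npmjs.org/<name> or https://pypi.org/pypi/<name>/json and
# treat 200 as "exists" and 404 as "unclaimed".
FAKE_PUBLIC = {
    "npm": {"express", "jest", "acme-test-harness"},
    "pypi": {"requests", "acme-billing"},
}

# Assumed naming convention: anything starting with "acme" is one of ours.
INTERNAL_PREFIXES = ("acme",)


def normalize_pypi(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_package_json(text: str) -> set[str]:
    """Collect dependency names from every dependency section of a package.json."""
    data = json.loads(text)
    names: set[str] = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(data.get(section, {}))
    return names


_REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirements(text: str) -> set[str]:
    """Collect normalised names from requirements.txt, dropping comments, blanks
    and pip option lines such as '-e' / '-r' (URL requirements carry no registry name)."""
    names: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_LINE.match(line)          # stops before extras '[...]' or a version spec
        if m:
            names.add(normalize_pypi(m.group(1)))
    return names


def public_registry_has(ecosystem: str, name: str) -> bool:
    key = normalize_pypi(name) if ecosystem == "pypi" else name
    return key in FAKE_PUBLIC[ecosystem]


def classify(ecosystem: str, name: str) -> str:
    """Return the finding for one dependency name."""
    if ecosystem == "npm" and name.startswith("@"):
        return "scoped: safe only if your organisation owns this scope on the public registry"
    looks_internal = name.lower().lstrip("@").startswith(INTERNAL_PREFIXES)
    exists = public_registry_has(ecosystem, name)
    if looks_internal and not exists:
        return "UNCLAIMED: anyone can publish this name publicly; register a placeholder or scope it"
    if looks_internal and exists:
        return "TAKEN: a public package with your internal name exists; verify who owns it"
    return "public dependency" if exists else "unknown name: not found on the public registry"


def scan(package_json: str, requirements: str) -> dict[str, str]:
    """Run the check over both manifests and return {ecosystem:name: finding}."""
    findings: dict[str, str] = {}
    for n in sorted(parse_package_json(package_json)):
        findings[f"npm:{n}"] = classify("npm", n)
    for n in sorted(parse_requirements(requirements)):
        findings[f"pypi:{n}"] = classify("pypi", n)
    return findings


if __name__ == "__main__":
    for dep, verdict in scan(PACKAGE_JSON, REQUIREMENTS_TXT).items():
        print(f"{dep:32} {verdict}")
```

Two details matter in practice and are easy to get wrong when you roll your own: PyPI names must be normalised before comparison (`Acme_Internal.Utils` and `acme-internal-utils` are the same package), and a scoped npm name is only protection if the scope itself is owned by your organisation on npmjs.com; the scanner cannot tell that from the manifest alone, so it reports it as a check to perform rather than a pass.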

DAST

Additionally, I came across the JS Miner plugin for Burp Suite. It passively inspects the JavaScript an application serves and includes a dependency-confusion check that flags package names found there which are not registered on the public npm registry, so it is quite useful when you only have black-box (DAST) access to the target rather than its source repository.