{"id":13410420,"url":"https://github.com/visma-prodsec/confused","last_synced_at":"2025-05-16T06:04:36.595Z","repository":{"id":37312010,"uuid":"337669904","full_name":"visma-prodsec/confused","owner":"visma-prodsec","description":"Tool to check for dependency confusion vulnerabilities in multiple package management systems","archived":false,"fork":false,"pushed_at":"2024-08-19T18:22:25.000Z","size":45,"stargazers_count":717,"open_issues_count":16,"forks_count":97,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-05-09T15:52:56.437Z","etag":null,"topics":["confusion-detection","infosec","java","javascript","maven","namespaces","npm","php","pypi","python"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/visma-prodsec.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-02-10T09:06:56.000Z","updated_at":"2025-05-08T12:01:27.000Z","dependencies_parsed_at":"2024-06-18T20:05:36.805Z","dependency_job_id":"81427591-da73-42d7-a723-d12ee0728f12","html_url":"https://github.com/visma-prodsec/confused","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/visma-prodsec%2Fconfused","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/visma-prodsec%2Fconfused/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/visma-prodsec%2Fconfused/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/visma-prodsec%2Fconfused/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/visma-prodsec","download_url":"https://codeload.github.com/visma-prodsec/confused/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254478186,"owners_count":22077675,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["confusion-detection","infosec","java","javascript","maven","namespaces","npm","php","pypi","python"],"created_at":"2024-07-30T20:01:06.771Z","updated_at":"2025-05-16T06:04:36.575Z","avatar_url":"https://github.com/visma-prodsec.png","language":"Go","funding_links":[],"categories":["Go","Vulnerabilities and Security Advisories","Weapons"],"sub_categories":["Tools"],"readme":"# Confused\n\nA tool for checking for lingering free namespaces for private package names referenced in dependency configuration\nfor Python (pypi) `requirements.txt`, JavaScript (npm) `package.json`, PHP (composer) `composer.json` or MVN (maven) `pom.xml`.\n\n## What is this all about?\n\nOn 9th of February 2021, a security researcher Alex Birsan [published an article](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)\nthat touched different resolve order flaws in dependency management tools present in multiple programming language ecosystems.\n\nMicrosoft [released a whitepaper](https://azure.microsoft.com/en-gb/resources/3-ways-to-mitigate-risk-using-private-package-feeds/)\ndescribing ways to mitigate the impact, while the root cause still remains.\n\n## Interpreting the tool output\n\n`confused` simply reads through a dependency definition file of an application and checks the public package repositories\nfor each dependency entry in that file. It will proceed to report all the package names that are not found in the public\nrepositories - a state that implies that a package might be vulnerable to this kind of attack, while this vector has not\nyet been exploited.\n\nThis however doesn't mean that an application isn't already being actively exploited. If you know your software is using\nprivate package repositories, you should ensure that the namespaces for your private packages have been claimed by a\ntrusted party (typically yourself or your company).\n\n### Known false positives\n\nSome packaging ecosystems like npm have a concept called \"scopes\" that can be either private or public. In short it means\na namespace that has an upper level - the scope. The scopes are not inherently visible publicly, which means that `confused`\ncannot reliably detect if it has been claimed. If your application uses scoped package names, you should ensure that a\ntrusted party has claimed the scope name in the public repositories.\n\n## Installation\n\n- [Download](https://github.com/visma-prodsec/confused/releases/latest) a prebuilt binary from [releases page](https://github.com/visma-prodsec/confused/releases/latest), unpack and run!\n\n  _or_\n- If you have recent go compiler installed: `go get -u github.com/visma-prodsec/confused` (the same command works for updating)\n\n  _or_\n- git clone https://github.com/visma-prodsec/confused ; cd confused ; go get ; go build\n\n## Usage\n```\nUsage:\n confused [-l LANGUAGENAME] depfilename.ext\n\nUsage of confused:\n  -l string\n        Package repository system. Possible values: \"pip\", \"npm\", \"composer\", \"mvn\", \"rubygems\" (default \"npm\")\n  -s string\n        Comma-separated list of known-secure namespaces. Supports wildcards\n  -v    Verbose output\n\n```\n\n## Example\n\n### Python (PyPI)\n```\n./confused -l pip requirements.txt\n\nIssues found, the following packages are not available in public package repositories:\n [!] internal_package1\n\n```\n\n### JavaScript (npm)\n```\n./confused -l npm package.json\n\nIssues found, the following packages are not available in public package repositories:\n [!] internal_package1\n [!] @mycompany/internal_package1\n [!] @mycompany/internal_package2\n\n# Example when @mycompany private scope has been registered in npm, using -s\n./confused -l npm -s '@mycompany/*' package.json\n\nIssues found, the following packages are not available in public package repositories:\n [!] internal_package1\n```\n\n### Maven (mvn)\n```\n./confused -l mvn pom.xml\n\nIssues found, the following packages are not available in public package repositories:\n [!] internal\n [!] internal/package1\n [!] internal/_package2\n\n```\n\n### Ruby (rubygems)\n```\n./confused -l rubygems Gemfile.lock\n\nIssues found, the following packages are not available in public package repositories:\n [!] internal\n [!] internal/package1\n [!] internal/_package2\n \n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvisma-prodsec%2Fconfused","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvisma-prodsec%2Fconfused","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvisma-prodsec%2Fconfused/lists"}