Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/schibsted/artishock
A tool to investigate Dependency Confusion in Artifactory
artifactory confusion-detection dependency-confusion npm pypi
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/schibsted/artishock
- Owner: schibsted
- License: apache-2.0
- Created: 2021-03-04T14:40:24.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2023-03-17T07:56:34.000Z (almost 2 years ago)
- Last Synced: 2024-05-01T12:24:06.559Z (9 months ago)
- Topics: artifactory, confusion-detection, dependency-confusion, npm, pypi
- Language: Java
- Homepage:
- Size: 225 KB
- Stars: 23
- Watchers: 14
- Forks: 2
- Open Issues: 2
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
README
![](src/main/logo/artishock.svg)
# Artishock
A tool to investigate Dependency Confusion in Artifactory. See our [blog post](https://schibsted.com/blog/dependency-confusion-how-we-protected-ourselves/) for more information.

## Install

Binaries for Linux, Mac and Windows can be found under [releases](https://github.com/schibsted/artishock/releases) (Windows is not tested).

Unzip `artishock-{linux,mac,win}.zip`, then run `artishock-{linux,mac,win}/bin/artishock`.

**For macOS**: `bin/artishock` and `bin/java` are not signed so they must be allowed to run.
## Configure
Create `~/.artishock/artishock.config` with the following
```
{
  "artifactoryUrl": "https://example.com/artifactory/",
  "artifactoryUsername": "[email protected]",
  "artifactoryPassword": ""
}
```

You can also set these as environment variables:
```
export ARTISHOCK_ARTIFACTORY_URL=
export ARTISHOCK_ARTIFACTORY_USERNAME=
export ARTISHOCK_ARTIFACTORY_PASSWORD=
```

## Run
**Please note that some Artishock commands will look up your internal package names upstream.** These require the `--query-upstream` flag. If you do not want to disclose your internal names don't use those commands.
Some requests will be cached to `~/.artishock/cache/`. Each request is cached for 7 days. The cache directory can be deleted to clear the cache.
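To make concrete what a "not claimed" / "exclude candidates" style of comparison computes, here is an added Python example that is not part of Artishock (which is written in Java) and does not reproduce its implementation. It runs the same kind of set comparison offline: the local package list, the remote-cache contents and the upstream index are all constructed sample data, so nothing is disclosed to a public registry. It also handles the PyPI edge case the page's `--package-system pypi` commands imply: PyPI names compare case-insensitively with `-`, `_` and `.` treated as equivalent (PEP 503), so names must be normalised before comparing. The scope-level exclude pattern for npm (`@scope/**`) is this example's own assumption about how one would feed results into an Artifactory remote-repository exclude pattern.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not real registry or Artifactory contents).
LOCAL_NPM = {"@example/auth-client", "@example/logger", "internal-metrics", "leftpad-shim"}
REMOTE_CACHED_NPM = {"react", "leftpad-shim", "@example/logger"}
UPSTREAM_NPM = {"react", "leftpad-shim", "@example/logger", "lodash"}


def normalize_name(package_system, name):
    """Canonical form used for comparison.

    PyPI (PEP 503): case-insensitive, runs of '-', '_' and '.' collapse to '-'.
    npm: names are compared as-is (new npm packages are lowercase already).
    """
    if package_system == "pypi":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name


def npm_scope(name):
    """Return '@scope' for a scoped npm name, else None."""
    return name.split("/", 1)[0] if name.startswith("@") else None


def infer_exclude_patterns(package_system, local):
    """Patterns to block upstream resolution of internal names.

    Assumption of this example: scoped npm names collapse to one scope-level
    Ant-style pattern ('@scope/**'); everything else is listed by exact name.
    """
    if package_system == "npm":
        scopes = {npm_scope(n) for n in local if npm_scope(n)}
        patterns = sorted(f"{s}/**" for s in scopes)
        patterns += sorted(n for n in local if npm_scope(n) is None)
        return patterns
    return sorted(local)


@dataclass
class ConfusionReport:
    not_claimed: set        # internal names nobody holds upstream (registrable by anyone)
    claimed_upstream: set   # internal names that already exist upstream (investigate)
    cached_collisions: set  # internal names also present in the remote cache
    exclude_patterns: list  # candidate exclude patterns for the remote repository


def analyse(package_system, local, remote_cached, upstream):
    """Compare an internal package list against the remote cache and upstream index."""
    norm = lambda names: {normalize_name(package_system, n) for n in names}
    local_n, remote_n, upstream_n = norm(local), norm(remote_cached), norm(upstream)
    return ConfusionReport(
        not_claimed=local_n - upstream_n,
        claimed_upstream=local_n & upstream_n,
        cached_collisions=local_n & remote_n,
        exclude_patterns=infer_exclude_patterns(package_system, local_n),
    )


if __name__ == "__main__":
    report = analyse("npm", LOCAL_NPM, REMOTE_CACHED_NPM, UPSTREAM_NPM)
    print("not claimed upstream:", sorted(report.not_claimed))
    print("claimed upstream:    ", sorted(report.claimed_upstream))
    print("cached from remote:  ", sorted(report.cached_collisions))
    print("exclude patterns:    ", report.exclude_patterns)
```

The interesting rows for a defender are the `claimed_upstream` names that also show up in `cached_collisions`: a public package with the same name as an internal one has already been pulled through the remote repository, which is exactly the situation the exclude patterns are meant to prevent.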
```
artishock
artishock repo-ls --help
artishock repo-ls --json
```

## Examples
### NPM
```
artishock repo-ls --package-system npm
artishock exclude-candidates --package-system npm --local npm-local
artishock not-claimed --package-system npm --local npm-local --query-upstream
artishock cached --package-system npm --local npm-local --remote npm-remote
artishock inferred-exclude --package-system npm --local npm-local --remote npm-remote --query-upstream
artishock package-stats --package-system npm --repo npm-local --package @example/package
```

### PyPI
```
artishock repo-ls --package-system pypi
artishock exclude-candidates --package-system pypi --local pypi-local
artishock not-claimed --package-system pypi --local pypi-local --query-upstream
artishock cached --package-system pypi --local pypi-local --remote pypi-remote
artishock inferred-exclude --package-system pypi --local pypi-local --remote pypi-remote --query-upstream
```

### Maven

This is a slow command that iterates over the whole repo to gather download stats.
```
artishock repo-stats --package-system maven --repo small-remote-cache
```

## Debugging

Use `--verbose` for verbose output and `--stacktrace` to get the full stack trace rather than just the message.

## Developer notes

*Prerequisite: [OpenJDK 17](https://adoptium.net/)*

Generate runtime images `build/image/artishock-{linux,mac,win}/`
```
./gradlew runtime
```

On Linux run the program with
```
build/image/artishock-linux/bin/artishock
```

Make release files `build/artishock-{linux,mac,win}.zip`
```
./gradlew runtimeZip
```