Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/sonatype-nexus-community/repo-diff
Compare the contents of your hosted and proxy repositories for coordinate collisions
https://github.com/sonatype-nexus-community/repo-diff
Last synced: 6 days ago
JSON representation
Compare the contents of your hosted and proxy repositories for coordinate collisions
- Host: GitHub
- URL: https://github.com/sonatype-nexus-community/repo-diff
- Owner: sonatype-nexus-community
- Created: 2021-02-08T20:27:59.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2021-05-25T14:03:41.000Z (over 3 years ago)
- Last Synced: 2024-08-02T07:11:45.654Z (3 months ago)
- Language: Python
- Size: 25.4 KB
- Stars: 60
- Watchers: 16
- Forks: 8
- Open Issues: 1
-
Metadata Files:
- Readme: README.MD
Awesome Lists containing this project
- awesome-cybersecurity-blueteam - Confusion checker - Script to check if you have artifacts containing the same name between your repositories. (DevSecOps / Dependency confusion)
README
# Nexus Repository Manager dependency/namespace confusion checker
This repository contains a script to check if you have artifacts containing the same name between your repositories. This can be used to check if you're affected by a [Dependency Confusion Attack](https://blog.sonatype.com/dependency-hijacking-software-supply-chain-attack-hits-more-than-35-organizations)For example
````
npm-hosted has packages published with the @mycompany/[email protected]
npm-proxy has a package called @mycompany/[email protected]
````This would be a match.
## Requirements
* Python3
* NXRM3 OSS or PRO‼ - Nexus Firewall with NXRM3 now has a feature for Dependency confusion protection. See help.sonatype.com for more information or contact Sonatype.
‼ - Large registries with NX3 might cause an orient error.
If you run into this contact your Sonatype CS for help* NXRM2 OSS or PRO
‼ - DO NOT RUN THIS IF YOU ARE USING SLOW STORAGE SUCH AS NFS TO BACK NEXUS.
It may cause your NX2 to slow down and become unresponsive. We recommend upgrading to nx3 as a primary first step.## Instructions
### Step 1: Customise values in repo-diff.py (NXRM3) or repo-diff-nxrm2.py (NXRM2)
You'll need to modify the script to include
1. Auth creds or tokens from your NXRM. (`USER` and `TOKEN`)
1. URL to your Nexus (`REPO_HOSTNAME`)
1. Repositories to compare in `REPOS`. e.g. to compare ruby and npm hosted to their proxies```python
REPOS = {
# hosted: proxy
"ruby-hosted": "ruby-proxy",
"npm-hosted": "npm-group-proxy"
}
```
You'll find examples of all in the script.### Step 2: Create new virtual environment
```python
python3 -m venv my-venv
```
### Step 3: Activate your virtual environment
Do this in your terminal or by using your favorite IDE
#### Windows
```
my-venv\Scripts\activate.bat
```#### MacOs *NIX Linux
```bash
source my-venv/bin/activate
```### Step 4: Install dependencies
```python
pip install -r requirements.txt
```### Step 5: Run script
To run the script simply type - results will be printed out to stdout and can be piped to a file for later use.
```python
python3 repo-diff.py
````