This repository contains a script that checks whether two of your Nexus repositories contain artifacts with the same name. You can use it to check whether you are exposed to a dependency confusion attack: a package name that exists in your internal hosted repository also exists upstream, so a resolver that prefers the highest version, or asks the wrong repository first, can pull the public copy instead of yours.
For example:
- npm-hosted contains @mycompany/artifact@2.0.1
- npm-proxy contains @mycompany/artifact@10.0.1, pulled from the upstream registry
This is a match: the name @mycompany/artifact exists in both repositories, and the public copy carries the higher version.
You'll need:
- NXRM3 OSS or Pro. The script runs as an "Admin - Execute script" task; on NXRM3 3.21.2 and later, script creation is disabled by default and has to be enabled with nexus.scripts.allowCreation=true in nexus.properties.
You'll need to modify the script to set:
- The repositories to compare, in the `repositories` map. Each key is a hosted repository and its value is the proxy repository to compare it with. E.g. to compare the Ruby and npm hosted repositories to their proxies:

```groovy
def repositories = [:]
//repositories["hosted"] = "proxy"
repositories["ruby-hosted"] = "ruby-proxy"
repositories["npm-hosted"] = "npm-group-proxy"
```
- Log in as an administrator
- Navigate to the Tasks page of your Nexus instance, e.g. https://repo.invenium.io/#admin/system/tasks
- Create a new task of type "Admin - Execute script"
- Task name: Dependency Confusion Checker
- Notification email: you@yourdomain.com
- Send notification on: Failure
- Paste the Groovy script as the task's script source
- Choose a task frequency
- Save
If your mail settings are configured correctly you will now receive an email whenever the task finds a possible dependency/namespace confusion. The script reports a match by failing the task, which is why the notification is sent on Failure; a run that finds nothing finishes normally and sends no email. Note that a proxy repository only holds what has been requested through it, so the check can only see a public package with one of your names once something has actually pulled it through the proxy.
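The same hosted-versus-proxy comparison can also be run from outside Nexus against the documented REST API (GET /service/rest/v1/components?repository=NAME, paged with continuationToken). The script below is an added example for this README, not the repository's Groovy script: NEXUS_URL, the credentials and the sample payloads are assumptions and constructed data, and the version ordering is a deliberately simple numeric-segment comparison.

```python
"""Compare component names in a hosted repository against its proxy via the
NXRM3 REST API (GET /service/rest/v1/components?repository=NAME).

Added example for this README; it is not the repository's Groovy script and
runs outside Nexus. NEXUS_URL, the credentials and the SAMPLE_* payloads are
assumptions / constructed data.
"""
import base64
import json
import re
import urllib.parse
import urllib.request

NEXUS_URL = "https://nexus.example.test"   # assumption: your NXRM3 base URL

# Same hosted -> proxy mapping the Groovy script expects.
REPOSITORIES = {
    "ruby-hosted": "ruby-proxy",
    "npm-hosted": "npm-group-proxy",
}


def fetch_components(base_url, repository, auth=None):
    """Page through /service/rest/v1/components for one repository.

    Returns the list of component dicts (format, group, name, version, ...).
    `auth` is an optional (user, password) tuple; anonymous browse works only
    if the repository allows it.
    """
    items, token = [], None
    while True:
        params = {"repository": repository}
        if token:
            params["continuationToken"] = token
        url = f"{base_url}/service/rest/v1/components?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Accept": "application/json"})
        if auth:
            cred = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
            req.add_header("Authorization", f"Basic {cred}")
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        items.extend(page.get("items", []))
        token = page.get("continuationToken")
        if not token:
            return items


def _version_key(version):
    """Approximate ordering: compare the numeric segments of a version string."""
    return tuple(int(p) for p in re.findall(r"\d+", version or ""))


def find_confusable(hosted_items, proxy_items):
    """Return names present in both repositories.

    Each match is (group, name, max_hosted_version, max_proxy_version,
    proxy_newer). The key is the (group, name) pair exactly as Nexus returns
    it; both repositories are the same format on the same server, so the
    representation is consistent between them.
    """
    def index(items):
        seen = {}
        for c in items:
            seen.setdefault((c.get("group"), c["name"]), []).append(c.get("version") or "")
        return seen

    hosted, proxy = index(hosted_items), index(proxy_items)
    matches = []
    for key in sorted(hosted.keys() & proxy.keys(), key=lambda k: (k[0] or "", k[1])):
        h = max(hosted[key], key=_version_key)
        p = max(proxy[key], key=_version_key)
        matches.append((key[0], key[1], h, p, _version_key(p) > _version_key(h)))
    return matches


def check_all(auth=None):
    """Run the comparison for every configured pair; returns {pair: matches}."""
    return {
        (hosted_repo, proxy_repo): find_confusable(
            fetch_components(NEXUS_URL, hosted_repo, auth),
            fetch_components(NEXUS_URL, proxy_repo, auth),
        )
        for hosted_repo, proxy_repo in REPOSITORIES.items()
    }


# Constructed sample in the shape of the components endpoint, mirroring the
# README example: the proxy has cached a public @mycompany/artifact@10.0.1.
SAMPLE_HOSTED = [
    {"format": "npm", "group": "@mycompany", "name": "artifact", "version": "2.0.1"},
    {"format": "npm", "group": "@mycompany", "name": "artifact", "version": "2.0.0"},
    {"format": "npm", "group": "@mycompany", "name": "internal-tool", "version": "1.0.0"},
]
SAMPLE_PROXY = [
    {"format": "npm", "group": "@mycompany", "name": "artifact", "version": "10.0.1"},
    {"format": "npm", "group": None, "name": "lodash", "version": "4.17.21"},
]

if __name__ == "__main__":
    # Offline demonstration on the constructed sample. For a real run use
    # check_all(("user", "password")) and exit non-zero when anything matches.
    for group, name, h, p, newer in find_confusable(SAMPLE_HOSTED, SAMPLE_PROXY):
        print(f"{group}/{name}: hosted {h}, proxy {p}{'  PROXY NEWER' if newer else ''}")
```

Matches where the proxy's highest version exceeds the hosted one are the dangerous cases, since most package managers resolve to the highest version they can see; the offline run on the sample flags @mycompany/artifact with hosted 2.0.1 and proxy 10.0.1.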