Nexus Repository Manager dependency/namespace confusion Checker Task script
This repository contains a script that checks whether artifacts with the same name exist in more than one of your repositories (typically a hosted repository and the proxy it is compared against). It can be used to check whether you are affected by a dependency confusion attack.
For example: npm-hosted has packages published with the @firstname.lastname@example.org; npm-proxy has a package called @email@example.com.
This would be a match.
Requirements:
- NXRM3 OSS or PRO
Step 1: Customise values in repo-diff.groovy
You'll need to edit the script to set:
- the repositories to compare, in the repositories map (hosted repository as key, the proxy to compare it against as value). E.g. to compare the ruby and npm hosted repositories to their proxies:

    def repositories = [:]
    //repositories["hosted"] = "proxy"
    repositories["ruby-hosted"] = "ruby-proxy"
    repositories["npm-hosted"] = "npm-group-proxy"
Step 2: Create new Task in NXRM3 OSS or PRO
- Login as Administrator
- Navigate to the Tasks page of your instance, e.g. https://repo.invenium.io/#admin/system/tasks
- Create a new Task "Admin - Execute script task"
- TaskName: Dependency Confusion Checker
- Notification email: firstname.lastname@example.org
- Send notification on: Failure
- Paste groovy script
- Choose a Task frequency
If your mail settings are configured correctly you should now receive an email whenever a possible dependency/namespace confusion has occurred.
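The following is an added stand-alone model of the comparison the task performs, written in Python so it can be run offline; it is not the repository's repo-diff.groovy and does not talk to Nexus. It mirrors the repositories map from Step 1, treats a scoped npm package as "@scope/name" (the group and name stored by NXRM) so that scope collisions are caught, and raises an exception when a match is found, because a task only triggers the "Send notification on: Failure" email from Step 2 if the script fails. Repository contents and component names are constructed sample data.

```python
from typing import Dict, List, Optional, Set
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One stored artifact. group is the npm scope without '@'; None for gems and unscoped npm."""
    group: Optional[str]
    name: str
    version: str


def full_name(c: Component) -> str:
    """The identifier compared across repositories: '@scope/name' for scoped npm, otherwise name."""
    return f"@{c.group}/{c.name}" if c.group else c.name


def find_collisions(hosted: List[Component], proxy: List[Component]) -> Set[str]:
    """Names present in both a hosted repository and its proxy, regardless of version."""
    return {full_name(c) for c in hosted} & {full_name(c) for c in proxy}


# Same shape as the repositories map in repo-diff.groovy: hosted -> proxy to compare against.
REPOSITORIES: Dict[str, str] = {"ruby-hosted": "ruby-proxy", "npm-hosted": "npm-group-proxy"}

# Constructed sample contents standing in for what the script reads out of NXRM.
SAMPLE: Dict[str, List[Component]] = {
    "npm-hosted": [Component("acme", "internal-utils", "1.0.0"), Component(None, "acme-tool", "2.1.0")],
    "npm-group-proxy": [Component("acme", "internal-utils", "99.0.0"), Component(None, "lodash", "4.17.21")],
    "ruby-hosted": [Component(None, "acme_billing", "0.3.0")],
    "ruby-proxy": [Component(None, "rails", "7.0.0")],
}


def find_hits(repositories: Dict[str, str], contents: Dict[str, List[Component]]) -> Dict[str, Set[str]]:
    """Collisions per hosted repository, keeping only the pairs where something matched."""
    hits = {h: find_collisions(contents[h], contents[p]) for h, p in repositories.items()}
    return {h: names for h, names in hits.items() if names}


def run_task() -> None:
    """Fail (raise) when a match exists so that NXRM sends the Failure notification."""
    hits = find_hits(REPOSITORIES, SAMPLE)
    if hits:
        raise RuntimeError(f"possible dependency/namespace confusion: {hits}")


if __name__ == "__main__":
    run_task()
```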