Skip to content

Compare the contents of your hosted and proxy repositories for coordinate collisions

Notifications You must be signed in to change notification settings

sonatype-nexus-community/repo-diff

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Nexus Repository Manager dependency/namespace confusion checker

This repository contains a script to check if you have artifacts containing the same name between your repositories. This can be used to check if you're affected by a Dependency Confusion Attack

For example

npm-hosted has packages published with the @mycompany/[email protected]
npm-proxy has a package called @mycompany/[email protected]

This would be a match.

Requirements

  • Python3
  • NXRM3 OSS or PRO

‼ - Nexus Firewall with NXRM3 now has a feature for Dependency confusion protection. See help.sonatype.com for more information or contact Sonatype.

‼ - Large registries with NX3 might cause an orient error. If you run into this contact your Sonatype CS for help

  • NXRM2 OSS or PRO

‼ - DO NOT RUN THIS IF YOU ARE USING SLOW STORAGE SUCH AS NFS TO BACK NEXUS. It may cause your NX2 to slow down and become unresponsive. We recommend upgrading to nx3 as a primary first step.

Instructions

Step 1: Customise values in repo-diff.py (NXRM3) or repo-diff-nxrm2.py (NXRM2)

You'll need to modify the script to include

  1. Auth creds or tokens from your NXRM. (USER and TOKEN)
  2. URL to your Nexus (REPO_HOSTNAME)
  3. Repositories to compare in REPOS. e.g. to compare ruby and npm hosted to their proxies
REPOS = {
    # hosted: proxy
    "ruby-hosted": "ruby-proxy",
    "npm-hosted": "npm-group-proxy"
}

You'll find examples of all in the script.

Step 2: Create new virtual environment

python3 -m venv my-venv

Step 3: Activate your virtual environment

Do this in your terminal or by using your favorite IDE

Windows

my-venv\Scripts\activate.bat

MacOs *NIX Linux

source my-venv/bin/activate

Step 4: Install dependencies

pip install -r requirements.txt

Step 5: Run script

To run the script simply type - results will be printed out to stdout and can be piped to a file for later use.

 python3 repo-diff.py

About

Compare the contents of your hosted and proxy repositories for coordinate collisions

Resources

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages