Dependency confusion scanner
November 29, 2023
This small repository scans GitHub repositories for potential dependency confusion vulnerabilities.
It scans for packages in:
- Nuget
  - *.csproj
  - packages.config
- Maven
  - *pom.xml
  - build.gradle
- Packagist
  - composer.lock
  - composer.json
- Pypi
  - requirements.txt
- NPM
  - package-lock.json
  - package.json
How it works
It fetches the relevant manifest files for each package manager, parses them, and checks whether each package name exists on the public registry.
Additionally, it warns if a detected public package has a version containing 999 or 9.9.9 (a sign of an already exploited dependency confusion).
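The pipeline described above, as an added illustration that is not the repository's own code: it parses two of the manifest types listed (package.json and requirements.txt), asks a registry lookup for each declared name, and classifies the result. The registry lookup here is a stubbed, in-memory table with constructed entries so the example runs offline; the real scanner queries the public registries over the network. The example goes slightly beyond the README text by reporting both names that are absent from the public registry (unclaimed names a defender should register or pin to a private index) and names that are present with a 999-style version.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Substrings that the README treats as a sign of an already exploited
# dependency confusion: the malicious public release carries an absurdly
# high version so it wins resolution over the private package.
EXPLOIT_VERSION_MARKERS = ("999", "9.9.9")

# Assumed lookup interface: (ecosystem, package name) -> latest public
# version, or None when no public package of that name exists.
RegistryLookup = Callable[[str, str], Optional[str]]


@dataclass
class Finding:
    ecosystem: str
    name: str
    declared_spec: str
    public_version: Optional[str]

    @property
    def status(self) -> str:
        if self.public_version is None:
            return "not-public"          # name is unclaimed on the public registry
        if any(m in self.public_version for m in EXPLOIT_VERSION_MARKERS):
            return "suspicious-public"   # exists publicly with a 999-style version
        return "public"


def parse_package_json(text: str) -> Dict[str, str]:
    """Return {name: version-spec} from dependencies and devDependencies."""
    data = json.loads(text)
    deps: Dict[str, str] = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(data.get(key, {}))
    return deps


_REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)"       # distribution name
    r"(?:\[[^\]]*\])?"                      # optional extras, e.g. requests[socks]
    r"\s*(?:([=<>!~]+)\s*([^\s;#]+))?"     # optional version operator and version
)


def parse_requirements_txt(text: str) -> Dict[str, str]:
    """Return {normalized-name: version-spec}; comments and option lines are skipped."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue
        m = _REQ_LINE.match(stripped)
        if not m:
            continue
        name, op, ver = m.groups()
        # PEP 503 style normalization so lookups match the index's naming
        normalized = re.sub(r"[-_.]+", "-", name).lower()
        deps[normalized] = f"{op}{ver}" if op else "*"
    return deps


def scan_manifest(ecosystem: str, deps: Dict[str, str], lookup: RegistryLookup) -> List[Finding]:
    """Ask the registry about every declared dependency and record the answer."""
    return [Finding(ecosystem, name, spec, lookup(ecosystem, name)) for name, spec in deps.items()]


# Constructed sample manifests (not from any real project).
SAMPLE_PACKAGE_JSON = """{
  "name": "internal-app",
  "dependencies": {"lodash": "^4.17.21", "acme-internal-utils": "1.2.0"},
  "devDependencies": {"acme-build-tools": "0.1.0"}
}"""

SAMPLE_REQUIREMENTS = """# constructed sample
requests>=2.31.0
acme-private-sdk==3.0.1
-r other.txt
acme_internal_lib
"""

# Constructed stand-in for the public registries; keyed by (ecosystem, name).
FAKE_REGISTRY = {
    ("npm", "lodash"): "4.17.21",
    ("npm", "acme-build-tools"): "999.0.0",   # looks like a hijacked internal name
    ("pypi", "requests"): "2.32.3",
    ("pypi", "acme-private-sdk"): "9.9.9",
}


def fake_lookup(ecosystem: str, name: str) -> Optional[str]:
    return FAKE_REGISTRY.get((ecosystem, name.lower()))


def run_example() -> Dict[Tuple[str, str], str]:
    """Scan both sample manifests and return {(ecosystem, name): status}."""
    findings = scan_manifest("npm", parse_package_json(SAMPLE_PACKAGE_JSON), fake_lookup)
    findings += scan_manifest("pypi", parse_requirements_txt(SAMPLE_REQUIREMENTS), fake_lookup)
    return {(f.ecosystem, f.name): f.status for f in findings}


if __name__ == "__main__":
    for (eco, name), status in run_example().items():
        print(f"{eco:5} {name:22} {status}")
```

Names reported as not-public are the ones worth registering (or restricting to a private index with a pinned source) before someone else does; suspicious-public names deserve an immediate look at what the public registry is actually serving.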
setup
Create a github_access_token file and put your GitHub API token in it (this also gives the scanner access to private repos).
run
To run the script, name an organization and scan all of its repositories (with an option to exclude some via exclude_repos):

```python
scanner = OrganizationScanner("SonarSource")
scanner.scan_all_repos()
```
Or scan a specific repo:

```python
scanner = OrganizationScanner()
scanner.scan_repo("ndleah/python-mini-project")
```