The Dependency Combobulator
A modular and extensible open source toolkit to detect and prevent dependency confusion attacks.
The Dependency Combobulator is an open source, modular, and extensible toolkit to detect and prevent dependency confusion leakage and potential attacks. This facilitates a holistic approach to ensuring secure application releases that can be evaluated against different sources (e.g., GitHub Packages, JFrog Artifactory) and many package management schemes (e.g., npm, maven).
Who should use it?
The toolkit can be used by security auditors and pentesters, and can even be baked into an enterprise's application security program and release cycle in an automated fashion.
What is a dependency confusion attack?
Dependency confusion compromises the open source software (OSS) ecosystem by tricking end users, developers, and automation systems into installing a malicious dependency instead of the correct one they intended to install, resulting in the compromise of their software.
Pluggable - interject on commit, build, or release steps in the SDLC
Expandable - easily add your own package management scheme or code source of choice
General-Purpose Heuristic Engine - an abstract package data model provides an agnostic heuristic approach
Supports a wide range of technologies
Flexible - decision trees can be determined upon insights or verdicts provided by the toolkit
How does it work?
Apiiro’s Dependency Combobulator enables a holistic approach to analyze and automate release workflows that can be evaluated against different sources such as GitHub Packages and can be extended to consider additional registries such as JFrog Artifactory. Unlike existing solutions, Apiiro’s Dependency Combobulator, aimed at the AppSec practitioner, is a Python-based toolkit that supports both the npm and maven package management schemes out of the box, while also enabling easy extension into other package management systems. It provides improved extensibility that enables organizations to quickly adapt to new types of dependency attacks.
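To make the "abstract package model evaluated against several sources" idea concrete, here is an added example of a minimal dependency-confusion heuristic in the same spirit. It is not the Dependency Combobulator's own code: the Package record, the two parsers, the verdict names (public, confusion-risk, shadowed, unclaimed, namespace-squat, unknown) and the registry snapshots are all assumptions constructed for illustration, and the manifests and registry indexes are embedded so that it runs offline. Each npm or maven dependency is normalised into one scheme-agnostic record and then compared against a first-party (internal) index and a public-registry index, which is where the confusion risk becomes visible.

```python
"""Added example (not the project's code): a scheme-agnostic
dependency-confusion check over constructed manifests and registry snapshots."""
import json
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The internal index is assumed to list only first-party packages, not a
# proxy cache of public packages; otherwise every mirrored OSS package
# would look like a name clash.
Index = Dict[str, List[str]]  # package name -> versions published in that source


@dataclass(frozen=True)
class Package:
    """Scheme-agnostic package record (assumed model, not the project's)."""
    name: str     # "@acme/auth-lib" for npm, "com.acme:telemetry" for maven
    version: str  # version or range exactly as declared in the manifest
    scheme: str   # "npm" or "maven"


def parse_npm(manifest: str) -> List[Package]:
    """Flatten dependencies and devDependencies of a package.json."""
    data = json.loads(manifest)
    deps: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(data.get(section, {}))
    return [Package(name, ver, "npm") for name, ver in deps.items()]


def _local(tag: str) -> str:
    """Drop the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def parse_maven(pom: str) -> List[Package]:
    """Collect <dependency> blocks from a pom.xml, with or without the POM namespace."""
    pkgs: List[Package] = []
    for node in ET.fromstring(pom).iter():
        if _local(node.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in node}
        name = f"{fields['groupId']}:{fields['artifactId']}"
        pkgs.append(Package(name, fields.get("version", ""), "maven"))
    return pkgs


def _vkey(version: str):
    """Numeric sort key for registry version strings such as 1.4.0 or 99.0.0."""
    return tuple(int(part) for part in re.findall(r"\d+", version)) or (0,)


def is_internal_name(pkg: Package, internal_prefixes: Iterable[str]) -> bool:
    """True if the name sits in a namespace the organisation reserves for itself."""
    return any(pkg.name.startswith(prefix) for prefix in internal_prefixes)


def evaluate(pkg: Package, internal: Index, public: Index,
             internal_prefixes: Iterable[str]) -> str:
    """Verdict for one package from the two sources (verdict names are assumed)."""
    in_internal, in_public = internal.get(pkg.name), public.get(pkg.name)
    if in_internal and in_public:
        # Same name in both sources: a resolver that consults both may take the
        # higher version, so a public release at or above ours is the classic risk.
        if max(map(_vkey, in_public)) >= max(map(_vkey, in_internal)):
            return "confusion-risk"
        return "shadowed"
    if in_internal:
        # Private name nobody has registered publicly: reserve it before someone else does.
        return "unclaimed" if is_internal_name(pkg, internal_prefixes) else "internal-only"
    if in_public:
        # A public package wearing our private namespace deserves a look.
        return "namespace-squat" if is_internal_name(pkg, internal_prefixes) else "public"
    return "unknown"


def audit(packages: Iterable[Package], internal: Index, public: Index,
          internal_prefixes: Iterable[str]) -> Dict[str, str]:
    return {p.name: evaluate(p, internal, public, internal_prefixes) for p in packages}


# --- constructed sample input (not real registry data) -----------------------
NPM_MANIFEST = json.dumps({
    "dependencies": {"lodash": "^4.17.21", "@acme/auth-lib": "^1.4.0",
                     "@acme/billing": "2.0.1", "@acme/crypto-utils": "^0.0.1"},
    "devDependencies": {"@acme/new-service": "0.1.0"},
})
POM_MANIFEST = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>2.0.9</version></dependency>
  <dependency><groupId>com.acme</groupId><artifactId>telemetry</artifactId><version>3.1.0</version></dependency>
</dependencies></project>"""
INTERNAL_INDEX: Index = {"@acme/auth-lib": ["1.4.0"], "@acme/billing": ["2.0.1"],
                         "com.acme:telemetry": ["3.1.0"]}
PUBLIC_INDEX: Index = {"lodash": ["4.17.21"], "@acme/auth-lib": ["99.0.0"],
                       "@acme/crypto-utils": ["0.0.1"], "org.slf4j:slf4j-api": ["2.0.9"],
                       "com.acme:telemetry": ["1.0.0"]}
INTERNAL_PREFIXES = ("@acme/", "com.acme:")


def run_sample() -> Dict[str, str]:
    packages = parse_npm(NPM_MANIFEST) + parse_maven(POM_MANIFEST)
    return audit(packages, INTERNAL_INDEX, PUBLIC_INDEX, INTERNAL_PREFIXES)


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{verdict:16} {name}")
```

On the constructed data, `@acme/auth-lib` is flagged as confusion-risk because the public registry carries a higher version than the internal one, `@acme/billing` as unclaimed, and `@acme/crypto-utils` as namespace-squat; a real deployment would swap the two dict lookups for registry clients and feed the verdicts into the commit, build or release gate the text describes.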
Apiiro secures your Software Development Lifecycle. The Apiiro Code Risk Platform enables you to remediate critical risks such as design flaws, misconfigurations, vulnerabilities, compliance violations & supply-chain attacks to accelerate software delivery to the cloud. www.apiiro.com