Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

verida-tech-demos

Package Overview
Dependencies
Maintainers
0
Versions
6
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

verida-tech-demos

A tool for checking for lingering free namespaces for private package names referenced in dependency configuration for Python (pypi) `requirements.txt`, JavaScript (npm) `package.json`, PHP (composer) `composer.json` or MVN (maven) `pom.xml`.

  • 1.0.1
  • unpublished
  • npm
  • Socket score

Version published
Weekly downloads
1
Maintainers
0
Weekly downloads
 
Created
Source

Confused

A tool for checking for lingering free namespaces for private package names referenced in dependency configuration for Python (pypi) requirements.txt, JavaScript (npm) package.json, PHP (composer) composer.json or MVN (maven) pom.xml.

What is this all about?

On 9th of February 2021, a security researcher Alex Birsan published an article that touched different resolve order flaws in dependency management tools present in multiple programming language ecosystems.

Microsoft released a whitepaper describing ways to mitigate the impact, while the root cause still remains.

Interpreting the tool output

confused simply reads through a dependency definition file of an application and checks the public package repositories for each dependency entry in that file. It will proceed to report all the package names that are not found in the public repositories - a state that implies that a package might be vulnerable to this kind of attack, while this vector has not yet been exploited.

This however doesn't mean that an application isn't already being actively exploited. If you know your software is using private package repositories, you should ensure that the namespaces for your private packages have been claimed by a trusted party (typically yourself or your company).

Known false positives

Some packaging ecosystems like npm have a concept called "scopes" that can be either private or public. In short it means a namespace that has an upper level - the scope. The scopes are not inherently visible publicly, which means that confused cannot reliably detect if it has been claimed. If your application uses scoped package names, you should ensure that a trusted party has claimed the scope name in the public repositories.

Installation

  • Download a prebuilt binary from releases page, unpack and run!

    or

  • If you have recent go compiler installed: go get -u github.com/visma-prodsec/confused (the same command works for updating)

    or

  • git clone https://github.com/visma-prodsec/confused ; cd confused ; go get ; go build

Usage

Usage:
 confused [-l LANGUAGENAME] depfilename.ext

Usage of confused:
  -l string
        Package repository system. Possible values: "pip", "npm", "composer", "mvn", "rubygems" (default "npm")
  -s string
        Comma-separated list of known-secure namespaces. Supports wildcards
  -v    Verbose output

Example

Python (PyPI)

./confused -l pip requirements.txt

Issues found, the following packages are not available in public package repositories:
 [!] internal_package1

JavaScript (npm)

./confused -l npm package.json

Issues found, the following packages are not available in public package repositories:
 [!] internal_package1
 [!] @mycompany/internal_package1
 [!] @mycompany/internal_package2

# Example when @mycompany private scope has been registered in npm, using -s
./confused -l npm -s '@mycompany/*' package.json

Issues found, the following packages are not available in public package repositories:
 [!] internal_package1

Maven (mvn)

./confused -l mvn pom.xml

Issues found, the following packages are not available in public package repositories:
 [!] internal
 [!] internal/package1
 [!] internal/_package2

Ruby (rubygems)

./confused -l rubygems Gemfile.lock

Issues found, the following packages are not available in public package repositories:
 [!] internal
 [!] internal/package1
 [!] internal/_package2
 

FAQs

Package last updated on 02 Oct 2024

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc