apiiro / combobulator
Dependency Combobulator
License: Apache License 2.0
System and Python versions
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy
$ python3 --version
Python 3.10.4
Installation (steps to reproduce):
$ git clone https://github.com/apiiro/combobulator
Cloning into 'combobulator'...
remote: Enumerating objects: 85, done.
remote: Counting objects: 100% (85/85), done.
remote: Compressing objects: 100% (72/72), done.
remote: Total 85 (delta 34), reused 46 (delta 11), pack-reused 0
Receiving objects: 100% (85/85), 213.21 KiB | 2.11 MiB/s, done.
Resolving deltas: 100% (34/34), done.
$ cd combobulator/
$ virtualenv venv
created virtual environment CPython3.10.4.final.0-64 in 419ms
$ source venv/bin/activate
$ pip install -r requirements.txt
Collecting requests==2.12.1
Using cached requests-2.12.1-py2.py3-none-any.whl (574 kB)
Collecting gql==2.0.0
Using cached gql-2.0.0-py2.py3-none-any.whl (10 kB)
Collecting python-dotenv==0.19.2
Using cached python_dotenv-0.19.2-py2.py3-none-any.whl (17 kB)
Collecting six>=1.10.0
Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting promise<3,>=2.3
Using cached promise-2.3-py3-none-any.whl
Collecting graphql-core<3,>=2.3.2
Using cached graphql_core-2.3.2-py2.py3-none-any.whl (252 kB)
Collecting rx<2,>=1.6
Using cached Rx-1.6.1-py2.py3-none-any.whl (179 kB)
Installing collected packages: rx, requests, six, python-dotenv, promise, graphql-core, gql
Successfully installed gql-2.0.0 graphql-core-2.3.2 promise-2.3 python-dotenv-0.19.2 requests-2.12.1 rx-1.6.1 six-1.16.0
$ combobulator --help
combobulator: command not found
I can't run combobulator directly; I must search for the Python file.
$ find ../combobulator/ -iname combobulato*
../combobulator/
../combobulator/src/combobulator.py
$ python src/combobulator.py --help
Traceback (most recent call last):
File "combobulator/venv/lib/python3.10/site-packages/requests/packages/urllib3/_collections.py", line 2, in <module>
from collections import Mapping, MutableMapping
ImportError: cannot import name 'Mapping' from 'collections' (/usr/lib/python3.10/collections/__init__.py)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "combobulator/venv/lib/python3.10/site-packages/requests/packages/__init__.py", line 29, in <module>
import urllib3
ModuleNotFoundError: No module named 'urllib3'
Module urllib3 is used, but missing from requirements. So I install it manually.
$ pip install urllib3
Successfully installed urllib3-1.26.9
Try launching the script again:
$ python src/combobulator.py --help
Traceback (most recent call last):
File "temp_for_tool/combobulator/src/combobulator.py", line 7, in <module>
import registry.npm as npm
File "temp_for_tool/combobulator/src/registry/npm.py", line 2, in <module>
import requests
File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/__init__.py", line 63, in <module>
from . import utils
File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/utils.py", line 29, in <module>
from .cookies import RequestsCookieJar, cookiejar_from_dict
File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/cookies.py", line 174, in <module>
class RequestsCookieJar(cookielib.CookieJar, collections.MutableMapping):
AttributeError: module 'collections' has no attribute 'MutableMapping'
requirements.txt specifies a pinned version of requests as a dependency:
requests==2.11.1
However, it also calls for gql. gql 2.0.0 has its own dependency on a higher version of requests:
requests<3,>=2.12
![dependency conflict example](https://user-images.githubusercontent.com/47631344/148214910-fb884a6d-d9e4-4e6a-a971-3b7b0d198d5c.png)
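The conflict the report describes (a direct pin that a transitive requirement cannot accept) can be caught before running pip. The following is an added example, not code from the combobulator project: it parses PEP 440-style requirement strings with a small specifier subset (==, !=, >, >=, <, <=), compares versions numerically, and reports every pinned package that fails a transitive constraint. The pinned versions and the gql constraint are constructed from the numbers the reporter quotes. Note that a pin which does satisfy every declared constraint can still break on a newer interpreter, as the collections.Mapping traceback above shows; this check only finds declared conflicts.

```python
import re

# Constructed inputs: the pin the reporter cites from requirements.txt and the
# constraint gql 2.0.0 declares on requests (as quoted in the report).
PINNED = {"requests": "2.11.1", "gql": "2.0.0"}
TRANSITIVE = {"gql": ["requests<3,>=2.12"]}

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_REQ = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$")
_CLAUSE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9][0-9.]*)$")


def parse_version(v):
    """'2.12' -> (2, 12, 0): pad to three numeric parts so '2.12.1' > '2.12'."""
    parts = [int(p) for p in v.split(".") if p != ""]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirement(req):
    """'requests<3,>=2.12' -> ('requests', [('<', (3,0,0)), ('>=', (2,12,0))])."""
    m = _REQ.match(req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    name, spec = m.group(1).lower(), m.group(2).strip()
    clauses = []
    for clause in spec.split(","):
        clause = clause.strip()
        if not clause:
            continue
        cm = _CLAUSE.match(clause)
        if not cm:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def satisfies(version, clauses):
    """True when the concrete version meets every clause of the specifier."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)


def find_conflicts(pinned, transitive):
    """Return [(dependant, requirement, pinned_version)] for every transitive
    requirement that the pinned version of its target does not satisfy."""
    pins = {k.lower(): v for k, v in pinned.items()}
    conflicts = []
    for dependant, reqs in transitive.items():
        for req in reqs:
            name, clauses = parse_requirement(req)
            pin = pins.get(name)
            if pin is not None and not satisfies(pin, clauses):
                conflicts.append((dependant, req, pin))
    return conflicts


if __name__ == "__main__":
    for dependant, req, pin in find_conflicts(PINNED, TRANSITIVE):
        print(f"CONFLICT: {dependant} requires {req}, but requirements.txt pins {pin}")
```

With the quoted numbers the script reports one conflict (gql needs requests>=2.12, the pin is 2.11.1); with the 2.12.1 that pip actually installed in the session above, the same constraint is satisfied, which is why pip did not complain and the failure only surfaced at import time.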
For the dependency confusion use case: a keyword list option for marking risky packages that should follow a scheme for internal-facing only.
That way the user will be able to designate dependencies that are to be highlighted if found to be present on the public repo.
cc @rotemreiss
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy
$ python3 --version
Python 3.10.4
$ cd ~/Downloads
$ git clone https://github.com/clarkio/vulnerable-app.git
Cloning into 'vulnerable-app'...
[...]
Resolving deltas: 100% (237/237), done.
$ git clone https://github.com/stamparm/DSVW.git
Cloning into 'DSVW'...
[...]
Resolving deltas: 100% (68/68), done.
$ git clone https://github.com/rafaelrpinto/VulnerableJavaWebApplication
Cloning into 'VulnerableJavaWebApplication'...
[...]
Resolving deltas: 100% (66/66), done.
$ cd *path_to_combobulator_folder*
$ python src/combobulator.py --type npm --directory ~/Downloads/vulnerable-app/
____ _____ ____ _____ _ _ ____ _____ _ _ ______ __
| _ \| ____| _ \| ____| \ | | _ \| ____| \ | |/ ___\ \ / /
| | | | _| | |_) | _| | \| | | | | _| | \| | | \ V /
| |_| | |___| __/| |___| |\ | |_| | |___| |\ | |___ | |
|____/|_____|_| |_____|_| \_|____/|_____|_| \_|\____| |_|
____ ____ __ __ ____ ____ ____ _ _ _ _ _____ ____ ____
/ ___/ /\ \| \/ | __ ) / /\ \| __ )| | | | | / \|_ _/ /\ \| _ \
| | / / \ \ |\/| | _ \/ / \ \ _ \| | | | | / _ \ | |/ / \ \ |_) |
| |__\ \ / / | | | |_) \ \ / / |_) | |_| | |___ / ___ \| |\ \ / / _ <
\____\_\/_/|_| |_|____/ \_\/_/|____/ \___/|_____/_/ \_\_| \_\/_/|_| \_
[PROC] Arguments parsed.
[PROC] Package list imported.... ['body-parser', 'cookie-parser', 'express', 'morgan', 'serve-favicon', dict_keys(['browser-sync', 'chai', 'chai-as-promised', 'chalk', 'dateformat', 'debug', 'del', 'glob', 'gulp', 'gulp-angular-templatecache', 'gulp-autoprefixer', 'gulp-bump', 'gulp-bytediff', 'gulp-concat', 'gulp-filter', 'gulp-header', 'gulp-if', 'gulp-imagemin', 'gulp-inject', 'gulp-jscs', 'gulp-jshint', 'gulp-less', 'gulp-load-plugins', 'gulp-minify-css', 'gulp-minify-html', 'gulp-ng-annotate', 'gulp-nodemon', 'gulp-order', 'gulp-plumber', 'gulp-print', 'gulp-rev', 'gulp-rev-replace', 'gulp-sourcemaps', 'gulp-task-listing', 'gulp-uglify', 'gulp-useref', 'gulp-util', 'jshint-stylish', 'karma', 'karma-chai', 'karma-chai-sinon', 'karma-chrome-launcher', 'karma-coverage', 'karma-firefox-launcher', 'karma-growl-reporter', 'karma-mocha', 'karma-phantomjs-launcher', 'karma-safari-launcher', 'karma-sinon', 'lodash', 'method-override', 'minimist', 'mocha', 'node-notifier', 'phantomjs-prebuilt', 'plato', 'q', 'sinon', 'sinon-chai', 'wiredep', 'yargs'])]
Traceback (most recent call last):
File "combobulator/src/combobulator.py", line 195, in <module>
main()
File "combobulator/src/combobulator.py", line 173, in main
metapkg(x, args.package_type)
File "combobulator/src/metapackage.py", line 7, in __init__
if len(pkgname.split(':')) == 2:
AttributeError: 'dict_keys' object has no attribute 'split'
$ python src/combobulator.py --type pypi --directory ~/Downloads/DSVW/
____ _____ ____ _____ _ _ ____ _____ _ _ ______ __
| _ \| ____| _ \| ____| \ | | _ \| ____| \ | |/ ___\ \ / /
| | | | _| | |_) | _| | \| | | | | _| | \| | | \ V /
| |_| | |___| __/| |___| |\ | |_| | |___| |\ | |___ | |
|____/|_____|_| |_____|_| \_|____/|_____|_| \_|\____| |_|
____ ____ __ __ ____ ____ ____ _ _ _ _ _____ ____ ____
/ ___/ /\ \| \/ | __ ) / /\ \| __ )| | | | | / \|_ _/ /\ \| _ \
| | / / \ \ |\/| | _ \/ / \ \ _ \| | | | | / _ \ | |/ / \ \ |_) |
| |__\ \ / / | | | |_) \ \ / / |_) | |_| | |___ / ___ \| |\ \ / / _ <
\____\_\/_/|_| |_|____/ \_\/_/|____/ \___/|_____/_/ \_\_| \_\/_/|_| \_
[PROC] Arguments parsed.
[ERROR] Selected package type doesn't support import scan.
$ python src/combobulator.py --type maven --directory ~/Downloads/VulnerableJavaWebApplication/
____ _____ ____ _____ _ _ ____ _____ _ _ ______ __
| _ \| ____| _ \| ____| \ | | _ \| ____| \ | |/ ___\ \ / /
| | | | _| | |_) | _| | \| | | | | _| | \| | | \ V /
| |_| | |___| __/| |___| |\ | |_| | |___| |\ | |___ | |
|____/|_____|_| |_____|_| \_|____/|_____|_| \_|\____| |_|
____ ____ __ __ ____ ____ ____ _ _ _ _ _____ ____ ____
/ ___/ /\ \| \/ | __ ) / /\ \| __ )| | | | | / \|_ _/ /\ \| _ \
| | / / \ \ |\/| | _ \/ / \ \ _ \| | | | | / _ \ | |/ / \ \ |_) |
| |__\ \ / / | | | |_) \ \ / / |_) | |_| | |___ / ___ \| |\ \ / / _ <
\____\_\/_/|_| |_|____/ \_\/_/|____/ \___/|_____/_/ \_\_| \_\/_/|_| \_
[PROC] Arguments parsed.
[PROC] Package list imported.... ['org.springframework.boot:spring-boot-starter-web', 'org.apache.tomcat.embed:tomcat-embed-jasper', 'javax.servlet:jstl', 'org.springframework:spring-jdbc', 'com.h2database:h2']
[PROC] Maven checker engaged.
[ANALYSIS] Package: spring-boot-starter-web is present on public provider.
[ANALYSIS] Package: tomcat-embed-jasper is present on public provider.
[ANALYSIS] Package: jstl is present on public provider.
[ANALYSIS] Package: spring-jdbc is present on public provider.
[ANALYSIS] Package: h2 is present on public provider.
Only the Java scan is stable. Please fix it. Also, please update the readme.md.
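Two things in this thread lend themselves to one worked example: the npm run above dies because the imported package list contains a dict_keys object rather than name strings (the `devDependencies` keys were appended as one object instead of being extended into the list), and the earlier feature request asks for a keyword list that marks internal-only packages so they are highlighted when they turn out to exist on the public provider. The code below is an added example, not combobulator's own code: it flattens a constructed package.json into a list of plain name strings, keeps scoped npm names distinct from any Maven-style `group:artifact` split, and flags names that match a hypothetical internal-naming pattern while also appearing in a constructed stand-in for the public registry. `PACKAGE_JSON`, `INTERNAL_PATTERNS` and `PUBLIC_REGISTRY` are all constructed; a real checker would query the registry for the lookup.

```python
import json
import re

# Constructed package.json text (not the vulnerable-app manifest from the report).
PACKAGE_JSON = """{
  "name": "demo",
  "dependencies": {"express": "^4.17.1", "@acme/auth-client": "1.2.0"},
  "devDependencies": {"mocha": "^9.0.0", "acme-internal-lint": "0.3.1"}
}"""

# Hypothetical internal-naming scheme a user would supply via the requested
# keyword-list option: names matching these should only come from an internal feed.
INTERNAL_PATTERNS = [r"^@acme/", r"^acme-internal-"]

# Constructed stand-in for a public-registry lookup. Names present here count as
# "present on public provider" in the tool's wording.
PUBLIC_REGISTRY = {"express", "mocha", "acme-internal-lint"}


def package_names(manifest_text):
    """Flatten dependencies and devDependencies into one list of name strings.

    list.extend(section.keys()) is the correct call; list.append(section.keys())
    would store a single dict_keys object, which is what later produces
    "'dict_keys' object has no attribute 'split'" in metapackage.py."""
    manifest = json.loads(manifest_text)
    names = []
    for section in ("dependencies", "devDependencies"):
        names.extend(manifest.get(section, {}).keys())
    return names


def split_scope(name):
    """'@acme/auth-client' -> ('@acme', 'auth-client'); 'express' -> (None, 'express').

    npm scopes use '@scope/name', so an npm name never needs the ':'-based
    group:artifact split that Maven coordinates use."""
    if name.startswith("@") and "/" in name:
        scope, _, base = name.partition("/")
        return scope, base
    return None, name


def flag_internal_on_public(names, patterns, public_lookup):
    """Return names that match an internal-only pattern AND exist publicly:
    the dependency-confusion condition the keyword-list option should surface."""
    compiled = [re.compile(p) for p in patterns]
    flagged = []
    for name in names:
        looks_internal = any(c.search(name) for c in compiled)
        if looks_internal and public_lookup(name):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    names = package_names(PACKAGE_JSON)
    print("[PROC] Package list imported....", names)
    for n in flag_internal_on_public(names, INTERNAL_PATTERNS, PUBLIC_REGISTRY.__contains__):
        print(f"[WARN] {n} matches an internal-only pattern but is present on the public provider")
```

Against the constructed manifest, `@acme/auth-client` matches the internal pattern but is absent from the public set, so it is not reported; `acme-internal-lint` matches and is present, so it is the one name flagged. Every element of the imported list is a `str`, so the `pkgname.split(':')` call in the traceback above would not fail on it.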
poop@spaceship:~/git/combobulator/src
04:29 PM (main=) $ python3 ./combobulator.py --help
Traceback (most recent call last):
File "/.../combobulator/src/./combobulator.py", line 3, in <module>
from dotenv import load_dotenv
ModuleNotFoundError: No module named 'dotenv'
ref #19