This repository contains a script to check whether artifacts with the same name exist in two of your repositories (a hosted repository and the proxy of a public registry). This can be used to check if you're affected by a Dependency Confusion Attack.
For example:
npm-hosted has packages published with the @mycompany/[email protected]
npm-proxy has a package called @mycompany/[email protected]
This would be a match.
Requirements:
- Python3
- NXRM3 OSS or PRO
You'll need to modify the script to include
- Auth creds or tokens from your NXRM3.
- URL to your Nexus
- Repositories to compare in REPOS, e.g. to compare the ruby and npm hosted repositories to their proxies:
REPOS = {
# hosted: proxy
"ruby-hosted": "ruby-proxy",
"npm-hosted": "npm-group-proxy"
}
You'll find examples of all in the script.
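The following is an added illustration of the hosted-versus-proxy comparison described above; it is not the repository's own repo-diff.py. It pages through component listings, keys each component on (format, group, name) so that versions are irrelevant to the match, and reports every name that exists on both sides together with the versions each side serves. The sample pages, package names and versions are constructed, and the `make_nexus_fetcher` helper assumes the NXRM3 Components REST endpoint `/service/rest/v1/components` with `repository` and `continuationToken` query parameters (it is not exercised offline).

```python
"""Hypothetical hosted-vs-proxy collision check (added example, not repo-diff.py)."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# hosted: proxy, in the same shape as the REPOS mapping the README asks you to edit.
REPOS = {"npm-hosted": "npm-proxy"}

# Constructed sample pages shaped like a Nexus Repository 3 components listing,
# including the continuationToken used for paging. All names/versions are made up.
SAMPLE_PAGES = {
    ("npm-hosted", None): {
        "items": [
            {"format": "npm", "group": "@mycompany", "name": "@mycompany/internal-utils", "version": "1.4.0"},
            {"format": "npm", "group": "@mycompany", "name": "@mycompany/build-helper", "version": "0.2.1"},
        ],
        "continuationToken": "page2",
    },
    ("npm-hosted", "page2"): {
        "items": [
            {"format": "npm", "group": "@mycompany", "name": "@mycompany/internal-utils", "version": "1.3.0"},
        ],
        "continuationToken": None,
    },
    ("npm-proxy", None): {
        "items": [
            # Same name as the hosted package but a much higher version: the
            # classic dependency confusion shape a resolver may prefer.
            {"format": "npm", "group": "@mycompany", "name": "@mycompany/internal-utils", "version": "99.0.0"},
            {"format": "npm", "group": None, "name": "lodash", "version": "4.17.21"},
        ],
        "continuationToken": None,
    },
}

PageFetcher = Callable[[str, Optional[str]], dict]


def sample_fetch_page(repository: str, token: Optional[str]) -> dict:
    """Offline fetcher that serves the constructed pages above."""
    return SAMPLE_PAGES[(repository, token)]


def make_nexus_fetcher(base_url: str, user: str, password: str) -> PageFetcher:
    """Build a fetcher for a live NXRM3 instance (assumed endpoint, not run here)."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch_page(repository: str, token: Optional[str]) -> dict:
        params = {"repository": repository}
        if token:
            params["continuationToken"] = token
        url = f"{base_url.rstrip('/')}/service/rest/v1/components?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + auth})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    return fetch_page


def list_components(fetch_page: PageFetcher, repository: str) -> List[dict]:
    """Follow continuationToken until the listing is exhausted."""
    items: List[dict] = []
    token: Optional[str] = None
    while True:
        page = fetch_page(repository, token)
        items.extend(page.get("items", []))
        token = page.get("continuationToken")
        if not token:
            return items


def component_key(item: dict) -> Tuple[str, Optional[str], str]:
    # Version is deliberately excluded: a name collision is the finding.
    return (item.get("format", ""), item.get("group"), item["name"])


def find_collisions(hosted: List[dict], proxy: List[dict]) -> List[dict]:
    """One record per component name present in both repositories."""
    hosted_versions: Dict[tuple, set] = {}
    proxy_versions: Dict[tuple, set] = {}
    for item in hosted:
        hosted_versions.setdefault(component_key(item), set()).add(item.get("version"))
    for item in proxy:
        proxy_versions.setdefault(component_key(item), set()).add(item.get("version"))
    shared = set(hosted_versions) & set(proxy_versions)
    collisions = []
    for fmt, group, name in sorted(shared, key=lambda k: tuple(str(x) for x in k)):
        key = (fmt, group, name)
        collisions.append({
            "format": fmt, "group": group, "name": name,
            "hosted_versions": sorted(hosted_versions[key]),
            "proxy_versions": sorted(proxy_versions[key]),
        })
    return collisions


def compare_repos(fetch_page: PageFetcher, repos: Dict[str, str] = REPOS) -> Dict[str, List[dict]]:
    """Run the comparison for every hosted: proxy pair."""
    return {hosted: find_collisions(list_components(fetch_page, hosted),
                                    list_components(fetch_page, proxy))
            for hosted, proxy in repos.items()}


if __name__ == "__main__":
    # Offline run against the constructed pages; swap in make_nexus_fetcher(...) for a live check.
    print(json.dumps(compare_repos(sample_fetch_page), indent=2))
```

A collision only says that the public registry serves a package under one of your private names; the hosted and proxy versions in the report tell you whether a resolver that prefers the highest version would pull the external one.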
Create and activate a virtual environment, then install the dependencies. Do this in your terminal or by using your favorite IDE.
python3 -m venv my-venv
On Windows:
my-venv\Scripts\activate.bat
On macOS/Linux:
source my-venv/bin/activate
pip install -r requirements.txt
To run the script, simply type the following. Results are printed to stdout and can be piped to a file for later use.
python3 repo-diff.py