Supply Chain Shield: How DepConfuse Proactively Stops Dependency Confusion Attacks

DepConfuse is a command-line tool that proactively detects dependency confusion vulnerabilities. It scans SBOMs or PURLs to identify internal package names that could be subject to public package takeover, providing actionable insights to secure your software supply chain.

Features

  • SBOM-First Approach: Built on CycloneDX SBOMs, DepConfuse detects dependency confusion risks across ecosystems, offering broader and more precise coverage than tools limited to individual package managers.
  • Multi-Registry Support: Supports 20+ package registries. It covers npm, PyPI, Maven, NuGet, Docker Hub, Go modules, Ruby gems and more.
  • PURL Analysis: Directly analyzes a list of Package URLs (PURLs) from a text file.
  • Flexible Input Modes: Accepts both CycloneDX SBOMs (--sbom) and plain PURL lists (--file).
  • Ecosystems.ms Integration: Provides real-time, namespace-aware checks across multiple ecosystems via a unified API.

Installation

  1. Clone the Repository:

    git clone https://github.com/th3-j0k3r/DepConfuse.git

  2. Navigate to the Directory:

    cd DepConfuse

  3. Build the Executable:

    go build -o depconfuse

Use

DepConfuse can be used in two modes:

1. SBOM Analysis Mode

./depconfuse --sbom /path/to/sbom.json --output results.txt

2. PURL File Analysis Mode

./depconfuse --file /path/to/purls.txt --output results.txt
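The core of the SBOM mode described above is: read the component PURLs out of a CycloneDX document, keep the ones that look internal and are not protected by an owned namespace or scope, and flag any whose name also resolves in a public registry. The following Go program is an added illustration of that check, not DepConfuse's own code; it assumes a constructed SBOM, an `acme` name prefix as the internal-package heuristic, and an in-memory map standing in for the registry lookup the tool performs through Ecosystems.ms.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Minimal view of a CycloneDX JSON SBOM: only the component purls are needed.
type sbom struct{ Components []struct{ Purl string `json:"purl"` } `json:"components"` }

// Constructed sample SBOM (not from the page or the project).
const sampleSBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
 {"purl":"pkg:npm/acme-auth-lib@1.2.0"}, {"purl":"pkg:npm/%40acme/core@2.0.0"},
 {"purl":"pkg:npm/lodash@4.17.21"}, {"purl":"pkg:pypi/acme_billing@0.3.1?x=y"}]}`

// Constructed stand-in for the public-registry lookup (the tool uses Ecosystems.ms).
var publicIndex = map[string]bool{
	"npm/lodash":        true,
	"npm/acme-auth-lib": true, // unscoped public package carrying our internal name
}

// ParsePurl splits "pkg:type/namespace/name@version?qualifiers"; ns may be empty.
func ParsePurl(purl string) (typ, ns, name string, ok bool) {
	typ, rest, ok := strings.Cut(strings.TrimPrefix(purl, "pkg:"), "/")
	if !strings.HasPrefix(purl, "pkg:") || !ok || rest == "" {
		return "", "", "", false
	}
	rest, _, _ = strings.Cut(rest, "?") // drop qualifiers
	rest, _, _ = strings.Cut(rest, "@") // drop version
	if i := strings.LastIndex(rest, "/"); i >= 0 {
		return typ, rest[:i], rest[i+1:], true
	}
	return typ, "", rest, true
}

// ScanSBOM flags internal names (prefix match, no owned namespace/scope) that also resolve publicly.
func ScanSBOM(doc, internalPrefix string, public map[string]bool) ([]string, error) {
	var b sbom
	if err := json.Unmarshal([]byte(doc), &b); err != nil {
		return nil, err
	}
	var findings []string
	for _, c := range b.Components {
		typ, ns, name, ok := ParsePurl(c.Purl)
		if ok && ns == "" && strings.HasPrefix(name, internalPrefix) && public[typ+"/"+name] {
			findings = append(findings, c.Purl)
		}
	}
	return findings, nil
}
```

Only `pkg:npm/acme-auth-lib@1.2.0` is reported: the scoped `@acme/core` is skipped because the scope is owned, and `acme_billing` is internal but has no public counterpart.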

Source: https://github.com/th3-j0k3r/
