DepConfuse: SBOM-First Detection for Dependency Confusion
🔗 GitHub: https://github.com/th3-j0k3r/DepConfuse
Introduction
Dependency confusion attacks continue to be a significant risk in software supply chains. They occur when an internal package name or namespace is not claimed by the company in a public registry, allowing a malicious package to be published under the same name. While many companies attempt to secure their software supply chains, this type of vulnerability often goes unnoticed until it causes damage.
Current Challenges
Most existing tools for detecting dependency confusion are built for specific ecosystems and depend on files like lockfiles. They work well for a single language, but in an organization with a multi-language ecosystem, detection becomes challenging and often requires multiple tools.
Solution: DepConfuse
DepConfuse takes a fundamentally different approach by leveraging SBOMs. Instead of parsing source code or lockfiles, it analyzes CycloneDX SBOMs and uses PURL metadata to identify potentially vulnerable internal packages.
Why SBOMs Matter
SBOMs list all components, libraries, and dependencies in a standard format, making them the backbone of software composition analysis. By using SBOMs, DepConfuse can work across different ecosystems, scale to hundreds of applications, and integrate seamlessly into CI/CD pipelines or security tools.
How DepConfuse Works
DepConfuse parses CycloneDX SBOMs or text files containing PURLs, extracting package information including type, namespace, and name. It then queries the ecosyste.ms API to check whether the packages exist in public registries. If a package is not found, it indicates a potential dependency confusion vulnerability where an attacker could register a malicious package with the same name. The tool supports over 20 package ecosystems, including npm, PyPI, and Maven, providing comprehensive coverage across modern software supply chains.
Do try out DepConfuse and contribute ideas or PRs.
🔗 GitHub: https://github.com/th3-j0k3r/DepConfuse