Nexus Repository Manager dependency/namespace confusion checker

This repository contains a script to check if you have artifacts containing the same name between your repositories. This can be used to check if you're affected by a Dependency Confusion Attack

For example

npm-hosted has packages published with the @mycompany/artifact@2.0.1
npm-proxy has a package called @mycompany/artifact@10.0.1

This would be a match.

Requirements

• Python3
• NXRM3 OSS or PRO

‼ - Nexus Firewall with NXRM3 now has a feature for Dependency confusion protection. See help.sonatype.com for more information or contact Sonatype.

‼ - Large registries with NX3 might cause an orient error. If you run into this contact your Sonatype CS for help

• NXRM2 OSS or PRO

‼ - DO NOT RUN THIS IF YOU ARE USING SLOW STORAGE SUCH AS NFS TO BACK NEXUS. It may cause your NX2 to slow down and become unresponsive. We recommend upgrading to nx3 as a primary first step.

Instructions

Step 1: Customise values in repo-diff.py (NXRM3) or repo-diff-nxrm2.py (NXRM2)

You'll need to modify the script to include

1. Auth creds or tokens from your NXRM. (USER and TOKEN)
2. URL to your Nexus (REPO_HOSTNAME)
3. Repositories to compare in REPOS. e.g. to compare ruby and npm hosted to their proxies

REPOS = {
    # hosted: proxy
    "ruby-hosted": "ruby-proxy",
    "npm-hosted": "npm-group-proxy"
}

You'll find examples of all in the script.

Step 2: Create new virtual environment

python3 -m venv my-venv

Step 3: Activate your virtual environment

Do this in your terminal or by using your favorite IDE

Windows

my-venv\Scripts\activate.bat

MacOs *NIX Linux

source my-venv/bin/activate

Step 4: Install dependencies

pip install -r requirements.txt

Step 5: Run script

To run the script simply type - results will be printed out to stdout and can be piped to a file for later use.

 python3 repo-diff.py