A program to help identify and remediate dependency based attacks, and dependency confusion.

lachlan-waugh/depends

What is this?

Money Trees provides a more secure way to interact with private and public package repositories through AWS CodeArtifact. It also provides an enforceable process for handling code changes in private repositories, and a dashboard with actionable intel: when the dashboard highlights a package as vulnerable, developers can focus on deploying a fix.


Background

Dependency-based software supply-chain attacks have become one of the most damaging classes of cyber attack affecting businesses today. This project, created by Enron2, mitigates some of that risk by blocking basic attack vectors such as dependency confusion, and by giving a clear, visible view of how dependencies are being used.

Demo

Watch the video

Installation

Install all dependencies (use Node 14.18.1):

$ npm install

Deployment

Run the setup script ./setup.sh to deploy the application and fill in the prompts when requested. For more information, read the deployment documentation here.

Usage

  • First, create an npmjs account and a free organisation under it.
  • That organisation becomes the scope (namespace): once it is registered, nobody except the owner of that npmjs account can publish a public package named @<chosen namespace during setup>/<package-name>. This is what closes the dependency-confusion route, in which an attacker publishes a public package with the same name as an internal one and a higher version number; packages published without the scope do not get this protection.
  • Set this project up with the organisation you created.
  • Create a new GitHub repository and initialise a new package under it by running:
$ npm init --scope=<chosen namespace during setup>
  • Once the new package is ready to be used, a git push or merge to main uploads @<chosen namespace during setup>/<package-name> to the private CodeArtifact repository.
  • Sign in to CodeArtifact with the following command. It writes an @<scope>:registry= entry and an auth token for that registry into your .npmrc; the token expires (12 hours by default), so the command has to be re-run periodically:
$ aws codeartifact login --tool npm --domain <company> --repository base-<company> --namespace <scope>
  • From then on, npm install @<chosen namespace during setup>/<package-name> resolves the package from the CodeArtifact repository and installs the latest version there; dependencies outside the scope continue to come from the public registry.
  • The setup script prints a link to the project's dashboard.
  • The dashboard lists all packages and projects associated with the organisation created earlier.
  • Select Report vulnerability to record a vulnerability in the database; it is then shown in the dashboard.
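The protection in the steps above only holds while npm is actually routing the private scope to CodeArtifact. The following added example (written for this README; it is not code from the Money Trees project) audits a package.json against a .npmrc and flags every private-scoped dependency that npm would fetch from somewhere other than the CodeArtifact host, or for which no auth token is configured. The scope "enron", the CodeArtifact hostname, the repository name and the token value are all made up for the example.

```typescript
// Added example, not code from the Money Trees project. It checks the two npm
// settings that make the scope-based protection described above hold: every
// dependency under the private scope must be routed to the CodeArtifact registry
// by an `@scope:registry=` line, and that registry host must have an `_authToken`.
// Scope, domain, hostnames and the token below are made up.

interface NpmrcConfig {
  defaultRegistry: string;              // value of `registry=` (npm's default if absent)
  scopeRegistries: Map<string, string>; // "@scope" -> registry URL
  authHosts: Set<string>;               // hosts that have a `//host/path:_authToken=` line
}

// Minimal parser for the .npmrc keys relevant here; every other key is ignored.
function parseNpmrc(text: string): NpmrcConfig {
  const cfg: NpmrcConfig = {
    defaultRegistry: "https://registry.npmjs.org/",
    scopeRegistries: new Map(),
    authHosts: new Set(),
  };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") {
      cfg.defaultRegistry = value;
    } else if (key.startsWith("@") && key.endsWith(":registry")) {
      cfg.scopeRegistries.set(key.slice(0, -":registry".length), value);
    } else if (key.startsWith("//") && key.endsWith(":_authToken")) {
      // key looks like //host/npm/repo/:_authToken ; keep only the host part
      cfg.authHosts.add(key.slice(2).split("/")[0]);
    }
  }
  return cfg;
}

interface Finding { name: string; registry: string; reason: string }

function hostOf(url: string): string {
  return url.replace(/^https?:\/\//, "").split("/")[0];
}

// Flags private-scoped dependencies that npm would NOT fetch, authenticated, from CodeArtifact.
function auditDependencies(packageJson: string, npmrc: string, privateScope: string, codeartifactHost: string): Finding[] {
  const pkg = JSON.parse(packageJson) as {
    dependencies?: Record<string, string>;
    devDependencies?: Record<string, string>;
  };
  const cfg = parseNpmrc(npmrc);
  const findings: Finding[] = [];
  const names = Object.keys({ ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) });
  for (const name of names) {
    if (!name.startsWith(`@${privateScope}/`)) continue; // public deps are expected to come from npmjs
    const registry = cfg.scopeRegistries.get(`@${privateScope}`) ?? cfg.defaultRegistry;
    const host = hostOf(registry);
    if (host !== codeartifactHost) {
      findings.push({ name, registry, reason: "private-scoped package would be resolved from a non-CodeArtifact registry (dependency confusion risk)" });
    } else if (!cfg.authHosts.has(host)) {
      findings.push({ name, registry, reason: "CodeArtifact registry configured but no _authToken for it; run `aws codeartifact login` again" });
    }
  }
  return findings;
}

// Constructed sample input (not real project files).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "@enron/billing-service",
  dependencies: { "@enron/payments": "^1.2.0", express: "^4.18.2" },
  devDependencies: { "@enron/test-utils": "^0.3.1", typescript: "^4.9.0" },
});

const CA_HOST = "enron-123456789012.d.codeartifact.ap-southeast-2.amazonaws.com"; // made up

// Shape of what `aws codeartifact login --tool npm --namespace enron` leaves in .npmrc (token is fake).
const NPMRC_AFTER_LOGIN = `
@enron:registry=https://${CA_HOST}/npm/base-enron/
//${CA_HOST}/npm/base-enron/:_authToken=eyJ2ZXIiOjEs...
registry=https://registry.npmjs.org/
`;

// A fresh checkout with no scope mapping: the same names would be fetched from npmjs.
const NPMRC_FRESH = `registry=https://registry.npmjs.org/\n`;

function runSamples(): { afterLogin: Finding[]; fresh: Finding[] } {
  return {
    afterLogin: auditDependencies(SAMPLE_PACKAGE_JSON, NPMRC_AFTER_LOGIN, "enron", CA_HOST),
    fresh: auditDependencies(SAMPLE_PACKAGE_JSON, NPMRC_FRESH, "enron", CA_HOST),
  };
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Running the audit in CI before npm install, against the .npmrc the build actually uses, turns the "sign in to CodeArtifact" step into a checked precondition rather than something a developer remembers to do; an expired or missing token shows up as a finding instead of a silent fallback to the public registry.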

Team

Team 2 (Enron 2)
Mentors: Brian Farnhill & Elisa Han
Tutor: Tim Thacker

Members:
Razin Idzuddin
William Tremain
Fiona O'Chee
Lachlan Waugh
Steven Phung
Andrew Xie

Components

Click on the links below to learn more about each individual component and how it functions in the project

Languages

  • TypeScript 77.6%
  • CSS 19.1%
  • JavaScript 1.7%
  • Shell 1.4%
  • Other 0.2%