DepConfuse is a command-line tool that proactively detects dependency confusion vulnerabilities. It scans SBOMs or PURLs to identify internal package names that could be subject to public package takeover, providing actionable insights to secure your software supply chain.
- SBOM-First Approach: Built on CycloneDX SBOMs, DepConfuse detects dependency confusion risks across ecosystems, offering broader and more precise coverage than tools limited to individual package managers.
- Multi-Registry Support: Supports 20+ package registries, including npm, PyPI, Maven, NuGet, Docker Hub, Go modules, RubyGems and more.
- PURL Analysis: Directly analyzes a list of Package URLs (PURLs) from a text file.
- Flexible Input Modes: Accepts both CycloneDX SBOMs (--sbom) and plain PURL lists (--file).
- Ecosystems.ms Integration: Provides real-time, namespace-aware checks across multiple ecosystems via a unified API.
- Clone the Repository:
  ```bash
  git clone https://github.com/th3-j0k3r/DepConfuse.git
  ```
- Navigate to the Directory:
  ```bash
  cd DepConfuse
  ```
- Build the Executable:
  ```bash
  go build -o depconfuse
  ```
DepConfuse can be used in two modes:
- SBOM mode (CycloneDX SBOM as input):
  ```bash
  ./depconfuse --sbom /path/to/sbom.json --output results.txt
  ```
- PURL list mode (plain-text list of Package URLs as input):
  ```bash
  ./depconfuse --file /path/to/purls.txt --output results.txt
  ```
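To make the SBOM-mode check concrete, here is an added Python example (not part of DepConfuse or its code base) that extracts PURLs from a constructed CycloneDX SBOM and flags the names that are absent from a stand-in public-registry index, which is the class of name an outsider could still register. The SBOM content, the `PUBLIC_INDEX` stand-in and the function names are assumptions for illustration; a real check would query the registries or an aggregator such as the one the tool integrates with.

```python
import json
from urllib.parse import unquote

# Constructed CycloneDX-style SBOM for illustration, not a real project's BOM.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "billing-core",
     "purl": "pkg:npm/%40acme/billing-core@2.3.0"},
    {"type": "library", "name": "acme-internal-utils",
     "purl": "pkg:pypi/acme-internal-utils@1.0.0"},
    {"type": "library", "name": "requests", "purl": "pkg:pypi/requests@2.31.0"}
  ]
}"""

# Constructed stand-in for a public-registry lookup. Entries are
# (type, namespace, name); a None name means the whole scope is claimed.
PUBLIC_INDEX = {("npm", None, "lodash"), ("pypi", None, "requests"),
                ("npm", "@acme", None)}


def parse_purl(purl):
    """Split a PURL into (type, namespace, name), dropping version/qualifiers."""
    body = purl.split("#", 1)[0].split("?", 1)[0]
    if not body.startswith("pkg:"):
        raise ValueError("not a PURL: " + purl)
    path = body[len("pkg:"):]
    at, slash = path.rfind("@"), path.rfind("/")
    if at > slash:  # an '@' after the last '/' introduces the version
        path = path[:at]
    segments = [unquote(s) for s in path.split("/")]  # %40acme -> @acme
    ptype, name = segments[0], segments[-1]
    namespace = "/".join(segments[1:-1]) or None
    return ptype, namespace, name


def find_unclaimed(sbom_json, public_index=PUBLIC_INDEX):
    """Return PURLs whose name (and namespace) is not on the public registry.
    An unclaimed name is one to reserve or pin before a resolver that merges
    private and public sources can be pointed at the wrong package."""
    unclaimed = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        ptype, ns, name = parse_purl(purl)
        claimed = (ptype, ns, name) in public_index or (ptype, ns, None) in public_index
        if not claimed:
            unclaimed.append(purl)
    return unclaimed
```

A name that is present on the public registry is not automatically safe either: it still needs an ownership check, which this offline stand-in does not perform.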
This project uses the following open-source projects:
