OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

Update: Vulnerable Dependency Management Cheat Sheet with Dependency Confusion #641

Open righettod opened 3 years ago

righettod commented 3 years ago

What is missing or needs to be updated?

I have found this post about the Dependency Confusion attack and I think that it could be interesting to add a section about protection against this attack to the Vulnerable Dependency Management Cheat Sheet.

How should this be resolved?

I propose to add a small section showing some protections that can be applied.

Thanks a lot in advance and also thanks a lot for your amazing work on this project ❤️

mackowski commented 3 years ago

Hey @righettod good idea. Do you want to add it?

jmanico commented 3 years ago

Hello Dominique! This cheatsheet would definitely benefit from an update. We should probably discuss at least 2 different types of Dependency Confusion attacks, such as (1) Typosquatting and (2) Squatting on names of future package versions of packages that no longer exist.

We would be thrilled if you have time to add a section on this material! I also encourage your students to send us PRs when they see any mistakes!

Aloha, Jim

jmanico commented 3 years ago

I'm eager to see this work done

righettod commented 3 years ago

Hello @jmanico and @mackowski

Thanks a lot for the feedback about this proposal.

Unfortunately, I'm very busy on the MSTG and OSHP projects, so it will not be possible for me to work on this task.

I apologize again for having to decline.

Thanks again for your work on this amazing project 💯

nekosoft commented 1 year ago

Hey @righettod @jmanico - I have some independent study time where I'll be focusing on dependency management in the next couple of weeks, so I can pick this up (and of course anybody else who wants to collaborate/help is welcome!). I have a lot of resources that would be of use to this section.

mackowski commented 1 year ago

Awesome! @nekosoft I will assign this issue to you and feel free to create a PR for this! We will help, do not worry :)

mackowski commented 1 year ago

@nekosoft are you still interested in making a small PR?