Money Trees provides a more secure way to interact with private and public package repositories using AWS CodeArtifact. It also provides an enforceable process for handling code changes in private repositories, and a dashboard with actionable intelligence: when the dashboard highlights a package that is vulnerable, developers can focus on deploying a fix.
Software-supply-chain attacks that target dependencies have become some of the most damaging cyber attacks affecting businesses today. This project, created by Enron2, mitigates some of the risks of dependency-based attacks by preventing basic attack vectors such as dependency confusion, and it provides a clear, visible view of how dependencies are being used.
Demo
Installation
Install all dependencies (use Node 14.18.1):
$ npm install
Deployment
Run the setup script ./setup.sh to deploy the application. Fill in the prompts when requested; for more information, read the deployment documentation here.
Usage
First, create an npmjs account and a free organisation under it.
This organisation serves as the scope/namespace: nobody except the owner of the npmjs account can publish a public package named @<chosen namespace during setup>/<package-name>. Reserving the scope on the public registry is what closes the dependency-confusion vector, since an attacker can no longer publish a same-named public package for npm to prefer over the private one.
The project can then be set up with the created organisation.
You then create a new GitHub repository and initialise a new package under it by running:
$ npm init --scope=<chosen namespace during setup>
Once the new package is ready to be used, a git push or merge to main uploads @<chosen namespace during setup>/<package-name> to the private CodeArtifact repository.
You then have to sign in to CodeArtifact with the following command
Now any npm install @<chosen namespace during setup>/<package-name> resolves against the private CodeArtifact repository and installs the latest version from there.
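The protection described above only holds if packages in the private scope really are resolved from the CodeArtifact repository. The following script is an added example, not code from the Money Trees project: it parses the `@scope:registry=` lines of an `.npmrc`, walks a lockfileVersion 2/3 `package-lock.json`, and reports any package in a private scope whose `resolved` URL points somewhere other than the private registry, which is what a dependency-confusion attack (the vector discussed in the introduction) looks like after the fact. The registry hostnames, the `@acme` scope and the lockfile contents are constructed for the example.

```javascript
// Added example (not part of Money Trees): detect dependency confusion in a
// resolved npm lockfile by checking that every package in a privately routed
// scope was fetched from the private registry configured in .npmrc.

// Assumed registry URLs; a real run would take them from the .npmrc that the
// CodeArtifact login step writes.
const PRIVATE_REGISTRY =
  'https://example-domain-111122223333.d.codeartifact.us-east-1.amazonaws.com/npm/example-repo/';
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Parse "@scope:registry=<url>" lines of an .npmrc into a Map of scope -> URL.
// Comments (# or ;) and unrelated keys are ignored; URLs are normalised to a
// trailing slash so prefix matching is reliable.
function parseScopeRegistries(npmrcText) {
  const scopes = new Map();
  for (const raw of npmrcText.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const m = /^(@[^:=\s]+):registry\s*=\s*(\S+)$/.exec(line);
    if (m) scopes.set(m[1], m[2].endsWith('/') ? m[2] : m[2] + '/');
  }
  return scopes;
}

// Derive the package name from a lockfile "packages" key such as
// "node_modules/foo/node_modules/@acme/util" -> "@acme/util".
function nameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx < 0 ? path : path.slice(idx + marker.length);
}

// Return one finding per package whose scope is mapped to a private registry
// but whose resolved tarball URL does not come from that registry.
function checkLockfile(lock, scopeRegistries) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.resolved) continue; // root project, links, workspaces
    const name = entry.name || nameFromPath(path);
    if (!name.startsWith('@')) continue; // unscoped packages are not routed privately
    const scope = name.slice(0, name.indexOf('/'));
    const expected = scopeRegistries.get(scope);
    if (expected && !entry.resolved.startsWith(expected)) {
      findings.push({
        name,
        resolved: entry.resolved,
        reason: `resolved outside the private registry configured for ${scope}`,
      });
    }
  }
  return findings;
}

// Constructed .npmrc: everything defaults to the private registry (which
// proxies the public one) and the @acme scope is pinned to it explicitly.
const SAMPLE_NPMRC = `
# written by the CodeArtifact login step
registry=${PRIVATE_REGISTRY}
@acme:registry=${PRIVATE_REGISTRY}
`;

// Constructed lockfile: one healthy private package, one public package, and
// one private-scope package that was fetched from the public registry.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@acme/util': '^1.0.0', 'left-pad': '^1.3.0' } },
    'node_modules/@acme/util': {
      version: '1.2.0',
      resolved: PRIVATE_REGISTRY + '@acme/util/-/util-1.2.0.tgz',
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: PUBLIC_REGISTRY + 'left-pad/-/left-pad-1.3.0.tgz',
    },
    'node_modules/@acme/internal-auth': {
      version: '99.0.0', // implausibly high version: a classic confusion tell
      resolved: PUBLIC_REGISTRY + '@acme/internal-auth/-/internal-auth-99.0.0.tgz',
    },
  },
};

// Run the check over the constructed inputs and return the findings.
function runDemo() {
  return checkLockfile(SAMPLE_LOCK, parseScopeRegistries(SAMPLE_NPMRC));
}

for (const f of runDemo()) {
  console.log(`${f.name}: ${f.reason} (${f.resolved})`);
}
```

Run it against a real checkout by replacing the constructed inputs with `fs.readFileSync('.npmrc', 'utf8')` and `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result is a reason to fail the build before `npm ci` runs.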
The setup script prints a link to the project's dashboard.
The dashboard displays all the packages and projects associated with the organisation created earlier.
Select "report vulnerability" to record a vulnerability in the database; it then appears in the dashboard.
Team
Team 2 (Enron 2)
Mentors: Brian Farnhill & Elisa Han
Tutor: Tim Thacker
Members:
Razin Idzuddin
William Tremain
Fiona O'Chee
Lachlan Waugh
Steven Phung
Andrew Xie
Components
Click on the links below to learn more about each individual component and how it functions in the project.