Money Trees provides a more secure way to interact with private and public package repositories using CodeArtifact. It also provides an enforceable process for handling code changes in private repositories, and a dashboard with actionable intelligence, so that developers can focus on deploying a fix when the dashboard highlights vulnerable packages.

Software dependency based attacks have become one of the most damaging kinds of cyber attack affecting businesses today. This project, created by Enron2, mitigates some of the risks of dependency based attacks by blocking basic attack vectors such as dependency confusion, and provides a clear, visible view of how dependencies are being used.
Install all dependencies (use Node 14.18.1):

```sh
$ npm install
```

Run the setup script `./setup.sh` to deploy the application. Fill in the prompts when requested; for more information read the deployment documentation here.
- First, an npmjs account has to be created, and a free organisation needs to be created under it.
- This organisation now serves as the scope/namespace: nobody except the owner of the npmjs account can create a public package with the name `@<chosen namespace during setup>/<package-name>`.
- This project can then be set up with the created organisation.
- You then create a new GitHub repository and initiate a new package under it by running:

  ```sh
  $ npm init --scope=<chosen namespace during setup>
  ```

- Once the new package is ready to be used, a `git push` or merge to main uploads `@<chosen namespace during setup>/<package-name>` to the private CodeArtifact repository.
- You then have to sign in to CodeArtifact with the following command:

  ```sh
  $ aws codeartifact login --tool npm --domain <company> --repository base-<company> --namespace <scope>
  ```

- Now any `npm install @<chosen namespace during setup>/<package-name>` will consult the private CodeArtifact repository and install the latest version from there.
- During the setup script there will be a link to access the dashboard for the project.
- The dashboard will then display all the packages and projects associated with the organisation created earlier.
- You can then select "report vulnerability" to record a vulnerability in the database, which can then be viewed in the dashboard.
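As an added example (not code from the Money Trees project), the following script checks a `package-lock.json` for the situation the scope and private registry are meant to prevent: a package under the organisation's scope that resolved from somewhere other than the private CodeArtifact registry. The scope name, registry URL and sample lock file contents are constructed placeholders.

```javascript
// Added example, not part of Money Trees: audit a package-lock.json and flag any
// package under the organisation scope that did NOT resolve from the private
// CodeArtifact registry (the dependency-confusion case the README describes).
// PRIVATE_SCOPE, PRIVATE_REGISTRY and SAMPLE_LOCK below are constructed values.

const PRIVATE_SCOPE = "@example-org";                       // assumed scope chosen during setup
const PRIVATE_REGISTRY = "https://private-registry.example.invalid/npm/base-example-org/"; // assumed

// Collect every (name, resolved) pair from a lock file, for lockfileVersion 1, 2 and 3.
function collectResolved(lock) {
  const out = [];
  if (lock.packages) {                                      // lockfileVersion 2 / 3
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf("node_modules/");
      if (idx === -1) continue;                             // "" is the root project itself
      out.push({ name: path.slice(idx + "node_modules/".length), resolved: meta.resolved || "" });
    }
  } else if (lock.dependencies) {                           // lockfileVersion 1 (nested tree)
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps)) {
        out.push({ name, resolved: meta.resolved || "" });
        if (meta.dependencies) walk(meta.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return out;
}

// Return scoped packages whose resolved URL is not on the private registry.
function findMisresolved(lock, scope = PRIVATE_SCOPE, registry = PRIVATE_REGISTRY) {
  return collectResolved(lock)
    .filter((p) => p.name.startsWith(scope + "/") && !p.resolved.startsWith(registry))
    .map((p) => `${p.name} <- ${p.resolved || "(no resolved URL)"}`);
}

// Constructed sample lock file: one private package correctly served from the private
// registry, one scoped package that came from the public registry, one unscoped public one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/@example-org/auth": { version: "1.2.0", resolved: PRIVATE_REGISTRY + "@example-org/auth/-/auth-1.2.0.tgz" },
    "node_modules/@example-org/utils": { version: "9.9.9", resolved: "https://registry.npmjs.org/@example-org/utils/-/utils-9.9.9.tgz" },
    "node_modules/lodash": { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
  },
};

const findings = findMisresolved(SAMPLE_LOCK);
console.log(findings.length ? findings.join("\n") : "OK: all scoped packages came from the private registry");
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a non-empty result means a scoped package was installed from outside the private registry and the install should be investigated.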
Team 2 (Enron 2)
Mentor: Brian Farnhill & Elisa Han
Tutor: Tim Thacker
Members:
Razin Idzuddin
William Tremain
Fiona O'Chee
Lachlan Waugh
Steven Phung
Andrew Xie
Click on the links below to learn more about each individual component and how it functions in the project