#!/bin/bash # Supply Chain & Dependency Security (black-box perspective) # Checks for exposed dependency manifests, version disclosure, build artifacts SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" source "$SCRIPT_DIR/../config.sh" OUT="$OUT/supply_chain" mkdir -p "$OUT" echo '=== SUPPLY CHAIN & DEPENDENCY SECURITY ===' | tee "$OUT/summary.txt" BROWSER="$BROWSER_UA" # ── 1. Exposed Dependency Manifests ───────────────────────────────────────── echo '' | tee -a "$OUT/summary.txt" echo '--- Exposed Dependency Files ---' | tee -a "$OUT/summary.txt" MANIFESTS=( "/package.json" "/package-lock.json" "/yarn.lock" "/pnpm-lock.yaml" "/composer.json" "/composer.lock" "/requirements.txt" "/Pipfile" "/Pipfile.lock" "/poetry.lock" "/Gemfile" "/Gemfile.lock" "/go.mod" "/go.sum" "/Cargo.toml" "/Cargo.lock" "/pom.xml" "/build.gradle" "/build.gradle.kts" "/vendor/" "/node_modules/" "/bower_components/" "/.npmrc" "/.yarnrc" "/pyproject.toml" ) for path in "${MANIFESTS[@]}"; do resp=$(curl -sk -o "$OUT/manifest_check.tmp" -w '%{http_code}' --max-time 8 -A "$BROWSER" "$TARGET$path") if [ "$resp" = "200" ]; then size=$(wc -c < "$OUT/manifest_check.tmp") echo " [!!!] EXPOSED: $path ($size bytes)" | tee -a "$OUT/summary.txt" head -3 "$OUT/manifest_check.tmp" | tee -a "$OUT/summary.txt" else echo " [PASS] $path → $resp" fi done # ── 2. Version Disclosure via Headers & Responses ──────────────────────────── echo '' | tee -a "$OUT/summary.txt" echo '--- Version Disclosure in Headers ---' | tee -a "$OUT/summary.txt" headers=$(curl -sk -I --max-time 10 -A "$BROWSER" "$TARGET/") echo "$headers" | grep -iE 'Server:|X-Powered-By:|X-Generator:|X-Runtime:|X-Version:|X-App-Version:' | tee -a "$OUT/summary.txt" echo "$headers" | grep -iE 'Server:|X-Powered-By:' | grep -qi '\d\.\d' && \ echo " [WARN] Version number in header" || echo " [PASS] No version in Server/X-Powered-By" | tee -a "$OUT/summary.txt" echo '' | tee -a "$OUT/summary.txt" echo '--- Version Disclosure in API Responses ---' | tee -a "$OUT/summary.txt" resp_body=$(curl -sk --max-time 8 -A "$BROWSER" "$API_TARGET/health") echo "$resp_body" | python3 -c " import sys, json try: d = json.load(sys.stdin) keys = ['version','build','commit','sha','tag','release','runtime','framework','dependencies'] found = {k: d.get(k) for k in keys if k in d} if found: print(' [WARN] Version fields in /health response:', found) else: print(' [PASS] No sensitive version fields in /health') except: print(' [INFO] /health not JSON or unavailable') " | tee -a "$OUT/summary.txt" # ── 3. Source Map Exposure (JS source leakage) ─────────────────────────────── echo '' | tee -a "$OUT/summary.txt" echo '--- JavaScript Source Map Exposure ---' | tee -a "$OUT/summary.txt" # Get main page, extract JS files, check for .map URLs js_files=$(curl -sk --max-time 10 -A "$BROWSER" "$TARGET/" | grep -oP 'src="[^"]*\.js[^"]*"' | sed 's/src="//;s/"//' | head -10) found_map=0 for jsf in $js_files; do [[ "$jsf" == http* ]] || jsf="$TARGET$jsf" mapurl="${jsf%.js}.js.map" resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 -A "$BROWSER" "$mapurl") if [ "$resp" = "200" ]; then echo " [!!!] Source map EXPOSED: $mapurl" | tee -a "$OUT/summary.txt" found_map=1 fi done [ "$found_map" -eq 0 ] && echo " [PASS] No exposed source maps found" | tee -a "$OUT/summary.txt" # ── 4. Build Artifact & CI/CD Exposure ─────────────────────────────────────── echo '' | tee -a "$OUT/summary.txt" echo '--- Build Artifacts & CI/CD Files ---' | tee -a "$OUT/summary.txt" BUILD_PATHS=( "/.github/workflows/" "/.github/actions/" "/.gitlab-ci.yml" "/Dockerfile" "/docker-compose.yml" "/docker-compose.prod.yml" "/.dockerignore" "/Makefile" "/Taskfile.yml" "/deploy.sh" "/release.sh" "/ci.sh" "/.travis.yml" "/Jenkinsfile" "/bitbucket-pipelines.yml" "/dist/" "/build/" "/target/" "/.env.example" "/.env.template" ) for path in "${BUILD_PATHS[@]}"; do resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 -A "$BROWSER" "$TARGET$path") [ "$resp" = "200" ] && echo " [!!!] EXPOSED: $path ($resp)" || echo " [PASS] $path → $resp" | tee -a "$OUT/summary.txt" done # ── 5. Dependency Confusion Attack Surface ──────────────────────────────────── echo '' | tee -a "$OUT/summary.txt" echo '--- Internal Package Names (dependency confusion check) ---' | tee -a "$OUT/summary.txt" # Pull package names from any exposed manifests and check if they exist on public npm pkg_json=$(curl -sk --max-time 8 -A "$BROWSER" "$TARGET/package.json" 2>/dev/null) if echo "$pkg_json" | python3 -c "import sys,json; json.load(sys.stdin)" 2>/dev/null; then echo "$pkg_json" | python3 -c " import sys, json d = json.load(sys.stdin) deps = {**d.get('dependencies',{}), **d.get('devDependencies',{})} internal = [k for k in deps if not k.startswith('@') and '-internal' in k or 'private' in k or k.startswith('pq')] print(' Internal/private package names found:', internal if internal else 'none') " | tee -a "$OUT/summary.txt" else echo " [PASS] package.json not accessible — dependency confusion surface not exposed" | tee -a "$OUT/summary.txt" fi # ── 6. Subresource Integrity (SRI) on External Scripts ─────────────────────── echo '' | tee -a "$OUT/summary.txt" echo '--- Subresource Integrity (SRI) Check ---' | tee -a "$OUT/summary.txt" page=$(curl -sk --max-time 10 -A "$BROWSER" "$TARGET/") external_no_sri=$(echo "$page" | grep -oP ']*src="https?://(?!'"$(echo $TARGET | sed 's|https://||')"')[^"]*"[^>]*>' | grep -v 'integrity=') if [ -n "$external_no_sri" ]; then echo " [WARN] External scripts WITHOUT SRI:" | tee -a "$OUT/summary.txt" echo "$external_no_sri" | head -5 | tee -a "$OUT/summary.txt" else echo " [PASS] All external scripts have SRI or are self-hosted" | tee -a "$OUT/summary.txt" fi cat "$OUT/summary.txt"