Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@commerce-apps/raml-toolkit
Advanced tools
A collection of raml tools for commerce cloud and beyond
npm install -g @commerce-apps/raml-toolkit
The npm installs the binaries as both raml-toolkit
and ramlint
and they can be used interchangeably. You can always run with --help
to get available options, currently the options are as follows.
Note: Some commands require environment variables to be set. This can be done using a .env file in your working directory (the directory from which you run raml-toolkit
).
raml-toolkit diff BASE NEW
Compute the difference between two API specifications
USAGE
$ raml-toolkit diff BASE NEW
ARGUMENTS
BASE The base API spec file (ruleset / diff-only mode) or directory
NEW The new API spec file (ruleset / diff-only mode) or directory
OPTIONS
-f, --format=(json|console) Format of the output. Defaults to JSON if --out-file is specified,
otherwise text.
-o, --out-file=out-file File to store the computed difference
-r, --ruleset=ruleset [default:@commerce-apps/raml-toolkit/resources/diff/rules/defaultRules
] Path to ruleset to apply to diff
--diff-only Only show differences without evaluating a ruleset
--dir Find the differences for files in two directory trees and applies
default ruleset
--log-level=trace|debug|info|warn|error|silent [default: info] Set the level of detail in the output
DESCRIPTION
This command has three modes: ruleset, diff-only, and directory.
- Ruleset mode (default) compares two files and applies a ruleset to determine if any changes are breaking.
- Diff-only mode compares two files to determine if there are any differences, without applying a ruleset.
- Directory mode finds all exchange.json files in two directories recursively and compares all the spec files
described in them. Applies the default ruleset.
In ruleset and diff-only mode, the arguments must be API specification (RAML) files.
In directory mode, the arguments must be directories that contain exchange.json files.
Exit statuses:
0 - No breaking changes (ruleset mode) or no differences (diff-only / directory)
1 - Breaking changes (ruleset mode) or differences found (diff only / directory)
2 - Evaluation could not be completed
raml-toolkit download
Download API specification files from Anypoint Exchange
USAGE
$ raml-toolkit download
OPTIONS
-D, --deployment=deployment [default: .] Deployment status to filter results from Anypoint
Exchange
-d, --dest=dest [default: apis] Directory to download APIs into
-s, --search=search Search query to filter results from Anypoint Exchange
--deployment-regex-flags=deployment-regex-flags RegExp flags to specify for advanced deployment matching
--log-level=trace|debug|info|warn|error|silent [default: info] Set the level of detail in the output
raml-toolkit lint [FILENAME]
A linting tool for raml for Commerce Cloud and beyond
USAGE
$ raml-toolkit lint [FILENAME]
ARGUMENTS
FILENAME One or more RAML files to lint
OPTIONS
-p, --profile=(mercury|slas) (required) Profile to apply
-w, --warnings Show all the warnings
--log-level=trace|debug|info|warn|error|silent [default: info] Set the level of detail in the output
For additional information on the diff
command, see these resources:
In your Jenkinsfile, init npm and then it's a simple one line command
stage('Init') {
// Needed only for SFCI instances to add npm to the instance
npmInit()
}
stage('Whatever') {
sh "npx raml-toolkit lint --profile mercury file1.raml file2.raml etc.raml"
}
NOTE: Violations will return a non-zero exit code and fail the build, which warnings will still return a 0 exit code so the build will not fail with warnings
To check your RAML currently the CLI just takes a list of files
$ ramlint lint --profile mercury file.raml
# or
$ ramlint lint --profile mercury file1.raml file2.raml etc.raml
The response will look something like
Model: file://data-products-api-v1.raml
Profile: mercury
Conforms? false
Number of results: 2
Level: Violation
- Source: http://a.ml/vocabularies/data#require-api-description
Message: The API Description must be set
Level: Violation
Target: file://data-products-api-v1.raml#/web-api
Property: http://schema.org/description
Position: Some(LexicalInformation([(2,0)-(1885,0)]))
Location: file://data-products-api-v1.raml
- Source: http://a.ml/vocabularies/data#version-format
Message: The version must be formatted as v[Major], for example v2
Level: Violation
Target: file://data-products-api-v1.raml#/web-api
Property: http://schema.org/version
Position: Some(LexicalInformation([(3,9)-(3,11)]))
Location: file://data-products-api-v1.raml
› Error: ./data-products-api-v1.raml is invalid
Let us look more closely at each of these errors.
The first error is saying that the API description is not set, but we need to have it set according to our standards. There is a "Position:" field in the response, but it is saying 2-1885. This happens to be the entire RAML document. Ranges like this will be common for "Missing" components since the parser doesn't know where you want to put it, but knows you need to put it somewhere.
The second error, however, is because it exists, but doesn't match our standard. There you can see that the position leads you to the exact line number and column of the non-conforming component.
When there are no more violations, the output will say it conforms, but also provide you with some warnings you might want to fix as well.
This package also contains the code formerly published under @commerce-apps/exchange-connector
. There are no breaking changes between the last version of @commerce-apps/exchange-connector
and v0.3.0 of this package. For changes since then, see the changelog.
The default profile validates the following rules from the Mercury API Definition of Done
title
MUST be set and not be emptyprotocols
MUST be HTTPSversion
MUST be set and follow the pattern /v[0-9]+/mediaType
default of application/jsondescription
MUST be set and not be emptydescription
MUST not include the word TODOdisplayName
setdisplayName
MUST be in camelCasedescription
field setdescription
MUST NOT contain the word TODOqueryParameters
MUST be camelCasedescription
description
MUST NOT contain the word TODObaseUri
baseUri
must match the pattern - https://{shortCode}.api.commercecloud.salesforce.com/<api-family>/<api-name>/{version}
displayName
must be unique across an APIYou can read all about our contribution model here!
Here is an AMF validation example from Mulesoft. This includes some custom rules you can use for reference when building rules.
FAQs
A collection of raml tools for commerce cloud and beyond
We found that @commerce-apps/raml-toolkit demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.