
Research
/Security News
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.
@csaf-poc/csaf-webview
Advanced tools
<!-- This file is Free Software under the Apache-2.0 License without warranty, see README.md and LICENSES/Apache-2.0.txt for details.
A browser based web app (module) to:
Note: As of 2023-12-14 all but one server do not allow web applications to read the CSAF information directly. So you will get failures due to CORS restrictions often. See https://github.com/oasis-tcs/csaf/issues/653 for more details.
A backend can act as a proxy to avoid the problems caused by
CSAF Providers missing Access-Control-Allow-Origin: * headers.
The envisoned usage is to be integrated in a larger application.
Therefore, csaf_webview is kept simple and stylable.
[!NOTE] If you have tried or considered using this component please contact us and explain your use cases.
Please also let us know in case you are using webview and the reasons for its selection.
Open an issue in this repo or send us an email, e.g. to @bernhardreiter.
Background: Initially this web component was used in ISDuBA and the plan was to keep it external and by doing so, develop a more universal component to display CSAF files.
During ISDuBA's development we've changed the approach, integrated a copy of the code and made it ISDuBA specific instead. Putting the focus on the needs of ISDuBA first helped to understand more about what this real CSAF-handling application needed from a viewing component. Mainly a deeper integration with the handled use cases. It is hard to display CSAF documents well; which means fast and navigable that users will find the information they want easily. Depending on their tasks, users profit from tayloring the viewing experience.
Being ISDuBA specific means, we cannot easily rip out the viewing component there and make it an external module again. We could do a much better one now, but if other applications would need a deeper integration as well anyway, they may or may not profit that much.
Which leaves us with the questions:
Thus we would like to hear from you about how close this component gets to what you need to support displaying CSAF documents on the web and what you would need from it. This helps us planning the maintenance.

Displaying a single document
Displaying a ROLIE-Feed
The deployment via github pages is a demo and thus may not reflect the current state of the source repository.
git clone https://github.com/csaf-poc/csaf_webview.git
cd into app directorycd csaf_webview
Install current LTS version of NodeJS, e.g. see https://github.com/nodesource/distributions/blob/master/README.md . Upgrade to the latest version of npm if you can. Development has been started with Node v20 and npm 10.2.1
npm install
npx playwright install
Optionally add -- --open to directly open a browser.
npm run dev -- --open
dropzone.npm run test:unit
npm run test:integration
npm run coverage
npm run build:ghpage
npm run deploy
In order to configure a proxy server use vite.config.js.
The default configuration is:
...
server: {
proxy: {
"/proxy/": {
target: "https://wid.cert-bund.de/",
changeOrigin: true,
rewrite: (path) => path.replace(/^\/proxy/, "")
}
}
},
...
For more information look here.
Change target to the URL to be proxied.
csaf_webview is licensed as Free Software under Apache-2.0 License.
See the specific source files
for details, the licenses itself can be found in the directory LICENSES/.
The resulting webpage contains third party Free Software components under
licenses that to our best knowledge are compatible at time of adding
the dependency. See package.json for details.
FAQs
<!-- This file is Free Software under the Apache-2.0 License without warranty, see README.md and LICENSES/Apache-2.0.txt for details.
The npm package @csaf-poc/csaf-webview receives a total of 5 weekly downloads. As such, @csaf-poc/csaf-webview popularity was classified as not popular.
We found that @csaf-poc/csaf-webview demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.