
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@secvisogram/csaf-validator-service
Advanced tools
This is a service to validate documents against the CSAF standard. It uses the csaf-validator-lib under the hood which is included as a git subtree module.
To run the validator service you basically need the same as for developing.
npm run distNODE_ENV to productionlocal-production.json file in
backend/config. All available parameters are outlined in backend/config/development.json. See https://www.npmjs.com/package/config for more information on how to configure using different techniques such as environment variables.node backend/server.jsTo manage the process you can use Docker or an init system of your choice.
You most likely also want to run this behind a reverse proxy to handle TLS termination or CORS headers if the service is accessed from other domains. See https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS for more information.
The documentation is available as a swagger resource provided by the service itself under /docs. So once the server is running, visit http://localhost:<config port>/docs in your browser. The default port of the application 8082. See configuration to learn about ways to change it.
The project uses the config npm package for configuration. It provides a variety of possibilities to inject configuration values e.g. environment variables or environment specific files.
Fastify CORS options can be configured by passing an options object by the name cors
The following options are available:
origin, methods, allowedHeaders, exposedHeaders, credentials, maxAge
See Fastify CORS options for more information
You need at least Node.js version 20 or higher. Nodesource provides binary distributions for various Linux distributions.
npm ci
Start the server
npm run dev
The server needs to be running and the openapi-generator-cli must be installed. The file backend/lib/app.js needs to reflect the target version. Then, you can use the following commands to generate the documentation:
openapi-generator-cli generate -i http://localhost:8082/docs/json -g html -o ./documents/generated/html/
openapi-generator-cli generate -i http://localhost:8082/docs/json -g asciidoc -o ./documents/generated/asciidoc/
To create a new version use npm's version command and make sure that your server is not running (since this command will start it).
Many tests are integration tests which need a running server. So make sure to start it before running the tests:
npm run dev
Tests are implemented using mocha. They can be run using the following command:
npm test
Build docker image
docker build -t csaf/validator-service .
Start container
docker run -d -p 8082:8082 --name csaf-validator-service csaf/validator-service
If you want to start the service with pm2 you have to adjust the instance_var attribute for pm2.
You can do this by adding the following configuration in the backend folder.
Depending on the directory you chose, you have to adjust the cwd and NODE_CONFIG_DIR attributes accordingly.
// pm2.config.cjs
module.exports = {
apps: [
{
name: 'csaf-validator-service',
script: './server.js',
cwd: '/var/www/csaf-validator-service/backend',
instance_var: 'INSTANCE_ID',
env: {
NODE_ENV: 'development',
NODE_CONFIG_DIR: '/var/www/csaf-validator-service/backend/config/',
},
env_production: {
NODE_ENV: 'production',
NODE_CONFIG_DIR: '/var/www/csaf-validator-service/backend/config/',
},
},
],
}
To start the service execute this command inside the backend directory:
pm2 start pm2.config.js --env production
You can find our guidelines here CONTRIBUTING.md
For the complete list of dependencies please take a look at package.json
FAQs
<!-- TOC depthfrom:2 depthto:3 -->
We found that @secvisogram/csaf-validator-service demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.