Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@stoplight/graph
Graph is a PoC for what will be the key piece of tech at Stoplight to analyze projects, extract and normalize relevant structured data, and query that data in memory.
Currently, the focus is on OAS2, OAS3 specifications and, although it's not a top priority, GraphQL might be the next supported format.
To date, many components in Stoplight have been dealing with API specification formats in different ways:
- Prism, the mock server, deals directly with the source file of the only format it supports so far (OAS2).
- The Studio PoC has an internal Graph library that parses an OpenAPI file and decomposes it into a series of nodes that are then enriched with UI-specific elements (such as CSS classes, components to render, icon providers).
- The Platform Designer deals directly with source files and lays form widgets/UI on top of them.
Each of these components has its own opinion about how much detail a given part of the document needs, and its own way of dealing with it. The result is a lot of repeated code, plus some parts that are unique to whichever piece of software happens to be handling the specification.
Each node has three identifiers:

- id: a locally unique identifier. Any two nodes within one graph instance WILL have distinct ids; the same entity in two different graph instances MAY have different ids.
- graphId: a globally unique identifier. Any two nodes representing the same entity in a graph's hierarchy will have identical graphIds, even if they belong to different graphs. graphId applies to both Virtual Nodes and Physical Nodes.
- absolutePath: a globally unique identifier that co-locates a node with the particular part of the file the node originates from. Similar to graphId, but only applicable to Physical Nodes.

Physical Node: a node that originates directly from a file and represents a portion of the file's content, e.g. a nested element in a JSON file.
Virtual Node: a node that has no physical representation in a file but was most likely derived from a Physical Node. A good example is the IHttpOperation node.
A Physical Node's parent can only be of Physical Node type.
As we want to support more API specification formats, it is clear that the current solution would not scale. That is what Graph (temporary name) aims to solve by providing:
The final API is still being defined and polished; however, this is the current one.
Listens for any node of type directory and recursively walks the directory, adding every file it encounters on the way. It produces a node representing the root tree, with a series of directory nodes that have file leaves.
Listens for any node with content/type yaml|yml and parses the content using an internal parser. Returns an IParseResult object that looks like this:

```typescript
{
  data: {},
  pointers: {},
  validations: [],
};
```
Listens for any node with content/type json and parses the content using an internal parser. Returns an IParseResult object that looks like this:

```typescript
{
  data: {},
  pointers: {},
  validations: [],
};
```
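The following is an added example, not the project's own loader: a JSON loader that returns the IParseResult shape shown above for both the YAML and JSON loaders (a YAML loader would return the same shape from a YAML parser). The IValidation record shape, the `$ref` warning, the function names and the sample document are assumptions made for this example. Two points a practitioner would want: the loader reports a parse failure as a validation instead of throwing, so one malformed file cannot abort a whole directory walk, and a `$ref` that points at a remote URL is surfaced, because resolving it later means a network fetch that a loader walking a local tree should not perform silently.

```typescript
// Added example (not @stoplight/graph code): JSON loader producing IParseResult.
// IValidation, the remote-$ref warning and all names here are assumptions.

export interface IValidation {
  severity: "error" | "warning";
  message: string;
  path: string; // JSON Pointer (RFC 6901) to the location; "" is the document root
}

export interface IParseResult<T = unknown> {
  data: T;
  pointers: Record<string, unknown>; // JSON Pointer -> value found at that location
  validations: IValidation[];
}

// RFC 6901 escaping: "~" becomes "~0" and "/" becomes "~1", in that order,
// so an OAS path key such as "/pets/{id}" round-trips without ambiguity.
export function escapePointerSegment(segment: string): string {
  return segment.replace(/~/g, "~0").replace(/\//g, "~1");
}

function collectPointers(
  value: unknown,
  pointer: string,
  pointers: Record<string, unknown>,
  validations: IValidation[],
): void {
  pointers[pointer] = value;
  if (Array.isArray(value)) {
    value.forEach((item, i) => collectPointers(item, `${pointer}/${i}`, pointers, validations));
    return;
  }
  if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value as Record<string, unknown>)) {
      const childPointer = `${pointer}/${escapePointerSegment(key)}`;
      // Assumed check for this example: a $ref to an http(s) URL will need a
      // network fetch to resolve, which is worth flagging at load time.
      if (key === "$ref" && typeof child === "string" && /^https?:\/\//i.test(child)) {
        validations.push({ severity: "warning", message: `Remote $ref: ${child}`, path: childPointer });
      }
      collectPointers(child, childPointer, pointers, validations);
    }
  }
}

export function parseJson(source: string): IParseResult {
  const validations: IValidation[] = [];
  let data: unknown;
  try {
    data = JSON.parse(source);
  } catch (err) {
    // Report rather than throw: the caller keeps walking and still sees where it failed.
    validations.push({ severity: "error", message: `Invalid JSON: ${(err as Error).message}`, path: "" });
    return { data: undefined, pointers: {}, validations };
  }
  if (data === null || typeof data !== "object") {
    validations.push({ severity: "warning", message: "Document root is not an object or array", path: "" });
  }
  const pointers: Record<string, unknown> = {};
  collectPointers(data, "", pointers, validations);
  return { data, pointers, validations };
}

// Constructed sample input for this example.
export const SAMPLE_JSON = JSON.stringify({
  openapi: "3.0.0",
  paths: { "/pets/{id}": { get: { responses: { "200": { $ref: "#/components/responses/Pet" } } } } },
  components: { schemas: { Pet: { $ref: "https://example.com/pet.json" } } },
});
```

The pointers map is what lets a physical node's absolutePath (file plus JSON Pointer) be derived later without re-parsing: every location in the document has exactly one escaped pointer.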
Listens for any PARSED node and expands the graph with the series of nodes that results from decomposing the document, one per part of it.
The Graph has been designed to be extensible by default. On its own the graph can't really do anything; most of the features are provided by external plugins.
A plugin is a container of hooks and loaders. Let's explore these concepts:
A hook intercepts various parts of the graph's life cycle and gives you the possibility to react with actions. Each hook needs to specify a selector function, where you ask to be notified only for certain node types. Once that test passes, your "event handlers" are called for those nodes. (The quotes are there because they are not really event handlers.)
```typescript
selector?: (node: INodeInstance) => boolean; // Return true to express your interest in this kind of node
onWillCreateNode?: (node: Partial<Output>) => void; // The node is going to be added to the graph
onDidCreateNode?: (parent: Parent, opts: IGraphHookApi<Input, Output, Parent>) => Promise<any>; // The node has just been added to the graph
```
The HookApi provides a limited set of actions you can perform on the graph:

```typescript
{
  createNode: (node: Input, opts?: { parent?: Parent }) => Promise<Output>;
  createEdge: (source: INodeInstance, destination: INodeInstance) => void;
  getNodeById: (id: string) => INodeInstance | undefined;
}
```
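The following is an added example, not code from @stoplight/graph: a minimal graph that enforces the identifier rules described earlier (id unique per Graph instance, graphId stable across instances, absolutePath only on physical nodes, a physical node never gets a virtual parent) and runs hooks through a HookApi of the shape shown above, including a decomposition hook of the kind the PARSED loader describes. Assumptions made for the example: hooks are synchronous (the real API returns a Promise), onDidCreateNode receives the node that was just created, graphId is derived as `${type}:${logicalPath}`, and the node types ("json_parsed", "oas_path", "http_operation"), the hook and the sample document are all constructed here.

```typescript
// Added example (not @stoplight/graph code). Identifier scheme, node types,
// the synchronous hook API and the sample document are assumptions.

export interface INodeInstance {
  id: string;            // locally unique within one Graph instance
  graphId: string;       // same entity => same graphId, in any Graph instance
  absolutePath?: string; // physical nodes only: `${file}#${jsonPointer}`
  type: string;
  parentId?: string;
  data?: unknown;
}

export interface INodeInput {
  type: string;
  logicalPath: string;   // what graphId is derived from
  absolutePath?: string; // set => physical node
  data?: unknown;
}

export interface IGraphHookApi {
  createNode: (node: INodeInput, opts?: { parent?: INodeInstance }) => INodeInstance;
  createEdge: (source: INodeInstance, destination: INodeInstance) => void;
  getNodeById: (id: string) => INodeInstance | undefined;
}

export interface IHook {
  selector?: (node: INodeInstance) => boolean;
  onWillCreateNode?: (node: Partial<INodeInstance>) => void;
  onDidCreateNode?: (node: INodeInstance, api: IGraphHookApi) => void;
}

export class Graph {
  readonly nodes = new Map<string, INodeInstance>();
  readonly edges: Array<[string, string]> = [];
  private hooks: IHook[] = [];
  private counter = 0;
  private readonly api: IGraphHookApi = {
    createNode: (input, opts) => this.createNode(input, opts?.parent),
    createEdge: (source, destination) => { this.edges.push([source.id, destination.id]); },
    getNodeById: (id) => this.nodes.get(id),
  };

  addHook(hook: IHook): void { this.hooks.push(hook); }

  createNode(input: INodeInput, parent?: INodeInstance): INodeInstance {
    // Rule from the README: a physical node's parent must itself be physical.
    if (input.absolutePath && parent && !parent.absolutePath) {
      throw new Error(`physical node ${input.absolutePath} cannot have virtual parent ${parent.graphId}`);
    }
    const node: INodeInstance = {
      id: `n${++this.counter}`,                      // instance-local counter
      graphId: `${input.type}:${input.logicalPath}`, // deterministic across instances
      type: input.type,
      parentId: parent?.id,
      data: input.data,
    };
    if (input.absolutePath) node.absolutePath = input.absolutePath;
    const interested = this.hooks.filter((h) => !h.selector || h.selector(node));
    for (const h of interested) h.onWillCreateNode?.(node);
    this.nodes.set(node.id, node);
    if (parent) this.edges.push([parent.id, node.id]);
    for (const h of interested) h.onDidCreateNode?.(node, this.api);
    return node;
  }

  findByGraphId(graphId: string): INodeInstance | undefined {
    for (const n of this.nodes.values()) if (n.graphId === graphId) return n;
    return undefined;
  }
}

// Decomposition hook: a parsed OAS document becomes physical path nodes plus
// virtual operation nodes (the IHttpOperation-style nodes the README mentions).
export const oasDecomposeHook: IHook = {
  selector: (node) => node.type === "json_parsed",
  onDidCreateNode: (doc, api) => {
    if (!doc.absolutePath) return;
    const file = doc.absolutePath.split("#")[0];
    const paths = (doc.data as { paths?: Record<string, Record<string, unknown>> }).paths ?? {};
    for (const [path, methods] of Object.entries(paths)) {
      const pointer = `/paths/${path.replace(/~/g, "~0").replace(/\//g, "~1")}`; // RFC 6901
      const pathNode = api.createNode(
        { type: "oas_path", logicalPath: `${file}#${pointer}`, absolutePath: `${file}#${pointer}`, data: methods },
        { parent: doc },
      );
      for (const method of Object.keys(methods)) {
        // Virtual node: derived from the file, but owning no byte range of its own.
        const op = api.createNode(
          { type: "http_operation", logicalPath: `${method.toUpperCase()} ${path}`, data: methods[method] },
          { parent: pathNode },
        );
        api.createEdge(op, pathNode); // back-reference to the physical node it derives from
      }
    }
  },
};

export function buildGraph(file: string, source: string): Graph {
  const graph = new Graph();
  graph.addHook(oasDecomposeHook);
  graph.createNode({ type: "json_parsed", logicalPath: `${file}#`, absolutePath: `${file}#`, data: JSON.parse(source) });
  return graph;
}

// Constructed sample document.
export const SAMPLE_OAS = JSON.stringify({ openapi: "3.0.0", paths: { "/pets": { get: {}, post: {} }, "/pets/{id}": { get: {} } } });
```

Building the same file twice gives two graphs whose nodes share graphIds but whose ids are only meaningful inside their own instance, which is exactly the distinction the identifier section draws; the parent check in createNode is the one invariant a plugin author can otherwise silently violate.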
This is a PoC: we haven't come up with the right API and data format yet.

1. Create a feature/{name}, chore/{name}, or fix/{name} branch.
2. yarn
3. yarn test.prod
4. yarn commit. NOTE: Commits that don't follow the conventional format will be rejected. yarn commit creates this format for you, or you can put it together manually and then do a regular git commit.
5. git push
6. Open a pull request against the develop branch.

FAQs
Nodes'n Things.
The npm package @stoplight/graph receives a total of 0 weekly downloads. As such, @stoplight/graph's popularity was classified as not popular.
We found that @stoplight/graph demonstrated an unhealthy version release cadence and project activity, because the last version was released a year ago. It has 7 open source maintainers collaborating on the project.