neo4jkb: a graph knowledge base implemented in Neo4j.
Read the docs here. Refer to test/ for usage.
Improvement is still underway, so it will be continuously updated.
Install the package:

npm i --save neo4jkb

Ensure that you have neo4j installed. From the terminal, run neo4j start, then change the default password (if you haven't already) with

curl -H "Content-Type: application/json" -X POST -d '{"password":"YOUR_NEW_PASSWORD"}' -u neo4j:neo4j http://localhost:7474/user/neo4j/password

Do this before anything else: the stock neo4j:neo4j credentials give full access to anyone who can reach port 7474. Note also that a password passed on the command line like this lands in your shell history and is visible in the process list while curl runs, so clear it afterwards or read the body from a file instead.

The browser GUI is at http://localhost:7474/.
Backup and restore use the neo4j-shell (with neo4j-shell-tools installed); files are saved to ${NEO4J_HOME}:

Export: export-graphml -o backup.graphml -t -r
Import: import-graphml -i backup.graphml -t
// import and initialize; take the credentials from the environment (as the
// test setup below does) rather than shipping the default neo4j:neo4j pair in source
var KB = require('neo4jkb')({ NEO4J_AUTH: process.env.NEO4J_AUTH || 'neo4j:neo4j' })

// node label
var labelNode = 'test'
// nodes A, B: cons.legalize() turns a plain object into a prop that satisfies the KB constraints
var propA = KB.cons.legalize({ name: 'A', hash_by: 'name' })
var propB = KB.cons.legalize({ name: 'B', hash_by: 'name' })
// edge label
var labelEdge = 'test_next'
// edge E for (a)-[e]->(b)
var propE = KB.cons.legalize({ name: 'E', hash_by: 'name' })

// build the nodes; addNode already returns a promise, so no Promise wrapper is needed
function buildNodes() {
  return KB.addNode(
    [[propA, labelNode]],
    [[propB, labelNode]]
  )
}

// build the edge A -> B
function buildEdges() {
  return KB.addEdge(
    [[propA], [propE, labelEdge], [propB]]
  )
}

// build the graph: nodes first, then the edge that references them
function buildGraph() {
  return buildNodes().then(buildEdges)
}

buildGraph()
  .then(function(res) { console.log(res) })
  .catch(function(err) { console.error(err) })
// A simple graph is built. Go to localhost:7474 to query and see it.
To run the tests, clone this repo, make sure you set the environment variable NEO4J_AUTH=<username>:<password> (or just save an .env file if you like), then run npm test.
Install the neo4j-shell-tools for db migration; use export-graphml -o backup.graphml -t -r and import-graphml -i backup.graphml -t from within neo4j-shell. Files will be saved to ${NEO4J_HOME}.
We use a graph knowledge base (KB) to encode generic knowledge and relationships. The implementation is through a graph database; we choose Neo4j for the purpose. A graph consists of individual nodes connected with edges.

node:
- Labels - an array of strings.
- prop - a flat JSON.

edge:
- Label - a single string.
- prop - a flat JSON.

All nodes and edges must have the following fields in their prop:
- hash_by: the field used to hash this node, e.g. name.
- hash: the actual hash string, e.g. "document1".
- updated_by: the hash-string of the user who last updated the prop.
- updated_when: the timestamp of when that user updated the prop. Same format as Date.now().
- created_by: the hash-string of the prop's creator. Doesn't show in constrain.js but is built in to KB_builder.js.
- created_when: the timestamp of when the creator created the prop. Doesn't show in constrain.js but is built in to KB_builder.js.

Besides prop, each node must have at least zero Labels (any number, including none), and each edge exactly one Label.

hash_by and hash are required for edges too, but it's optional to obey them, i.e. you can utilize the hash in your custom query(), but addEdge will allow for duplicate edge hash. In fact, addEdge hashes by using LabelE and the hash of the source and target nodes, i.e. there can be only one edge of a given label between two distinct nodes.

Every operation takes and returns a {nodes, edges} pair:
- create: {nodes, edges}
- read: {nodes, edges} (this is rich, requires data-ordering)
- update: {nodes, edges}
- delete: {nodes, edges}. Deleting a node deletes its edges too; deleting an edge leaves its nodes unaffected.
All knowledge must be created by users, thus created_by and updated_by are mandatory fields. We keep to using the user ID as the hash string, since it's the only constant hash and is universal to all adapters; using the username as hash, despite its convenience, is costly whenever it is changed (update is O(2n)).

As a tradeoff, we will provide an easy lookup function to yield the user node on inputting an ID, or any node with an authorship. For the timestamp, we will provide a chrono method too. (soon)
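The prop constraints above (flat JSON, hash_by and hash, mandatory created_by/updated_by user IDs, at most one edge per label between two nodes, cascading delete of a node's edges) as an added JavaScript example that is not neo4jkb's own code: an in-memory stand-in so the rules can be exercised without a Neo4j instance. legalizeProp, scopedLabel, edgeKey, MemoryKB and demo are names chosen for this example, not package API; the 'test_' label prefix for NODE_ENV=development is taken from the notes further down this page, and the sample nodes are constructed here.

```javascript
// Added example, not the project's code: an in-memory model of the documented
// prop/edge rules. All names below are this example's own.

const REQUIRED_USER_FIELDS = ['created_by', 'updated_by']

// Build a legal prop: flat JSON, hash_by names an existing field, hash is derived
// from it, authorship fields are mandatory user-ID strings, and the timestamps use
// the Date.now() (ms) format the docs specify. `now` can be injected for testing.
function legalizeProp(input, now) {
  const ts = now === undefined ? Date.now() : now
  if (!input || typeof input !== 'object') throw new TypeError('prop must be an object')
  for (const [k, v] of Object.entries(input)) {
    if (v !== null && typeof v === 'object') throw new TypeError(`prop must be flat; "${k}" is nested`)
  }
  if (typeof input.hash_by !== 'string') throw new TypeError('hash_by is required')
  if (!(input.hash_by in input)) throw new TypeError(`hash_by names missing field "${input.hash_by}"`)
  for (const f of REQUIRED_USER_FIELDS) {
    if (typeof input[f] !== 'string' || input[f] === '') throw new TypeError(`${f} (user ID) is required`)
  }
  return Object.assign({}, input, {
    hash: String(input[input.hash_by]),
    created_when: input.created_when === undefined ? ts : input.created_when,
    updated_when: ts,
  })
}

// NODE_ENV=development prefixes every label with 'test_' so dev/test data can be
// isolated from real knowledge and cleaned out afterwards.
function scopedLabel(label, env) {
  return env === 'development' ? 'test_' + label : label
}

// An edge is identified by its label plus the source and target node hashes, so
// there is at most one edge of a given label between two distinct nodes.
function edgeKey(label, sourceHash, targetHash) {
  return `${label}|${sourceHash}|${targetHash}`
}

class MemoryKB {
  constructor(env) {
    this.env = env
    this.nodes = new Map() // hash -> { labels, prop }
    this.edges = new Map() // edgeKey -> { label, prop, source, target }
  }
  // nodes may carry any number of labels, including none
  addNode(prop, labels = []) {
    const p = legalizeProp(prop)
    this.nodes.set(p.hash, { labels: labels.map(l => scopedLabel(l, this.env)), prop: p })
    return p
  }
  // edges carry exactly one label; a second edge with the same (label, source, target) is rejected
  addEdge(sourceHash, label, prop, targetHash) {
    if (typeof label !== 'string') throw new TypeError('an edge needs exactly one label')
    if (!this.nodes.has(sourceHash) || !this.nodes.has(targetHash)) throw new Error('both endpoints must exist')
    const l = scopedLabel(label, this.env)
    const key = edgeKey(l, sourceHash, targetHash)
    if (this.edges.has(key)) throw new Error(`duplicate edge ${key}`)
    const e = { label: l, prop: legalizeProp(prop), source: sourceHash, target: targetHash }
    this.edges.set(key, e)
    return e
  }
  // deleting a node also deletes its edges; deleting an edge leaves its nodes alone
  deleteNode(hash) {
    for (const [key, e] of this.edges) {
      if (e.source === hash || e.target === hash) this.edges.delete(key)
    }
    return this.nodes.delete(hash)
  }
  deleteEdge(label, sourceHash, targetHash) {
    return this.edges.delete(edgeKey(scopedLabel(label, this.env), sourceHash, targetHash))
  }
  // the {nodes, edges} view every operation works on
  snapshot() {
    return { nodes: [...this.nodes.values()], edges: [...this.edges.values()] }
  }
}

// Usage on constructed data: the A -[next]-> B graph from the README, in development mode.
function demo() {
  const kb = new MemoryKB('development')
  const user = { created_by: 'u1', updated_by: 'u1' }
  const a = kb.addNode(Object.assign({ name: 'A', hash_by: 'name' }, user), ['test'])
  const b = kb.addNode(Object.assign({ name: 'B', hash_by: 'name' }, user), ['test'])
  kb.addEdge(a.hash, 'next', Object.assign({ name: 'E', hash_by: 'name' }, user), b.hash)
  let duplicateRejected = false
  try { kb.addEdge(a.hash, 'next', Object.assign({ name: 'E2', hash_by: 'name' }, user), b.hash) }
  catch (e) { duplicateRejected = true }
  const before = kb.snapshot()
  kb.deleteNode(a.hash)
  const after = kb.snapshot()
  return { duplicateRejected, label: before.edges[0].label, edgesBefore: before.edges.length,
           edgesAfter: after.edges.length, nodesAfter: after.nodes.length }
}
```

Running demo() shows the label stored as test_next (the development prefix), the second A-next-B edge rejected, and the edge disappearing when A is deleted while B survives.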
Composite hash format: <userHash>#<hashStr>.

Relationship conventions: (user1)-[:assigns]->(task)-[:to]->(user2), so (n)-[:to]->(user) implies n is given, or belongs, to user. Path/relationship transition: (a)-[:assigns]->(t), then transition by tense: (a)-[:assigned]->(t). Deprecation is expressed by the past tense. You can also use a continuing tense, like (c)-[:doing]->(t). Preference: (a)-[:prefers]->(sushi:lunch); (a)-[:prefers]->(cold:weather).
Parsing: a statement is modelled as (source)-[action]->(outcome), as in (gdoc1)-[ref]-(gdoc2), so we parse action to a standard value, e.g. map {links, link, refers, refs} => ref, using word2vec and metric closeness. Then parse source and outcome by MATCH and hash. E.g. add <notes> parses into (kengz)-[adds]->(<notes>).
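The pattern notation and the parsing plan above as an added JavaScript example, not the project's code: it parses (source)-[action]->(outcome) strings and "add <object>" commands into triples, normalizes the action with a small synonym table (a stand-in for the word2vec closeness step, which needs a trained model), and produces the past-tense "deprecated" form of a relationship. parsePattern, parseCommand, normalizeAction, pastTense, render and deprecate are this example's own names; the synonym and irregular-verb lists are constructed from the examples on this page.

```javascript
// Added example, not the project's code. The synonym table stands in for the
// word2vec/metric-closeness step described above.
const ACTION_SYNONYMS = {
  ref: ['links', 'link', 'refers', 'refs', 'ref', 'references'],
  adds: ['add', 'adds'],
  assigns: ['assign', 'assigns'],
}
const CANONICAL = new Map()
for (const [canon, words] of Object.entries(ACTION_SYNONYMS)) {
  for (const w of words) CANONICAL.set(w, canon)
}

// Map a verb to its standard value; unknown verbs pass through unchanged.
function normalizeAction(word) {
  const w = word.trim().toLowerCase()
  return CANONICAL.get(w) || w
}

// Matches "(a)-[:rel]->(b)" or "(a)-[rel]-(b)"; a node may carry a ":label".
const PATTERN = /^\(\s*([^:()\s]+)(?::([^()\s]+))?\s*\)\s*-\s*\[\s*:?\s*([^\]\s]+)\s*\]\s*-\s*(>?)\s*\(\s*([^:()\s]+)(?::([^()\s]+))?\s*\)$/

function parsePattern(text) {
  const m = PATTERN.exec(text.trim())
  if (!m) throw new SyntaxError(`not a pattern: ${text}`)
  return {
    source: { name: m[1], label: m[2] || null },
    action: normalizeAction(m[3]),
    directed: m[4] === '>',
    outcome: { name: m[5], label: m[6] || null },
  }
}

// "add <notes>" style commands become (actor)-[verb]->(object).
function parseCommand(actor, text) {
  const m = /^(\S+)\s+(.+)$/.exec(text.trim())
  if (!m) throw new SyntaxError('expected "<verb> <object>"')
  return {
    source: { name: actor, label: null },
    action: normalizeAction(m[1]),
    directed: true,
    outcome: { name: m[2], label: null },
  }
}

// Deprecation by past tense: a short irregular list, then a strip-s/add-ed rule.
const IRREGULAR = { ref: 'referenced', doing: 'done', prefers: 'preferred' }
function pastTense(verb) {
  if (IRREGULAR[verb]) return IRREGULAR[verb]
  if (verb.endsWith('ed')) return verb
  const stem = verb.endsWith('s') ? verb.slice(0, -1) : verb
  return stem.endsWith('e') ? stem + 'd' : stem + 'ed'
}

// Render a triple back into Cypher-style pattern text.
function render(t) {
  const node = n => '(' + n.name + (n.label ? ':' + n.label : '') + ')'
  return node(t.source) + '-[:' + t.action + ']-' + (t.directed ? '>' : '') + node(t.outcome)
}

// Mark a relationship as deprecated by moving its action into the past tense.
function deprecate(text) {
  const t = parsePattern(text)
  return render(Object.assign({}, t, { action: pastTense(t.action) }))
}
```

render(parseCommand('kengz', 'add notes')) gives (kengz)-[:adds]->(notes), and deprecate('(a)-[:assigns]->(t)') gives (a)-[:assigned]->(t); the undirected (gdoc1)-[links]-(gdoc2) normalizes to ref and keeps its missing arrow.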
Jan 2016
- mocha with the chai library for tests; coverage by istanbul.
- Query pattern: <filter> then RETURN|DELETE|DETACH DELETE.
- cons.now uses the ISO 8601 format, e.g. 2016-01-22T15:07:25.550Z.
- NODE_ENV=development: all labels created will be prepended with 'test_'. This allows one to isolate the effects of devs and tests from the KB, as well as easy cleaning post-test.
- cons.legalize also acts as a quick legal prop constructor.
- sorter, picker as transformer methods.
- flattenIndex as a generic matrix-to-string formatter.
- lib/constrain.js for chaining.
We found that neo4jkb demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.