Quick start:

1. Make sure npm is at least version 7 (npm install --global npm@^7).
2. Run npm install -g bids-validator.
3. Run bids-validator to start validating datasets.

Alternatively, with Docker, run docker run -ti --rm -v /path/to/data:/data:ro bids/validator /data but replace the /path/to/data part of the command with your own path on your machine.

Run pip install bids_validator to acquire the BIDS Validator PyPI package or conda install bids-validator for the Conda package. Then, in Python:

from bids_validator import BIDSValidator
BIDSValidator().is_bids('/relative/path/to/a/bids/file')

Note that the file path must be relative to the root of the BIDS dataset, and a leading forward slash / must be added to the file path.

The BIDS Validator is designed to work in both the browser and in Node.js. We target support for the latest long term stable (LTS) release of Node.js and the latest version of Chrome.
There is also a library of helper functions written in Python, for use with BIDS compliant applications written in this language.
Please report any issues you experience while using these support targets via the GitHub issue tracker. If you experience issues outside of these supported environments and believe we should extend our targeted support feel free to open a new issue describing the issue, your support target and why you require extended support and we will address these issues on a case by case basis.
This project follows the all-contributors specification. Contributions of any kind are welcome!
The project is maintained by @rwblair with the help of many contributors listed below. (The emoji key indicates the kind of contribution.)
Please also see Acknowledgments.
The BIDS Validator has one primary method that takes a directory as either a path to the directory (node) or the object given by selecting a directory with a file input (browser), an options object, and a callback.
Available options include:
For example:
validate.BIDS(directory, {ignoreWarnings: true}, function (issues, summary) {console.log(issues.errors, issues.warnings);});
If you would like to test individual files you can use the file specific checks that we expose. Additionally, you can reformat stored errors against a new config using validate.reformat().
Optionally one can include a .bidsignore file in the root of the dataset. This file lists patterns (compatible with the .gitignore syntax) defining files that should be ignored by the validator. This option is useful when the validated dataset includes file types not yet supported by the BIDS specification. For example, a .bidsignore file with the following contents ignores every file ending in _not_bids.txt and everything under extra_data/:
*_not_bids.txt
extra_data/
You can configure the severity of errors by passing a json configuration file with a -c or --config flag to the command line interface or by defining a config object on the options object passed during javascript usage.
If no path is specified a default path of .bids-validator-config.json will be used. You can add this file to your dataset to share dataset specific validation configuration. To disable this behavior use --no-config and the default configuration will be used.
The basic configuration format is outlined below. All configuration is optional.
{
"ignore": [],
"warn": [],
"error": [],
"ignoredFiles": []
}
ignoredFiles takes a list of file paths or glob patterns you'd like to ignore. Let's say we want to ignore all files and sub-directories under /derivatives/. (Note that this is not the same syntax as used in the .bidsignore file.)
{
"ignoredFiles": ["/derivatives/**"]
}
Note that adding two stars ** in the path makes the validator ignore all files and sub-directories beneath it.
ignore, warn, and error take lists of issue codes or issue keys and change the severity of those issues so they are either ignored or reported as warnings or errors. You can find a list of all available issues at utils/issues/list.
Some issues may be ignored by default, but can be elevated to warnings or errors. These provide a way to check for common things that are more specific than BIDS compatibility. An example is a check for the presence of a T1w modality. The following would raise an error if no T1W image was found in a dataset.
{
"error": ["NO_T1W"]
}
In addition to issue codes and keys, these lists can also contain objects with "and" or "or" properties set to arrays of codes or keys. These allow some level of conditional logic when configuring issues. For example:
{
"ignore": [
{
"and": [
"ECHO_TIME_GREATER_THAN",
"ECHO_TIME_NOT_DEFINED"
]
}
]
}
In the above example the two issues will only be ignored if both of them are triggered during validation.
{
"ignore": [
{
"and": [
"ECHO_TIME_GREATER_THAN",
"ECHO_TIME_NOT_DEFINED",
{
"or": [
"ECHO_TIME1-2_NOT_DEFINED",
"ECHO_TIME_MUST_DEFINE"
]
}
]
}
]
}
And in this example the listed issues will only be ignored if ECHO_TIME_GREATER_THAN, ECHO_TIME_NOT_DEFINED and either ECHO_TIME1-2_NOT_DEFINED or ECHO_TIME_MUST_DEFINE are triggered during validation.
"or" arrays are not supported at the lowest level because it wouldn't add any functionality. For example the following is not supported.
{
"ignore": [
{
"or": [
"ECHO_TIME_GREATER_THAN",
"ECHO_TIME_NOT_DEFINED"
]
}
]
}
because it would be functionally the same as this:
{
"ignore": [
"ECHO_TIME_GREATER_THAN",
"ECHO_TIME_NOT_DEFINED"
]
}
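As an added worked example (this is not code from the bids-validator project), the following JavaScript re-implements the configuration semantics described above, both the ignoredFiles glob patterns from the ignoredFiles section and the ignore/warn/error lists with "and"/"or" objects, and applies them to constructed sample issues so the rules can be traced end to end. The issue object shape {code, key, severity, file}, the numeric codes other than 99 and 44, the sample file paths and the "later level wins" override order are assumptions made for the illustration.

```javascript
// Illustrative re-implementation of the documented config rules (not the
// validator's own code). Issue shape {code, key, severity, file} is assumed.

// Compile an ignoredFiles glob such as "/derivatives/**" to a RegExp:
// "**" spans directory separators, "*" stays inside one path segment.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") {
      re += ".*";
      i++;
    } else if (c === "*") {
      re += "[^/]*";
    } else {
      re += /[\\^$.|?+()[\]{}]/.test(c) ? "\\" + c : c;
    }
  }
  return new RegExp("^" + re + "$");
}

function isIgnoredFile(file, ignoredFiles = []) {
  return ignoredFiles.some((glob) => globToRegExp(glob).test(file));
}

// An entry is a code/key, or {and:[...]} / {or:[...]} nesting more entries.
// It fires when its identifiers were triggered as the README describes:
// every member for "and", any member for "or".
function entryFires(entry, triggered) {
  if (typeof entry === "string" || typeof entry === "number") {
    return triggered.has(String(entry));
  }
  if (entry && Array.isArray(entry.and)) {
    return entry.and.every((e) => entryFires(e, triggered));
  }
  if (entry && Array.isArray(entry.or)) {
    return entry.or.some((e) => entryFires(e, triggered));
  }
  return false;
}

// All codes/keys named anywhere inside an entry (any nesting depth).
function identifiersIn(entry) {
  if (typeof entry === "string" || typeof entry === "number") return [String(entry)];
  const children = (entry && (entry.and || entry.or)) || [];
  return children.flatMap(identifiersIn);
}

// Apply a config to raw validator issues. Returns the issue keys regrouped by
// their effective severity plus the count dropped by ignoredFiles.
function applyConfig(issues, config = {}) {
  const kept = issues.filter((i) => !isIgnoredFile(i.file, config.ignoredFiles));
  const triggered = new Set(kept.flatMap((i) => [String(i.code), i.key]));

  // Assumption: if an identifier is listed at several levels, the later
  // level in this order wins.
  const override = new Map();
  for (const level of ["ignore", "warn", "error"]) {
    for (const entry of config[level] || []) {
      if (!entryFires(entry, triggered)) continue;
      for (const id of identifiersIn(entry)) override.set(id, level);
    }
  }

  const result = { errors: [], warnings: [], ignored: [], droppedByIgnoredFiles: issues.length - kept.length };
  for (const issue of kept) {
    const level = override.get(String(issue.code)) || override.get(issue.key) || issue.severity;
    if (level === "error") result.errors.push(issue.key);
    else if (level === "warn") result.warnings.push(issue.key);
    else result.ignored.push(issue.key);
  }
  return result;
}

// Constructed sample issues. Codes 99 (empty file) and 44 (unreadable file)
// are the ones named in the README; the 900x codes are placeholders.
const SAMPLE_ISSUES = [
  { code: 99, key: "EMPTY_FILE", severity: "error", file: "/sub-01/anat/sub-01_T1w.nii.gz" },
  { code: 44, key: "FILE_READ", severity: "error", file: "/derivatives/fmriprep/report.html" },
  { code: 9001, key: "ECHO_TIME_GREATER_THAN", severity: "error", file: "/sub-01/func/sub-01_bold.json" },
  { code: 9002, key: "ECHO_TIME_NOT_DEFINED", severity: "error", file: "/sub-01/func/sub-01_bold.json" },
  { code: 9003, key: "NO_T1W", severity: "ignore", file: "/" },
];

// Config in the README's format: drop derivatives, demote empty-file errors,
// ignore the two echo-time issues only when both occur, elevate NO_T1W.
const SAMPLE_CONFIG = {
  ignoredFiles: ["/derivatives/**"],
  ignore: [{ and: ["ECHO_TIME_GREATER_THAN", "ECHO_TIME_NOT_DEFINED"] }],
  warn: [99],
  error: ["NO_T1W"],
};

function demo() {
  return applyConfig(SAMPLE_ISSUES, SAMPLE_CONFIG);
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows NO_T1W elevated to an error, EMPTY_FILE demoted to a warning, both echo-time issues ignored because both fired together, and the FILE_READ issue never considered because its path matched the ignoredFiles glob; remove ECHO_TIME_NOT_DEFINED from the input and ECHO_TIME_GREATER_THAN stays an error, which is the "and" behaviour the README describes.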
For passing a configuration while using the bids-validator on the command line, you can use the following style to, for example, ignore empty file errors (99) and files that cannot be read (44):
bids-validator --config.ignore=99 --config.ignore=44 path/to/bids/dir
This style of use puts limits on what configuration you can require, so for complex scenarios, we advise users to create a dedicated configuration file with contents as described above.
The BIDS Validator currently works in the browser with browserify or webpack. You can add it to a project by cloning the validator and requiring it with browserify syntax
const validate = require('bids-validator');
or an ES2015 webpack import
import validate from 'bids-validator'
The BIDS validator works like most npm packages. You can install it by running npm install bids-validator.
If you install the bids validator globally by using npm install -g bids-validator you will be able to use it as a command line tool. Once installed you should be able to run bids-validator /path/to/your/bids/directory and see any validation issues logged to the terminal. Run bids-validator without a directory path to see available options.
To use bids validator with docker, you simply need to install docker on your system. And then from a terminal run:
docker run -ti --rm bids/validator --version
to print the version of the docker image;
docker run -ti --rm bids/validator --help
to print the help;
docker run -ti --rm -v /path/to/data:/data:ro bids/validator /data
to validate the dataset /path/to/data on your host machine.
See here for a brief explanation of the commands:
docker run is the command to tell docker to run a certain docker image, usually taking the form docker run <IMAGENAME> <COMMAND>.
The -ti flag means the inputs are accepted and outputs are printed to the terminal.
The --rm flag means that the state of the docker container is not saved after it has run.
The -v flag is adding your local data to the docker container (bind-mounts). Importantly, the input after the -v flag consists of three fields separated by colons (:): /path/to/data, the dataset on your host machine; /data, where it appears inside the container; and ro, to specify that the mounted data is read only.
There is a limited library of helper functions written in Python. The main function determines if a file extension is compliant with the BIDS specification. You can find the available functions in the library, as well as their descriptions, here.
To install, run pip install -U bids_validator (requires python and pip) or conda install bids-validator (requires a Conda environment).
from bids_validator import BIDSValidator
validator = BIDSValidator()
filepaths = ["/sub-01/anat/sub-01_rec-CSD_T1w.nii.gz", "/sub-01/anat/sub-01_acq-23_rec-CSD_T1w.exe"]
for filepath in filepaths:
    print(validator.is_bids(filepath))  # will print True, and then False
Note, the file path must be relative to the root of the BIDS dataset, and a leading forward slash / must be added to the file path.
To develop locally, clone the project and run npm install from the project root. This will install external dependencies. If you wish to install bids-validator globally (so that you can run it in other folders), use the following command to install it globally: cd bids-validator && npm install -g (for windows users, if in a different drive add /d, e.g. cd /d F:\bids-validator && npm install -g).
Please see the CONTRIBUTING.md for additional details.
bids-validator is bundled with esbuild. While developing, the script bids-validator/bin/bids-validator
will automatically bundle the project each time it is run. To test a build without publishing it npm -w bids-validator run build
. This will generate a bids-validator/dist directory containing the local build and bids-validator/bin/bids-validator
will use this build. To return to automatic bundling on each run, remove the dist directory.
A note about OS X, the dependencies for the browser require a npm package called node-gyp which needs xcode to be installed in order to be compiled.
The web version of bids-validator lives in the repo subdirectory /bids-validator-web. It is a React.js application that uses the next.js framework.
To run bids-validator and see how it will act in the browser, simply run npm run web-dev in the project root and navigate to localhost:3000.
Changes to ./bids-validator in the codebase will also be reflected in the web application.
Tests for the web application live in ./bids-validator-web/tests.
We can always use more tests, so please feel free to contribute a test that reduces the chance of any bugs you fix!
npm run web-export
If it's your first time running tests, first use the command git submodule update --init --depth 1 to pull the test example data. This repo contains the bids-examples github repository as a submodule.
To start the test suite run npm run test from the project root. npm run test -- --watch is useful to run tests while making changes. A coverage report is available with npm run coverage.
To run the linter which checks code conventions run npm run lint.
Global installs are not recommended for development because of the possibility of package conflicts with other Node.js projects. If you do need to test with a global install from a development tree, follow these steps to generate the NPM package without publishing it and install the package locally.
npm -w bids-validator run build
npm -w bids-validator pack
npm install -g bids-validator-*.tgz
Publishing is done with Lerna. Use the command npx lerna publish and follow instructions to set a new version.
Using lerna publish will create a git commit with updated version information and create a version number tag for it, push the tag to GitHub, then publish to NPM and PyPI. The GitHub release is manual following that.
Many contributions to the bids-validator were done by members of the BIDS community. See the list of contributors.
A large part of the development of bids-validator is currently done by Squishymedia, who are in turn financed through different grants offered for the general development of BIDS. See the list below.
Development and contributions were supported through the following federally funded projects/grants:
Validator for the Brain Imaging Data Structure
We found that bids-validator demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.