Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Comparing two JSON files presents an issue when the two files have certain fields which are dynamically generated (e.g. timestamps), variable ordering, or other fields which need to be excluded or undergo specialized comparison for one reason or another. Enter custom-json-diff, which allows you to specify fields to ignore in the comparison and sorts all fields.
pip install custom-json-diff
Note, you may use cjd
rather than custom-json-diff
to run.
usage: custom-json-diff [-h] [-v] -i INPUT INPUT [-o OUTPUT] [-c CONFIG] [-x EXCLUDE] [--debug] {preset-diff} ...
positional arguments:
{preset-diff} subcommand help
preset-diff Compare CycloneDX BOMs or Oasis CSAFs
options:
-h, --help show this help message and exit
-v, --version show program's version number and exit
-i INPUT INPUT, --input INPUT INPUT
Two JSON files to compare - older file first.
-o OUTPUT, --output OUTPUT
Export JSON of differences to this file.
-c CONFIG, --config-file CONFIG
Import TOML configuration file (overrides commandline options).
-x EXCLUDE, --exclude EXCLUDE
Exclude field(s) from comparison.
--debug Print debug messages.
preset-diff usage
usage: custom-json-diff preset-diff [-h] [--allow-new-versions] [--allow-new-data] [--type PRESET_TYPE] [-r REPORT_TEMPLATE] [--include-extra INCLUDE] [--include-empty] [--bom-profile BOM_PROFILE]
options:
-h, --help show this help message and exit
--allow-new-versions, -anv
BOM only - allow newer versions in second BOM to pass.
--allow-new-data, -and
Allow populated values in newer BOM or CSAF to pass against empty values in original BOM/CSAF.
--type PRESET_TYPE Either bom or csaf
-r REPORT_TEMPLATE, --report-template REPORT_TEMPLATE
Jinja2 template to use for report generation.
--include-extra INCLUDE
BOM only - include properties/evidence/licenses/hashes/externalReferences (list which with comma, no space, inbetween).
--include-empty, -e Include keys with empty values in summary.
--bom-profile BOM_PROFILE, -b BOM_PROFILE
Beta feature. Options: gn, gnv, nv -> only compare bom group/name/version.
CJD offers advanced diffing for Cyclonedx BOM (v1.5 or v1.6) produced by CycloneDx Cdxgen and Oasis CSAF v2 produced by OWASP-dep-scan.
The preset-diff --type bom
command compares CycloneDx BOM components, services, and dependencies, as well as data
outside of these parts.
Some component fields are excluded from the component comparison by default but can be explicitly
specified for inclusion using preset-diff --include-extra
and whichever field(s) you wish to include (e.g.
--include-extra properties,evidence,licenses
:
You can use the -x --exclude switch before the preset-diff command to exclude any of these (see Specifying fields to exclude) except for bom-ref, as that is needed for the comparison - if the bom-ref includes a version, that part can be excluded as needed (see Allowing newer versions).
Default included fields:
bomFormat metadata specVersion version
components:
services
dependencies
vulnerabilities
CSAF diffing includes the following fields at this time. Only the vulnerabilities section uses the allows new data option. Fields can be excluded using the -x --exclude as described for bom diffing except for title as that is currently being populated by depscan with the bom-ref of the vulnerability as a unique id.
document
product_tree
vulnerabilities
[Currently BOM only] The --allow-new-versions option attempts to parse component versions and ascertain if a discrepancy is attributable to an updated version. Dependency refs and dependents are compared with the version string removed rather than checking for a newer version.
The --allow-new-data option allows for empty fields in the original BOM not to be reported as a difference when the data is populated in the second specified BOM. It also addresses when a field such as properties is expanded, checking that all original elements are still present but allowing additional elements in the newer BOM.
The --components-only option only analyzes components, not services, dependencies, or other data.
You may use the builtin report templates or create one of your own. The variables available to you for each preset type are as follows.
BOM
CSAF
To exclude fields from comparison, use the -x
or --exclude
flag and specify the field name(s)
to exclude. The json will be flattened, so fields are specified using dot notation. For example:
{
"field1": {
"field2": "value",
"field3": [
{"a": "val1", "b": "val2"},
{"a": "val3", "b": "val4"}
]
}
}
is flattened to:
{
"field1.field2": "value",
"field1.field3.[0].a": "val1",
"field1.field3.[0].b": "val2",
"field1.field3.[1].a": "val3",
"field1.field3.[1].b": "val4"
}
To exclude field2, you would specify field1.field2
. To exclude the a
field in the array of
objects, you would specify field1.field3.[].a
(do NOT include the array index, just do []
).
Multiple fields may be specified separated by a comma (no space). To better understand what your fields should
be, check out json-flatten, which is the package used for this function.
custom-json-diff will sort the imported JSON alphabetically. If your JSON document contains arrays of objects, you will need to specify any keys you want to sort by in a toml file or use a preset. The first key located from the provided keys that is present in the object will be used, so order any keys provided accordingly.
[settings]
excluded_fields = []
sort_keys = ["url", "content", "ref", "name", "value"]
[preset_settings]
type = "bom"
allow_new_data = false
allow_new_versions = true
components_only = false
include_extra = ["licenses", "properties", "hashes", "evidence", "externalReferences"]
report_template = "custom_json_diff/bom_diff_template.j2"
FAQs
CycloneDx BOM and Oasis CSAF diffing and comparison tool.
We found that custom-json-diff demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.