{"id":44332243,"url":"https://github.com/secvisogram/csaf-cms-backend","last_synced_at":"2026-02-11T10:09:33.225Z","repository":{"id":38086568,"uuid":"447612476","full_name":"secvisogram/csaf-cms-backend","owner":"secvisogram","description":"CSAF CMS Backend is a REST-based backend to support the creation and management of CSAF 2.0 documents ","archived":false,"fork":false,"pushed_at":"2025-11-17T12:59:33.000Z","size":1738,"stargazers_count":10,"open_issues_count":8,"forks_count":5,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-11-17T14:34:19.364Z","etag":null,"topics":["csaf","csaf-cms-backend","mit-license"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/secvisogram.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-01-13T13:37:17.000Z","updated_at":"2025-11-17T12:59:32.000Z","dependencies_parsed_at":"2024-03-01T10:48:24.234Z","dependency_job_id":"e1e72833-54ab-4249-9b3a-8b2643234349","html_url":"https://github.com/secvisogram/csaf-cms-backend","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/secvisogram/csaf-cms-backend","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secvisogram%2Fcsaf-cms-backend","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secvisogram%2Fcsaf-cms-backend/tags","releases_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/repositories/secvisogram%2Fcsaf-cms-backend/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secvisogram%2Fcsaf-cms-backend/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/secvisogram","download_url":"https://codeload.github.com/secvisogram/csaf-cms-backend/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secvisogram%2Fcsaf-cms-backend/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29331740,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-11T06:13:03.264Z","status":"ssl_error","status_checked_at":"2026-02-11T06:12:55.843Z","response_time":97,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csaf","csaf-cms-backend","mit-license"],"created_at":"2026-02-11T10:09:31.746Z","updated_at":"2026-02-11T10:09:33.220Z","avatar_url":"https://github.com/secvisogram.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# BSI Secvisogram CSAF Backend\n\n![Coverage](https://raw.githubusercontent.com/secvisogram/csaf-cms-backend/badges/.github/badges/jacoco.svg)\n\n- [About The Project](#about-the-project)\n- [Getting started](#getting-started)\n- [How to use](#how-to-use)\n- [Developing](#developing)\n- [Contributing](#contributing)\n- [Dependencies](#dependencies)\n\n## About The Project\n\nThis 
is the backend for a Content Management System for CSAF documents.\nIt offers a REST service for listing, searching, deleting, creating, commenting on and exporting CSAF documents.\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n## Getting started\n\nTo run the CSAF CMS server you need the following:\n\n- [Keycloak](https://www.keycloak.org/)\n- A proxy like [oauth2-proxy](https://oauth2-proxy.github.io/oauth2-proxy/)\n- [CouchDB](https://couchdb.apache.org/)\n\nYou can find an example setup for local development in the 'compose.yaml' and\nan example configuration for Keycloak in 'keycloak/csaf-realm.json'. You can\ntake this as a starting point, but please check the documentation of the\nindividual projects for a proper production setup. We also recommend\nrunning everything behind some kind of reverse proxy. Please take a look at our\n[Architecture](https://github.com/secvisogram/csaf-cms-backend/blob/main/documents/BSISecvisogramArchitecture.drawio.svg)\nfor an overview.\n\nThe [secvisogram](https://github.com/secvisogram/secvisogram) frontend is usable\nas a standalone version without this server. You can still use this standalone\nmode if the frontend is not behind the proxy, like in the development setup.\nIn this setup where both standalone and server mode are available, the login is\nonly required to manage documents on the server or validate against the\n[validator service](https://github.com/secvisogram/csaf-validator-service).\n\nTo build the application run:\n\n```shell\n./mvnw package\n```\n\nThe resulting jar file in the `target` folder can then be run with\n`java -jar filename.jar`. 
To manage the process you can use Docker or an init\nsystem of your choice.\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n## How to use\n\nPlease have a look at the [API documentation](https://secvisogram.github.io/csaf-cms-backend/) on how to use this application.\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n### Management of tracking information\n\nThe system automatically manages information under `document/tracking` of CSAF documents.\nThe revision history is managed as described in the [architecture decisions document](documents/architecture-decisions.md).\n\nThe tracking ID is automatically set to a temporary ID when creating a new advisory and updated to a final ID when the document is published.\nFor generating the tracking IDs, a company name should be set in the environment variable `CSAF_TRACKINGID_COMPANY`.\nThe variable `CSAF_TRACKINGID_DIGITS` defines the number of digits used in the tracking ID. It defaults to 5 if nothing is set.\nIf `CSAF_REFERENCES_BASE_URL` is defined, a reference in `document/references` with the set URL is added when publishing the document.\nSee **.env.example** for an example configuration.\n\n### Management of engine data\n\nWhen creating or updating an advisory, the information for `document/tracking/engine` is updated.\nThe `name` and `version` are set according to the corresponding values of the backend's build. \n\n### Importing\n\nExisting valid and published advisories can be imported on startup of the application.\nThe advisories to be imported must be stored in JSON format in a directory called `import` in the root directory.\nDuplicates are identified by their tracking ID and not imported again.\n\n## Developing\n\nThe configuration of the application as well as the compose file is done in\na local **.env** file. To start, simply copy the **.env.example** file to **.env**.\nIf you want different passwords, database names or ports you can change them\nin that file. 
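
As a pre-flight check for the `import` directory described under Importing above, here is an added Python script; it is not code from the project (the backend's own import logic is Java and is not shown on this page). It applies the README's rule that duplicates are identified by tracking ID and also requires `document/tracking/status` to be `final`, which is an assumption about how the README's "published" maps to the CSAF 2.0 status values (`draft`, `interim`, `final`). The sample files are constructed; point the script at a real directory to check it before starting the server.

```python
"""Pre-flight check for the advisory `import` directory.

Added example, not project code: the backend imports advisories from a directory
called `import` on startup and skips duplicates by tracking ID.  This script
previews that decision offline.  Assumption: a "published" advisory is one whose
document/tracking/status is "final"; adjust PUBLISHED_STATUS if your rule differs.
"""
import json
import os
from typing import Dict, List, Optional, Tuple

PUBLISHED_STATUS = "final"  # assumption, see module docstring


def tracking_id(doc: object) -> Optional[str]:
    """Return document/tracking/id if present and a non-empty string, else None."""
    document = doc.get("document") if isinstance(doc, dict) else None
    tracking = document.get("tracking") if isinstance(document, dict) else None
    tid = tracking.get("id") if isinstance(tracking, dict) else None
    return tid if isinstance(tid, str) and tid else None


def classify(files: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Sort (name, raw_json) pairs into import / duplicate / skipped buckets.

    Files are processed in the order given; the first file carrying a tracking ID
    wins and later files with the same ID are reported as duplicates, which is
    the README's rule ("duplicates are identified by their tracking ID").
    """
    result: Dict[str, List[Tuple[str, str]]] = {"import": [], "duplicate": [], "skipped": []}
    first_seen: Dict[str, str] = {}
    for name, raw in files:
        try:
            doc = json.loads(raw)
        except json.JSONDecodeError as exc:
            result["skipped"].append((name, f"invalid JSON: {exc.msg} at line {exc.lineno}"))
            continue
        tid = tracking_id(doc)
        if tid is None:
            result["skipped"].append((name, "missing document/tracking/id"))
            continue
        status = doc["document"]["tracking"].get("status")
        if status != PUBLISHED_STATUS:
            result["skipped"].append((name, f"status {status!r} is not {PUBLISHED_STATUS!r}"))
            continue
        if tid in first_seen:
            result["duplicate"].append((name, f"same tracking id as {first_seen[tid]}"))
            continue
        first_seen[tid] = name
        result["import"].append((name, tid))
    return result


def scan_directory(path: str) -> Dict[str, List[Tuple[str, str]]]:
    """Read every *.json file in `path` (sorted for determinism) and classify it."""
    files = []
    for entry in sorted(os.listdir(path)):
        if entry.lower().endswith(".json"):
            with open(os.path.join(path, entry), encoding="utf-8") as fh:
                files.append((entry, fh.read()))
    return classify(files)


def _advisory(tid: str, status: str) -> str:
    return json.dumps({"document": {"tracking": {"id": tid, "status": status}}})


# Constructed sample input: two published advisories that share an ID, a draft,
# a document without a tracking block and a file that is not JSON at all.
SAMPLE_FILES = [
    ("adv-1.json", _advisory("EX-2024-00001", "final")),
    ("adv-1-copy.json", _advisory("EX-2024-00001", "final")),
    ("adv-2.json", _advisory("EX-2024-00002", "draft")),
    ("no-id.json", json.dumps({"document": {"title": "no tracking block"}})),
    ("broken.json", "{not json"),
]

if __name__ == "__main__":
    import sys
    report = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else classify(SAMPLE_FILES)
    for bucket, entries in report.items():
        print(bucket.upper())
        for name, detail in entries:
            print(f"  {name}: {detail}")
```

Run it with the path of your `import` directory as the only argument; without an argument it classifies the constructed sample set. The script only reports, it never moves or deletes files.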
Please note that the following setup is for development purposes\nonly and should not be used in production.\n\n```mermaid\n   C4Component\n    title Component diagram for CSAF CMS Backend\n\n    Person(user,\"User\")\n    Container(reverseproxy, \"Reverse-Proxy\", \"nginx\")\n    \n    Container_Boundary(c4, \"Internal\") {\n        Container(secvisogram, \"Secvisogram\", \"nginx + javascript\", \"Serves the Secvisogram frontend to the web browser.\")\n\n        Container_Boundary(c2, \"Keycloak\") {\n            Container(keycloak, \"Keycloak\", \"keycloak\")\n            ContainerDb(keycloak-db, \"PostgreSQL\", \"Keycloak-Database\")\n        }\n\n        Container_Boundary(c3, \"Oauth\") {\n            Container(oauth, \"OAuth2-Proxy\", \"Authentication for REST-API\")\n            Container(validator, \"CSAF validator service\", \"node\")\n\n            Container_Boundary(c1, \"Backend\") {\n                Container(backend, \"CSAF-CMS-Backend\", \"Spring Boot\")\n                ContainerDb(backend-db, \"CouchDB\", \"CMS-Backend-Database\")\n            }\n        }\n    }\n\n    Rel(user, reverseproxy,\"\",\"HTTPS\")\n    Rel(reverseproxy, secvisogram,\"/\")\n    Rel(reverseproxy, oauth,\"/api/*\")\n    Rel(reverseproxy, keycloak,\"/realms/csaf/\")\n    Rel(oauth, validator, \"/api/v1/test\")\n    Rel(oauth, validator, \"/api/v1/validate\")\n    Rel(oauth, backend, \"/api/v1/advisories/*\")\n    Rel(backend, backend-db,\"\")\n    Rel(backend, keycloak,\"\")\n    Rel(keycloak, keycloak-db,\"\")\n   \n\n```\n\n- run `docker compose up -d` in folder `docker`\n- To set up our CouchDB server open `http://127.0.0.1:5984/_utils/#/setup`\n  and run the [Single Node Setup](https://docs.couchdb.org/en/stable/setup/single-node.html). 
This creates databases like **_users** and stops CouchDB from spamming our logs (admin credentials are in docker/.env)\n- Create a database in CouchDB with the name specified in `CSAF_COUCHDB_DBNAME`\n- run `docker compose up keycloak-setup` to initialize Keycloak.\n- Open `http://localhost:9000/` and log in with the admin user that is specified in `CSAF_KEYCLOAK_ADMIN_USER` and `CSAF_KEYCLOAK_ADMIN_PASSWORD`.\n    - The port is defined in docker/.env - CSAF_KEYCLOAK_PORT, default 9000.\n    - Select the `CSAF` realm\n    - On the left side, navigate to \"Clients\" and select the Secvisogram client.\n    - Select the **Credentials** tab and copy the Secret. This is our\n      `CSAF_CLIENT_SECRET` environment variable.\n- [Generate a cookie secret](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#generating-a-cookie-secret)\n  and paste it in `CSAF_COOKIE_SECRET`. Both this value and `CSAF_CLIENT_SECRET`\n  are credentials: keep the local **.env** out of version control.\n- restart the stack with `docker compose down` and `docker compose up -d` so the containers pick up the new values\n- (required for exports) install [pandoc (tested with version 2.18)](https://pandoc.org/installing.html)\n  as well as [weasyprint (tested with version 56.0)](https://weasyprint.org/) and make sure both are in\n  your PATH\n- (optional for exports) define the path to a company logo that should be used in the exports through the environment variable `CSAF_COMPANY_LOGO_PATH`. The path can either be relative to the project root or absolute. 
See the .env.example file for an example.\n- start CSAF-CMS-Backend with `./mvnw spring-boot:run`\n\nThe Spring Boot application should now be running: navigate to\n`http://localhost/api/v1/about`, log in with one of the users below and you\nshould get a response from the server.\n\nSecvisogram itself is reachable at `http://localhost/`.\nThe development setup provides the following default users:\n\n|User       |Password   |Roles                                                        |\n|-----      |--------   |-----                                                        |\n|registered |registered |**registered**                                               |\n|author     |author     |registered, editor, **author**                               |\n|editor     |editor     |registered, **editor**                                       |\n|publisher  |publisher  |registered, editor, **publisher**                            |\n|reviewer   |reviewer   |registered, **reviewer**                                     |\n|auditor    |auditor    |**auditor**                                                  |\n|all        |all        |**auditor, reviewer, publisher, editor, author, registered** |\n|none       |none       |                                                             |\n\nThese accounts and their passwords exist for local development only; do not carry them over into a production realm.\n\n### Login \u0026 Logout in combination with Secvisogram\n\nSome explanation of the `logoutUrl` configured in `.well-known/appspecific/de.bsi.secvisogram.json` for Secvisogram:\n\n```\n\"logoutUrl\": \"/oauth2/sign_out?rd=http://localhost/realms/csaf/protocol/openid-connect/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost\u0026client_id=secvisogram\",\n```\n\n`/oauth2/sign_out` is the sign-out endpoint of oauth2-proxy; it invalidates the session on the proxy. Then, a redirect to Keycloak (`http://localhost/realms/csaf/protocol/openid-connect/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost\u0026client_id=secvisogram`) is necessary to log out from the session on Keycloak. 
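
The following Python script is an added example and not code from the project or this README. It serves two passages at once: it automates two of the setup steps above from the local **.env** (creating the CouchDB database named in `CSAF_COUCHDB_DBNAME` with CouchDB's `PUT /{db}`, and generating a `CSAF_COOKIE_SECRET` value with the same shape as the oauth2-proxy recipe linked above), and it builds the chained `logoutUrl` just explained for whatever public origin a deployment uses. The variable names `CSAF_COUCHDB_PORT`, `CSAF_COUCHDB_USER`, `CSAF_COUCHDB_PASSWORD` and `PUBLIC_ORIGIN` and the sample `.env` contents are assumptions and constructed data; the README's own `logoutUrl` value is embedded verbatim for comparison. That comparison is the point of `rd_target`: the configured value leaves the inner `?` and `&` unencoded, so any parser that splits the query on `&` (Python's `parse_qs` here) assigns `client_id=secvisogram` to the `/oauth2/sign_out` request rather than to the Keycloak URL inside `rd`, whereas `sign_out_chain` encodes the Keycloak URL once as a whole so every parameter stays inside `rd`.

```python
"""Local-development helper driven by the .env file (added example, not project code).

Creates the CouchDB database named in CSAF_COUCHDB_DBNAME, generates a value for
CSAF_COOKIE_SECRET and builds the chained logoutUrl for any public origin.  The names
CSAF_COUCHDB_PORT, CSAF_COUCHDB_USER, CSAF_COUCHDB_PASSWORD and PUBLIC_ORIGIN are
assumptions; rename them to match your .env.
"""
import base64
import secrets
import urllib.error
import urllib.parse
import urllib.request


def parse_env(text: str) -> dict:
    """Minimal .env parser: KEY=VALUE per line, '#' comments, optional quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip matching single or double quotes
        env[key.strip()] = value
    return env


def generate_cookie_secret() -> str:
    """32 CSPRNG bytes as URL-safe base64, the shape of the documented openssl recipe."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode("ascii")


def couchdb_db_request(env: dict) -> urllib.request.Request:
    """CouchDB creates a database with `PUT /{db}`; authenticate as the admin from .env."""
    url = f"http://127.0.0.1:{env.get('CSAF_COUCHDB_PORT', '5984')}/{urllib.parse.quote(env['CSAF_COUCHDB_DBNAME'], safe='')}"
    credentials = f"{env['CSAF_COUCHDB_USER']}:{env['CSAF_COUCHDB_PASSWORD']}".encode()
    request = urllib.request.Request(url, method="PUT")
    request.add_header("Authorization", "Basic " + base64.b64encode(credentials).decode("ascii"))
    return request


def create_database(env: dict) -> str:
    """Idempotent: HTTP 201 means created, 412 means the database already exists."""
    try:
        with urllib.request.urlopen(couchdb_db_request(env), timeout=5) as response:
            return f"created (HTTP {response.status})"
    except urllib.error.HTTPError as exc:
        if exc.code == 412:
            return "already exists"
        raise


def sign_out_chain(public_origin: str, client_id: str = "secvisogram", realm: str = "csaf") -> str:
    """oauth2-proxy sign-out -> Keycloak logout -> Secvisogram; the Keycloak URL is the
    value of `rd`, so it is percent-encoded once as a whole and its own `?`/`&` survive."""
    keycloak_logout = f"{public_origin}/realms/{realm}/protocol/openid-connect/logout?" + urllib.parse.urlencode(
        {"post_logout_redirect_uri": public_origin, "client_id": client_id})
    return "/oauth2/sign_out?" + urllib.parse.urlencode({"rd": keycloak_logout})


def rd_target(sign_out_url: str) -> dict:
    """Parse a sign-out URL like a query parser does; return path and parameters of the
    Keycloak request that `rd` actually carries."""
    rd = urllib.parse.parse_qs(urllib.parse.urlsplit(sign_out_url).query).get("rd", [""])[0]
    inner = urllib.parse.urlsplit(rd)
    target = {"path": inner.path}
    target.update({key: values[0] for key, values in urllib.parse.parse_qs(inner.query).items()})
    return target


SAMPLE_ENV = """
# constructed sample .env with development-only values
CSAF_COUCHDB_DBNAME=csaf
CSAF_COUCHDB_PORT=5984
CSAF_COUCHDB_USER=admin
CSAF_COUCHDB_PASSWORD="dev-only-password"
PUBLIC_ORIGIN=http://localhost
"""

# The logoutUrl exactly as configured in the README above, for comparison.
README_LOGOUT_URL = ("/oauth2/sign_out?rd=http://localhost/realms/csaf/protocol/openid-connect/logout"
                     "?post_logout_redirect_uri=http%3A%2F%2Flocalhost&client_id=secvisogram")

if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    print("CSAF_COOKIE_SECRET=" + generate_cookie_secret())
    print("logoutUrl:", sign_out_chain(env["PUBLIC_ORIGIN"]))
    print("rd carries (README value):", rd_target(README_LOGOUT_URL))
    print("rd carries (encoded value):", rd_target(sign_out_chain(env["PUBLIC_ORIGIN"])))
    try:
        print("CouchDB:", create_database(env))
    except OSError as exc:  # connection refused, or an HTTP error other than 412
        print("CouchDB request failed (is `docker compose up -d` running?):", exc)
```

Two caveats when adapting the chain to another hostname: oauth2-proxy validates `rd` and only follows an absolute URL whose host matches one of its configured whitelist domains, so if the chain stops at the proxy check that setting first; and Keycloak only honours `post_logout_redirect_uri` when it can identify the client (here via `client_id`), which is why keeping that parameter inside `rd` matters.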
Subsequently, there is a redirect back to Secvisogram (`localhost`).\nWhen hostnames are changed, both the Keycloak logout URL in `rd` and the `post_logout_redirect_uri` inside it have to be adapted.\n\n### build and execute tests\n\n`./mvnw clean verify`\n\n### start application\n\n`./mvnw spring-boot:run`\n\nwith main class: `de.bsi.secvisogram.csaf_cms_backend.SecvisogramApplication`\n\n### check application running\n\nThe port is defined in .env - CSAF_CMS_BACKEND_PORT, default 8081.\n\nhttp://localhost:8081/api/v1/about\n\nSwagger UI\n\nhttp://localhost:8081/swagger-ui/index.html\n\nOpenAPI specification\n\nhttp://localhost:8081/api-docs\n\n### access couchDB\n\nThe CouchDB port is defined in .env, default 5984 (`CSAF_CMS_BACKEND_PORT` is the backend's port, not CouchDB's).\n\n[http://localhost:5984/_utils/#login](http://localhost:5984/_utils/#login)\n\nCouchDB info (port is defined in .env):\n\n[http://localhost:5984/](http://localhost:5984/)\n\n## Contributing\n\nYou can find our guidelines here: [CONTRIBUTING.md](https://github.com/secvisogram/secvisogram/blob/main/CONTRIBUTING.md)\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n## Dependencies\n\n### Check for Maven Plugin update\n\n`./mvnw versions:display-plugin-updates`\n\n### Check for dependency update\n\n`./mvnw versions:display-dependency-updates`\n\n### Spring Boot\n\n#### Reference Documentation\n\nFor further reference, please consider the following sections (note that this project builds with the Maven wrapper, `./mvnw`, not Gradle):\n\n* [Official Gradle documentation](https://docs.gradle.org)\n* [Spring Boot Gradle Plugin Reference Guide](https://docs.spring.io/spring-boot/docs/2.6.2/gradle-plugin/reference/html/)\n* [Create an OCI image](https://docs.spring.io/spring-boot/docs/2.6.2/gradle-plugin/reference/html/#build-image)\n* [Mustache](https://docs.spring.io/spring-boot/docs/2.6.2/reference/htmlsingle/#boot-features-spring-mvc-template-engines)\n* [Spring Data Couchbase](https://docs.spring.io/spring-boot/docs/2.6.2/reference/htmlsingle/#boot-features-couchbase)\n* [Spring 
Web](https://docs.spring.io/spring-boot/docs/2.6.2/reference/htmlsingle/#boot-features-developing-web-applications)\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n#### Guides\n\nThe following guides illustrate how to use some features concretely:\n\n* [Building a RESTful Web Service](https://spring.io/guides/gs/rest-service/)\n* [Serving Web Content with Spring MVC](https://spring.io/guides/gs/serving-web-content/)\n* [Building REST services with Spring](https://spring.io/guides/tutorials/bookmarks/)\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n#### Additional Links\n\nThese additional references should also help you:\n\n* [Gradle Build Scans – insights for your project's build](https://scans.gradle.com#gradle)\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n### Code Quality Rules\n\n[Exxcellent Code Quality Rules](https://www.exxcellent.de/confluence/pages/viewpage.action?pageId=65113099)\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n#### SpotBugs\n\n- [IntelliJ SpotBugs](https://plugins.jetbrains.com/plugin/14014-spotbugs)\n- [spotbugs-gradle-plugin](https://github.com/spotbugs/spotbugs-gradle-plugin)\n- [find-sec-bugs](https://find-sec-bugs.github.io/)\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n#### Jacoco\n\n- [Jacoco Plugin](https://docs.gradle.org/current/userguide/jacoco_plugin.html#sec:jacoco_report_configuration)\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n### Links\n\n#### CSAF\n\n[OASIS CSAF](https://oasis-open.github.io/csaf-documentation/)\n\n[BSI CSAF](https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Industrielle-Steuerungs-und-Automatisierungssysteme/CSAF/CSAF_node.html)\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n#### JSON\n\n- [CSAF 2.0 JSON Schema](https://docs.oasis-open.org/csaf/csaf/v2.0/csaf_json_schema.json)\n- [JSON Schema](https://json-schema.org/draft/2019-09/json-schema-core.html)\n- [JSON Schema 
Validation](https://json-schema.org/draft/2019-09/json-schema-validation.html)\n- [JSON Hyper-Schema](https://json-schema.org/draft/2019-09/json-schema-hypermedia.html)\n- [CVSS 2.0](https://www.first.org/cvss/cvss-v2.0.json)\n- [CVSS 3.0](https://www.first.org/cvss/cvss-v3.0.json)\n- [CVSS 3.1](https://www.first.org/cvss/cvss-v3.1.json)\n- [JSON API](https://jsonapi.org/)\n- [JSON Patch](http://jsonpatch.com/)\n- [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901)\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n#### Mustache\n\n[Mustache samskivert](https://github.com/samskivert/jmustache)\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n#### PoC for Backend\n\n[PoC Backend](https://github.com/csaf-poc/csaf_backend)\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n#### Open API/ Swagger\n\n[Open API](https://www.openapis.org/)\n[Swagger Annotations](https://github.com/swagger-api/swagger-core/wiki/Swagger-2.X---Annotations)\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n\n#### diagrams.net (formerly known as draw.io)\n\n- [diagrams.net](https://www.diagrams.net/)\n\n- [Intellij Integration](https://plugins.jetbrains.com/plugin/15635-diagrams-net-integration)\n\n[(back to top)](#bsi-secvisogram-csaf-backend)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecvisogram%2Fcsaf-cms-backend","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecvisogram%2Fcsaf-cms-backend","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecvisogram%2Fcsaf-cms-backend/lists"}