I need to integrate my saas platform with DAST tools running at the client. (If it is simple (for example CSV, excel) probably it can be imported. Then the saas platform could parse the file and add it as a finding. Then clients can see extra findings).
How can link DAST findings to source code? (if a tool tells you which service/API process was involved in a finding)
Related
I"m looking at converting a dart package (https://pub.dev/packages/sounds) to a federated model using pigeon.
The documentation around combing these two pieces is a little sparse.
Looking at the video_player sample (https://github.com/flutter/plugins/tree/master/packages/video_player/video_player_platform_interface) seems to suggest a federated model as the web platform is separate.
However both the android and ios packages are part of the main package.
Is this just an historical artefact or do the ios and android packages still need to be part of the main plugin?
If they can be separated out what is the correct package(s) structure?
Are then any open source plugins that use pigeon in a fully federated model that could be used as samples?
Having the iOS and Android projects inside of the main package is the standard as of now. I looks like there's discussion around generating federated plugins when running flutter create.
There is an article on the url_launcher federated plugin model refactor which is helpful for figuring out the FS structure:
https://medium.com/flutter/how-to-write-a-flutter-web-plugin-part-2-afdddb69ece6
https://github.com/flutter/plugins/tree/master/packages/url_launcher
As far as Pigeon is concerned, because Pigeon is in pre-release and the federated plugin design is fairly new, I doubt there are any fully federated open source packages using Pigeon. However it seems like your message spec would be owned by the my_plugin_platform_interface package and the generated code would be copied over to your platform specific package e.g. my_plugin_ios, my_plugin_android, my_plugin_macos, etc.
Hope that's of some use.
Why is video_player's android and iOS code not federated?
Is this just an historical artefact or do the ios and android packages still need to be part of the main plugin?
It appears to either be:
a convenience: flutter create will create a package easily with android/ios boilerplate
historical artefact: They might have created the package before federated plugins were released. (This is why people have requested the flutter create plugin template to generated a federated plugin automatically).
Correct package structure
If they can be separated out what is the correct package(s) structure?
They can be separated out.
For pigeon specifically, you can put the Dart generated code (from Pigeon) in your Platform specific interface, and your Native platform generated code (from Pigeon) in your platform specific package.
In your platform specific package, you should declare it to be a federated plugin (see docs and url_launcher), where url_launcher is the app facing package in that example:
flutter:
plugin:
implements: url_launcher
platforms:
macos:
pluginClass: UrlLauncherPlugin
fileName: url_launcher_macos.dart
Example package
If you take a look at url_launcher, all platforms have federated plugin packages.
Why federate
The advantage of creating a separate platform specific package is that a user can override the default implementation. For video_player, a user cannot override Android or iOS implementation because it is in the app-facing package.
More reading
After writing the above, I found this GitHub issue which goes over a lot of our concerns: https://github.com/woodemi/quick_flutter.brick/issues/22
I have a very frequent test scenario that requires a new Google account every run.
Is there anything that can automate Google account creation like a script or utility or perhaps even an Android app of some sort?
Thanks.
You can try with some automation tools to automate browsers and create new accounts. Some tools may be helpful:
Microsoft Excel (Automate browser using VBA)
https://www.autoitscript.com/site/autoit/downloads/
https://www.macrorecorder.com/
https://www.jitbit.com/macro-recorder/
A lot more tools are available on the web. Test few tools to find the one that fits your needs.
Suppose I have Rails 4 app, call it "Super SaaS". Now my client says he likes my appvery much, but he doesn't want his data to be in the cloud. So he says he would buy a licience from me to deploy "Super SaaS" on his own server. More like Atlassian Jira.
The question is: is there any secure way(in terms of protecting source code) to do that?
While you can probably package up your code as a JRuby application with JAR files and Java byte code, there are decompilers for that, so you can never presume your source to be 100% secure.
Ideally you'd offer some sort of VM appliance that the customer can install, a system image compatible with VMWare or whatever virtualization system they're using. This helps package up a fairly secure environment, but won't protect against a determined adversary trying to get your source code.
If you're giving out your code to someone in any form, compiled or otherwise, you have to have a certain amount of trust. Even compiled executables are not immune to reverse-engineering.
We outsourced the development of Blackberry 5, 6, and 7 apps. Please bare in mind that I have absolutely no knowledge of Blackberry development at all.
Development is complete, and they have sent us the source code - a collection of .cod, .csl, .cso, .debug, .jad and .rapc files.
I would at least like to review the code in terms of it's consistency and standards - somewhat a measure of the quality. Clean code is not something specific to any one platform.
I have tried to open each of these files in notepad, but with no source code found.
Please advise me on what I need before I go pay them a visit.
The files you have been given are the files that are created as part of the build of your project and the resultant executable files. There is no source included here.
In a BB OS Build, regardless of the development environment used, the Java source files will all have the suffix .java, and the assets (images etc.) will have a suffix appropriate to the asset (like .png). If you don't see these file suffixes, then you have not been given the actual source. You should be able to view the java files using Notepad, the other files will open in an appropriate application (like paint).
To get the complete source, you should just ask the full 'project' files for your development. This will be a directory with a number of sub directories. The actual names used and the structure will depend on the development tool. If your developer is using Eclipse, then the two important directories are called src for source and res (resources) for the assets. If they are using another development environment, then the directories might have different names. So you should ask them what development environment they are using too.
Two other points:
1) If you are paying for this development and wish to review the code, but are not familiar with Java, then I would recommend that you pay someone to review the code who has knowledge of BB Java. There are two reasons for this:
(a) you will not be able to form a judgement on the appropriateness of the code without some understanding of Java, and
(b) you will not understand if the correct BB Java approaches have been used.
You need to be cautious about this, because programmers will always find fault in other developer's code. The question is how significant the faults are.
2) Some developers might be wary of giving source to their client while some payment is outstanding.
Apache Maven is a very popular build and dependency management tool in the Java open source ecosphere. I did some tests to find out if it can handle compiled Free Pascal / Delphi units and found it easy to implement. So it would be possible to
release open source libraries precompiled for Free Pascal (or Delphi) in a public Maven repository
include metadata in this repository which contains dependency information
use Maven on the command line to download the open source library from the public repository, and automatically resolve all dependencies
local repositories, working as proxies, could be used to cache frequently used binaries
automatic checksum generation and verification (provided by Maven) would reduce the risk of downloading corrupted binaries
source code and even documentation files could be provided with the binaries
binaries can be provided with or without debug information
continuous integration servers like Hudson, TeamCity or CruiseControl can be used to build projects whenever changes have been submitted to the source control system and notify developers about build errors
This way of dependency management could be very beneficial for open source projects which use many third party libraries with complex dependencies. It would avoid typical conflicts caused by using wrong versions.
For the developer, the workflow for editing and building a project would be reduced to a minimum:
checkout the project source from internal version control system
edit source file(s)
run mvn package to automatically download all required third party libraries (precompiled units) if they are not yet in the workstation's local repository
compile and run
The only additional file for Apache Maven which is required in the project folder is the POM.XML file containing the project information.
Edit: while Maven is usable for some of the required tasks, implementing a solution like Maven in native Free Pascal would have some advantages: no Java SDK required, support for all development platforms where Free Pascal is available, maintenance and plugin development in Pascal.
Usage of a Maven-like tool would not be helpful for open source projects only - commercial projects could access and use the artifacts in public Maven repositories in the same way as well.
Maven features are listed at http://maven.apache.org/maven-features.html
Update:
one use case could be the build of Lazarus, where Maven would download all required libraries and invoke the compiler with the necessary build path arguments. Changes in the dependencies on lower levels would be propagated automatically up to the parent build.
Possible benefits:
less time needed to set up a new work
station, no manual installation of
third party libraries required
less errors caused by wrong library
versions, detection of version
conflicts (for example if two
libraries depend on different
versions of a third library)
artifacts which are created inhouse
can be added to the local maven
repository and shared between
developers and project, central
storage of all artifacts with
metadata
builds are reproducible, just by
using the same source and project
metadata file (pom.xml)
can reduce development time and
increase project stability
Update #2: FPMake
the FPMake build system for Free Pascal seems to be a tool with much potential, in many details it is quite similar to Maven:
FPMake is a pascal based build system developed for and distributed with FPC
FPMake standardizes the building by defining some limits like standard directories
the command fppkg <packagename> will look in a database for the package, extract it, and then compile fpmake.pp and run it
it has standard build targets (clean, build, install, ...)
it can create a 'manifest' file suitable for import into a repository (like mvn deploy or mvn install), the manifest is an XML file which looks very similar to a pom.xml in Maven:
FPMake manifest file:
<packages>
<package name="my-package">
<version major="0" minor="7" micro="6" build="1"/>
<filename>my-package-0.7.6-1.zip</filename>
<author>my name</author>
<license>GPL</license>
<homepageurl>http://www.freepascal.org/</homepageurl>
<email>myname#freepascal.org</email>
<description>this is the package description</description>
<dependencies>
<dependency>
<package packagename="rtl"/>
</dependency>
</dependencies>
</package>
</packages>
Freepascal has been working on a package system of its own in a cross between apt-get and freebsd ports style. (download source/build/install automatically), called fppkg.
However work has stalled. People investing time are the bottleneck, not people wanting to choose tools.
As far as Maven goes, I don't like auxilary tools that need installation of huge external runtimes. It might be fine for a big major app (like Open Office), but not for an util.
I also prefer a tool that is designed to the FPC reality and workflow.
Documentation tools, build tools, download systems, testsuite systems are already all there, it just need a person that dedicates a lot of time into it to make it happen.
Some typical problems when introducing a new technology in a project as FPC, and why it has a tendency to make its own tools:
need to train 20+ committers in parttime.
The only COMMON programming language you can assume is Free Pascal. Even Delphi inner workings can't be taken for granted to be known (many committers came directly to FPC or even still via TP or a Mac Pascal)
Obviously that makes something with plugins in a different language annoying.
Bash script is a close second. (g)make third, but already a magnitude less.
All servers are *nix-like (FreeBSD, OS X, Linux), but not all run Apache. (e.g. my FreeBSD mirror runs XSHTTPD)
somebody most knowledgable must be dedicated maintainer for a long time. Fix problems, update/ do migrations etc. Perferably more than one for obvious reasons.
a major pain are Linux distributions (and FreeBSD to a lesser degree), most maintainers of *nix packages are not capable of more than "./configure;make;make install", and must be spoonfed with a near buildable repository and auxilary files.
In-distribution packaging of FPC/Lazarus has always been important, and is still increasing
All distributions have their own special rules about metadata, depedancies, and how sources must be published. Particularly Debian/Ubuntu is very bureaucratic and slow.
Most don't like third party auto-installers on top of their systems (since that bypasses their dependancy control)
This all leads to the effective practice that own tools in Pascal with minimal scripting work best. Some tools used:
Gmake is mainly used to parameterise the build process on a per directory level, a successor, fpcmake (not really a make derivative despite the name) has begun, but the migration hasn't completed.
Latex and a latex to html conversion (tex4ht, but debian uses hevea) are used in the documentation building (the non library documentation)
The community site (netscape community server which uses TCL scripting, a heavy complex application server) has been a trouble ever since it started, but specially lately since the maintainer became less active.
Mantis has been a problem (specially the email module would crash or lame the server due to the volume), but it has been whipped into shape during successive updates and hard work of several lazarus devels. Currently it is a decent workhorse.
lazarus.freepascal.org PHPBB forum OTOH is relatively painless since a lot of younger people know how to deal with it.
The same goes for subversions (though the more advanced scale needs some adjusting, not everybody is deep into the ins and outs of mergetracking)
If somebody was really serious about Maven, I usually would ask him:
to CRITICIALLY investigate the use for the project. In a very concrete way, with schedule and time estimates. Birds-eye level "everything's possible" overviews are essentialy worthless.
Give some thought on future change of used technologies. Every technology is eventually replaced, even the in-house ones, in 18 year+ projects. A new technology must not make migrations of other infrastructural components hard or involved. The new technology to end all new technologies doesn't exist.
Make a migration plan. Migration is often underrated and underestimated.
And in the end, there is always the 1000000 Euro question, who will do the daily maintenance?
Keep in mind that in a company you just kick the person responsible for the application server. But in an informal environment this is way harder, specially long term, since people's lives, occupations and time spent on the project vary.
Sounds like an interesting plan, but the Delphi community (and FPC even more so, I'd imagine!) values libraries as source far more than precompiled libraries. The general consensus is that anyone who uses a binary-only library is a fool, for two reasons: You can't fix any bugs you find in it, and compiler changes will break compatibility.