Are you able to see my screen? Yeah, I can see it.

Hello everyone, I'm Darshan Vandra and I'm an Associate Software Engineer at Red Hat. With me is Shubham. Yeah, I'm Shubham Mathur, I work as an Associate Software Engineer at Red Hat. Today we'll be talking about CodeReady Dependency Analytics, an open source plugin which provides smart security for your stack. Yeah, let's move.

So the agenda for the session: first we'll discuss the problems faced by developers while developing an application. We mostly run into questions such as: what are the dependencies for my stack, what are the things we should use? We'll be talking about all of that. Other than that, we'll talk about what the CodeReady Dependency Analytics extension is. Then we'll give you a small demo based on the same extension, and then there'll be a slide which shows you how to get this extension. The best part of everything is that it's open source, so it will definitely attract you guys a lot. So let's see what we have for you.

This slide shows what problems a developer faces during the application development phase. In my experience, when we are developing an application, I always face this issue: what is the latest version of a dependency? Am I using the latest version or not? Sometimes I like to visit the GitHub pages: what are the GitHub stats, how many stars does this dependency have, what license does this dependency use, and so on. The second concern that comes up most is: is my application secure? This is a very burning topic right now, right? So this comes up a lot. Am I developing an application which is hack proof, which is vulnerability proof?
So for that we dig deeper and we try to understand whether our dependencies are hack proof, whether a person can hack them, whether they are vulnerable, and so on. These are the things which come into our brain, right? The third thing we see is the license: what type of license should we use for our stack? We go through the content and we understand, okay, this could be a possible license, this one we can use, and so on. But there is no place where we could put our stack and get information on which type of license we can use, right? At the same time, in this scenario where npm is crossing 1.5 million dependencies, something definitely comes into our brain: which dependency is best suited for us, which one to use, which are the current burning dependencies for this type of stack. So these are some things which a developer mostly sees in day to day work, right? These are some problems which a developer faces.

So why am I discussing this? This is kind of the base on which our CRDA platform works. That's why we are talking about the problems. We'll go a little bit in depth about these problems and then we'll move on to how CRDA solves them. Yep. Next slide, Darshan.

Yeah, so here you can see how the dependencies are increasing with time. We can see that from 2011 to 2020 npm has grown like anything; the number of dependencies which npm is taking care of is a lot, right? This is where our first problem comes in: when there are plenty of dependencies and you don't know much about them, you need a platform which gives you information about the dependencies, like the GitHub stats, the license and so on. What is the latest version?
So that's what I'm trying to convey to you guys from this slide: the dependencies are rising, and information about them is something which should be there in the current scenario. Correct. So yeah, next slide.

Now the second thing you can see is a graph from NVD itself. It says, from 2001 till 2022, how many dependencies fall in which severity section. This is a severity distribution over time. Simply, it gives how many dependencies fall in the high severity section, how many fall in medium severity, and how many fall in low severity. From these bars we can definitely understand that in history, like in 2001, 2002, the dependencies falling inside high vulnerabilities were pretty low, and medium were pretty low as well. But right now the scenario has changed completely. We can see the red bar is significantly high, and the green following it, right? So the green means high severity vulnerabilities and the red means medium severity, right? So definitely there are vulnerabilities out there, and we need to secure our applications. This chart gives a clear indication that there is a requirement of security for your stack. Yeah. Next slide, Darshan.

Other than that, as we know, there are more than, I would say, 2500 different open source licenses, right? And each license can have a compatibility issue with other licenses, with the licenses of the other dependencies which you are using. If you are using multiple dependencies, they could internally have a license conflict. Along with that, there is the scenario where you want to know which type of license you should use for your stack. So these are some things which we definitely face. Yeah. Next slide, Darshan.

Yeah, so this is from npm and the next one is from Python, PyPI.
This shows what the trending dependencies are at the current time. You can see the most depended upon packages, the dependencies which are being used most in the past few months. As we saw in the previous slide, the dependencies are rising and new dependencies come every quarter, every month, I would say every week a new dependency comes up. So how do you stay updated? How do you get to know the alternatives to a dependency, which people are liking a lot and which can be integrated with your stack? These are some things which CRDA tackles. These are a few problems which CRDA takes care of, which helps developers get their stack as fit as possible to the current requirements, the current scenarios. Yeah.

So on the next slide I'll explain to you what CRDA is. CRDA is an extension, the Dependency Analytics extension, which we can install in our IDEs, and then it helps us fight all the problems which we discussed. CRDA is hosted on OpenShift and it provides services such as analyzing all the security vulnerabilities associated with your stack. It analyzes what type of license you should use, checks the compatibility, which license is best suited for you. And its recommendation engine is so superb that it even gives you the companion packages: what other packages you can use, what other people are using in their application stacks, so you can simply get an idea and then take it into your stack as well. It even gives you the GitHub stats of the newly recommended dependencies. So this is how the CRDA platform helps in fighting those problems. Currently, CRDA supports JavaScript, Java and Python. In the near future we will be coming up with Golang and more languages.
So currently we support JavaScript, Java and Python. Now you may be wondering how we identify these vulnerabilities. These vulnerabilities are based on the database by NVD, and now we are in a close partnership with Snyk as well. So we even have the support from Snyk to view the most advanced vulnerability reports and the most advanced vulnerability details about your stack. Other than that, we even use a DPI model to identify the recommendations. Along with that, yeah, that's all I could say right now: we use a deep machine learning, AI based algorithm to tackle all these problems. Yeah, the next slide please.

Yeah, the next slide is the demo. I'll hand it over to Darshan. He'll give you more depth about the Dependency Analytics tool via the demo itself.

Good. You can see I have the Dependency Analytics plugin installed in my VS Code. Let's see how it works. As soon as you open up a manifest file with the Dependency Analytics plugin installed in VS Code, it will quickly scan your application and flag those dependencies which are vulnerable. Let's see here. You can see the markdown version 2.2.0 is vulnerable, with two known security vulnerabilities and one security advisory. The security advisories are the advisories provided by Snyk, and they are unique to Snyk; they are not publicly available. It also shows the highest severity of the vulnerability; here we can see it's high. You also see the recommended version, which version you can use to avoid this. Let's see how it looks. The overview also provides a summarized message: there are 1747 dependencies, out of which 11 have known security vulnerabilities, and one has security advisories. It also provides a quick fix. Let's see how the quick fix works.
So in this diagnostic, we can also do a quick fix. You can see the version changed from 2.2.0 to 2.3.9. We have a new page, and you can see that 2.3.9 is no longer vulnerable, and we can see the notification of the dependency analysis, which is our known security analysis: there won't be any security issues as of now.

Now we can also generate the Dependency Analytics report by right clicking here, and you can also click on this button as well. Let's see how the Dependency Analytics report looks. It will have a detailed analysis of the vulnerabilities. For the Dependency Analytics report we have four cards. The first card has the security issues, which has the detailed analysis of each vulnerability, and it also provides the vulnerabilities in the transitive dependencies. The second card has the dependency details: it gives all the dependency details with the GitHub statistics, vulnerability details, license details and so on. The other tab is the licenses tab, which shows which are the suggested licenses for your application stack. Here you can see there are some unknown packages, whose license could not be matched with the database. And the other one is the add-ons tab, which shows the add-on information about the packages which you can use with your application stack. So you can see NumPy, you can use it with this current application stack.

Now let's see how the detailed vulnerability information looks. For the security card we have two tabs here: one has the commonly known vulnerabilities and one has the vulnerabilities in it. Let's see how it looks. We can see the PyYAML package with the current version 5.2 is vulnerable. The severity of the vulnerability is high. We can also see the link to the vulnerability, and the recommended version is 5.3.1. Then we can also see the transitive vulnerabilities.
So for this package, you can see that it has vulnerabilities. And there are also transitive packages; urllib3 is a transitive package which is being used inside it, and it also has a vulnerability, which says it has one high severity. To see more information, with the publicly known exploits and the security advisories, you need Snyk. You can see markdown has one security advisory, which is unique to Snyk and is not publicly available as of now. You can go to Snyk and sign up; you can create a new account with Snyk. This is the sign up page from Snyk. You can see I have signed up for Snyk. And this is the landing page from Snyk. It shows the application token. Basically, we can copy this token from there and enter it in our Dependency Analytics plugin. Enter the Snyk token in our Dependency Analytics plugin and press the button. You can see that as of now we are unregistered, and as soon as our token is ready, it changes to registered. After registering, we will be able to see the exploits also. So this vulnerability has not defined any exploit as of now. We can go forward. We can see the vulnerability with this package, which has a proof of concept which is publicly known. And also in the transitive dependencies, you can see urllib3 with version 1.24.1, which has a high severity with this particular vulnerability. So I will see the security advisories associated with Snyk, which also say that this is a proof of concept which is known. By clicking on this link, we can also go to the Snyk website to get more information about the vulnerability. Here is the detailed information on the Snyk website about the packages which are vulnerable with these new security advisories. That's pretty much all for now.
Yeah, we can also reload this component analysis message, which will also show the exploit information. So now we can see here it has one exploit now. These details you will only see after registering with Snyk. That's pretty much it from my side. Let's go back to the slides.

And the next item. So the user management with Snyk, which is just going to be released next week, is version 0.2.0. In the near term, we are also going to support the Golang ecosystem, and we are also going to work on user metrics with telemetry data, which will help our users with a better experience and also help us improve the experience of the user. In the midterm, we are also going to integrate the CRDA platform with the OpenShift console and with the other IDE extensions. We are also going to support our stack report in the JetBrains IDE extensions. Long term, we are also planning to add other programming languages like HP, and we are also going to support the CRDA platform with the same features. Go to the next slide.

Yeah, so how you can get the CRDA plugin: you can get the CRDA plugin from the VS Code extension marketplace, as well as, as you saw earlier, in the Eclipse view. We are also supporting the component analysis in the JetBrains ecosystem, in the JetBrains marketplace. Here is the link for the CRDA integration with the Snyk Intel Vulnerability database. Yeah, that's it from my side. Thank you.
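The demo above walks through what a dependency analysis plugin does on a manifest: flag pinned versions that fall below a known fix version, summarize how many dependencies are affected, and offer a quick fix that rewrites the pin. The following added example (not CRDA code, and not the Snyk or NVD data feeds) reproduces that workflow for a Python requirements file; the advisory table and the requirements text are constructed sample data, reusing the markdown 2.2.0 to 2.3.9 upgrade shown in the demo.

```python
"""Toy manifest scan and quick fix, mirroring the demo's workflow (constructed data)."""
import re

# Constructed advisory table (not NVD/Snyk data): package -> list of
# (first fixed version, severity). Any pinned version below the fix is vulnerable.
ADVISORIES = {
    "markdown": [("2.3.9", "high")],   # versions from the demo
    "pyyaml": [("5.3.1", "high")],     # constructed sample entry
}

# Constructed requirements.txt content; numpy has no entry in the sample table.
SAMPLE_REQUIREMENTS = """\
markdown==2.2.0
pyyaml==5.2
numpy==1.19.0   # no advisory in the sample table
"""

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)$")


def parse_version(v):
    """'2.3.9' -> (2, 3, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def parse_requirements(text):
    """Return {package: pinned_version}; comments, blanks and unpinned lines are skipped."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = PIN_RE.match(line) if line else None
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def scan(pins):
    """Return (package, pinned, severity, fix_version) for every vulnerable pin."""
    findings = []
    for name, ver in pins.items():
        for fix, severity in ADVISORIES.get(name, []):
            if parse_version(ver) < parse_version(fix):
                findings.append((name, ver, severity, fix))
    return findings


def summary(pins, findings):
    """The demo's overview line: (total dependencies, dependencies with known issues)."""
    return len(pins), len({name for name, *_ in findings})


def quick_fix(text, findings):
    """Rewrite each vulnerable pin to its recommended version, leaving other lines intact."""
    for name, ver, _, fix in findings:
        pattern = re.compile(rf"^({re.escape(name)}==){re.escape(ver)}(?=\s|#|$)", re.M | re.I)
        text = pattern.sub(rf"\g<1>{fix}", text)
    return text
```

Running `scan(parse_requirements(SAMPLE_REQUIREMENTS))` flags markdown and pyyaml; applying `quick_fix` and rescanning the rewritten text yields no findings, which is the state the demo reaches after its quick fix.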