Hello, I'm Sam, give me a minute. I'm a principal software engineer with the developer engineering group of Red Hat. I develop and design microservices applications, and throughout my life I've been a developer. So, yeah, good to be here, and I'm really glad that you turned up for the presentation. So let's start with our presentation on our development platform, which provides you AI-based application insights. A quick show of hands: how many of you choose dependencies for your applications? Okay, I think we need a refresher. So, let's start with what dependencies are. Dependencies are known in different ecosystems as modules, packages, or libraries. They are reusable code that developers include in their applications. So, it is these libraries or dependencies that build an application. From these dependencies, developers use functionalities and build their own applications, so they don't rewrite already existing code. But the problem here is that this code is written, or these libraries are developed, by someone else whom you don't know, whose, I don't know if credibility is the right word. But we don't know what we're including. And there is no tool. It's only based on experience and sometimes based on guidance from someone you know. You include dependencies and you start building your applications. So, that's how we do it at this moment. And in our team, when we looked at this area and this domain, we found that this is a big void that we can fill in. So, how we started is that we tried to figure out what makes a good dependency. Even for that, developers can't choose at this moment. This is, again, worsened by the fact that you have this many new packages and new package versions everywhere. You see this exponential growth. That's npm. Every day, I think, Jay, it's like 1,000 packages per day. And you have that many choices per day to choose from. So, that's insane. And we thought of filling in that void.
And when we started with this problem, we figured out that there can be three basic parameters based on which we can decide whether or not we can include dependencies. The first one is security vulnerability. If we need to check, basically, whether this dependency is vulnerable or not, that can be a very good criterion to choose a dependency or not to choose a dependency. Number two can be license. License is tricky. For developers, it does not mean a thing at times. But if the dependencies that you are including have conflicting licenses, say, for example, there can be licenses which are permissive, like MIT or Apache, or there can be licenses that are more restrictive, like GPL, which has its own restrictions. So normally what happens when you go and start publishing your application is that there is a conflict. You can't come up with one license for your own application because you have conflicting licenses for your dependencies. Then comes the third part, which is popularity and maintainability. Everyone likes to include libraries or dependencies which are well maintained. So that's a very good criterion, we thought. Over to you, Jay. Thanks, Sam. So basically, whatever we have seen now are more like the risks involved when you are selecting a dependency for your application stack. Because, again, these are written by someone else, but we are trusting them more than our own. But more importantly, there's one more piece, the completeness of an application stack. Whenever you choose to go with a dependency, the first thing you look for is: is it doing what it's supposed to do? That's like, what value is it going to add to your application stack? That is one of the policies we take care of. So as Sam said, we want this space to get some help.
And what we are doing as an analytics platform is enabling developers to choose from a wide range of open source dependencies or components out there, so that they can build software with great confidence, reduce the associated risk, and improve the productivity level. So let's move to the demo so that we can demonstrate the capability of this platform and how easily it can help you to assess or validate your dependencies. One way is you can go through the dependencies in your application stack and try to look into the different parameters and see, okay, it satisfies all of those parameters we talked about. It doesn't have any security issues. It doesn't conflict on licenses. And it is doing what it's intended to do. So for this demonstration purpose, we are using VS Code. VS Code, as all of you know, I think is one of the popular IDEs these days; I think many of us will be using it over here. And it's a home for developers. How many of us are using VS Code here? Okay, good. During the course of this demonstration, I think you can go along with us and try to do what we are doing. And we expect that you will get a report of your application towards the end of the presentation. I highly recommend you doing that. Let's see. So, again, VS Code is one of our integrations. So let me keep going ahead. So we are already in the marketplace now. You can go to the VS Code marketplace and just search for "dependencies". Obviously, it will show up over there. So the whole purpose of this exercise is to help you guys understand the great ease with which we are able to provide all the solutions to the developers without much effort. So once you see it, since it's part of the README, it's going to be a detailed readme where we talk about all the features we support and what ecosystems we are supporting. So currently, we are supporting Maven and npm as the ecosystems.
And obviously, if you are using Maven, you need to have Maven and npm in your system path. And if you guys don't have VS Code, it will be easy to install that as well. You can take a look. No, we are not recommending you do that. Just in case you'd like to try this out, this is a very good option to test your application through our platform. So to install, it's pretty simple. Just click on install, and you are in VS Code, and it will ask you to install. Just follow the steps. Reload. It's pretty simple to set it up. And we are all good. So if you have installed the extension, it will show up in the extensions pane as well. You can take a look. I think we are all good with the setup. Now you can open any of your projects of your choice on npm or Maven, and you can try along with us. So currently, I have opened one of the projects over here, just to demonstrate. So if you see over here, we have some of the dependencies listed over here. So in total, we have five dependencies. Again, we want to perform this exercise to validate how good these dependencies are for the application. So as you can see, the moment package.json is opened (package.json is nothing but a manifest file where all the dependency information resides for the Node ecosystem), if you can see over here, there are some red markers, flagged for bootstrap and moment. So this is trying to show that these dependencies have security issues associated, along with the CVE IDs. And we also provide a notification like "scan of five runtime dependencies flagged two potential security vulnerabilities", along with the quick fixes. So you would have noticed, right? I mean, apart from setting up the extension, we did nothing much, and we are getting all this information without any action associated, just by opening the manifest file. So it happens as and when you type it. Yeah, so I especially like this part, because here is where you open your manifest file.
As a developer, you're adding your dependency and you get the information about any vulnerability right there. So it's very important information for a developer, whether or not he or she is including something that should not be included. Yeah, and this information is shown in Problems as well. So now let me quickly brief you about all the dependencies we are using and what they do. So if you would have seen, ansi-styles is used to style strings basically. Then we have escape-string-regexp, which tries to escape special characters. Then we have supports-color, which tries to tell the user whether this particular terminal supports colors or not. Then we have bootstrap, which is popularly and widely used for styling and UI-based components. And we have moment as well. So moment helps us to parse, validate, manipulate and display dates in the desired format. So this was about the security issue. Now let us quickly try to run the analysis on our whole application and see what other information or values we are getting from this particular extension and how it makes the life of a developer easier. So you can just trigger it, and in the footer you can see we are trying to resolve the dependencies, and we will be taking some actions based on that. So usually what happens? We get to know about these problems late in the development life cycle. Probably, I mean, we filed the PR, it got merged in master, then we realized the licenses didn't go well, or this particular dependency has a security issue, which may be introduced later, not at that time. But we are providing all this flexibility and these features much earlier, when the developer is coding, basically. So that is the easiest place to take any action associated. So if you can see over here, we have a detailed stack report being displayed which provides information about many aspects, all that Sam covered earlier, like security, licenses, insights, and dependency details.
So in the first card we are talking about security issues. Currently you can see we have two dependencies which have security issues, and we saw this in package.json as well. So what extra are we offering here? We are trying to update you along with the CVE IDs associated and the score. The score is nothing but a rating from one to ten of how critical the issue is. So no matter which color it shows up in, I think we should be taking action. So these are all reported security vulnerabilities. They have a number associated and they have a score associated. The score determines the severity, how severe that vulnerability is. That's very, this is quite intuitive to understand the severity of the vulnerability that you are adding. If you notice over here, we are not just telling you that moment 2.0.0 had the security issue. We are also providing the recommended version, which will be free of any CVE. And we have other information such as the current version and GitHub stats. All these are like popularity metrics from GitHub which can help you take an informed decision about what number of contributors you have. So next we are talking about licenses. So if you can see, based on the dependencies I have used in this particular stack, we are able to suggest MIT as a license. So we are good in this particular scenario, but that won't be the case always. Sometimes we will have dependencies which don't go along with each other. In that case we will be showing you the licenses which are conflicting, along with the dependencies where they are conflicting. So your stack doesn't have any conflicting license, like restrictive versus permissive. So next we will be talking about insights. So this is more about the completeness of the application stack. So based on the dependencies, whatever is being used over here, we will try to provide you AI-based insights on those dependencies, and we can see how good or bad those insights are.
So initially I told you that we have ansi-styles as one of our dependencies, which is used for styling strings. So if you can see, for each of the dependencies we have a confidence score associated. Like in the case of chalk it goes pretty high, 85%. So this particular level of detail shows how well we understand your application, and based on our training we have different types of applications that are available upstream. We try to understand and we try to suggest some dependencies for you which can go along with your own set of dependencies. So yeah, and this confidence, this is the confidence of the system that this must go or this should go with your dependency, because we have seen it in other cases. Yeah, as you can see here, we are giving insights for chalk along with the version, like 2.4.2, and chalk is again used for providing colors to strings and all of those things. It does much more than what ansi-styles does usually. And we provide other metrics along with that as well, so that you can take your decision based on all this information. And again, when we say we support like Node and Maven, by no means, I mean, you might not like it. So there is always an option to provide feedback. We have a thumbs up and thumbs down option. It is continuous learning for our ML model, so any feedback that you provide will be used for retraining the model and giving better recommendations next time. Yeah, if you can see, for other dependencies the confidence score is not that great. So as Sam said, this feedback helps us to learn and evolve. Let's quickly move to the last section, that is dependency details. So in this we are trying to analyze all the dependencies in the application. So currently, if you notice, there are five dependencies, and in this section we are showing that total dependencies were five and total dependencies analyzed were five again. So it is like we are able to analyze all the dependencies, whatever was in the application stack.
But that may not be the case always, because as earlier it was shown, the total number of dependencies being added in any ecosystem is like huge. In the case of npm it goes like 800 to 1,000 downloads plus updates in a day. So there would be a chance that our platform may not be aware of some dependencies, but we have a pipeline in place: whenever we encounter any unknown dependency we try to ingest it, so that next time if you try to analyze those things it will be taken into consideration. And this is the popularity and maintainability card, where you get to know a lot of things about these dependencies. We have information about the stargazers count, and also, yeah, you can see here the dependent repos, meaning how many people are using this, and stargazers, and how many contributors are contributing to this, so it gives you enough information about what you are using. Yeah, so that was about the report and all the information we got. It's too much to digest, but it's not just to see. I mean, we need to take some actions associated over here. Like, I'll start with the first one. In the case of security issues we saw two dependencies and we were suggested the version which will be CVE-free. So quickly let me go back and make the changes in the package.json. So we'll update moment and bootstrap, both of them, to 4.2.1 and 2.22.2. So these were the versions provided in the recommendation. So if you would have noticed, all the red markers have gone. So these dependencies don't have any security issue associated. Now if you try to run a stack analysis again on this particular stack, you would notice that the number of security issues is zero, and nothing changed in any of those other cards. So this tells that your application stack is vulnerability-free at this moment. So the same applies to the insights as well. You can try adding chalk to your application stack, rerun the analysis, and see what's changing in the insights.
And at the end I would like to say that we launched this extension like three months back. And this is the first time we are talking about it at a conference, and the number of installs and downloads, as you can see, is 5,000 unique installs so far. So we'll request you guys to give it a try, provide feedback, and these are the current use cases basically, whatever we just saw in the stack report. Yeah, so I don't think we have to repeat all these things, because we have already seen how security vulnerabilities are shown and we showed recommended fixes, and about popularity and maintenance, then we showed licenses, and then we also gave insights about the dependencies that can be added to your application stack. Yeah, so just to add one point over here, currently you get this information from various sources, but there is no single place where you get all this information at once. So this is the unique report at this moment that we have in the market that gives you this entire landscape of your application, and we believe this is going to be really helpful for developers going forward. And let's now talk about the platform, how we are seeing it going forward. So I see Python developers or Go developers perhaps here who might be feeling left alone, so we're adding support for Python and Go very soon. And then come transitive dependencies. That's an entirely different area where you don't know what you're adding: you know about your direct dependencies, but you don't know what other dependencies there are, and we are trying to figure out the CVEs associated with transitive dependencies.
We are going to show the mapping between your direct dependency and a transitive dependency that might be lying five layers down, which might have a CVE and which can affect your application, so we are planning to do that. And then we are also looking at, exploring, container application scanning. In the market at this moment we have tools that can scan your operating system, so we are looking for vulnerabilities there but not at the application level, so we will be exploring that part. And then we have a very interesting use case where we try to figure out any potential security vulnerability in the code. At this moment we are actually relying on the reported vulnerabilities; here we are planning to figure them out through AI models. And the fifth one is OCP, OpenShift Container Platform: for the service upgrades there, we are predicting any service failures that can happen. So many of these things are experimental, but this is the roadmap that we have. And so we are available on GitHub, we are open source, we are fabric8-analytics, this is the org, and we have a public channel. Contact us at chat.openshift.io; that's where you can go and you can find us in the public channel, fabric8-analytics I think. And thank you very much again for attending, and we are open for questions and answers. Yeah, thank you folks, thank you.
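The manifest scan the talk demonstrates, written out as an added example that is not the extension's or the fabric8-analytics project's own code: it reads a package.json, flags dependencies declared below a fixed version with a 1-10 score and a recommended CVE-free version, and suggests a single stack license or lists the restrictive dependencies that conflict. The advisory and license tables are constructed sample data (version numbers taken from the talk, CVE ids are placeholders, and example-gpl-lib is invented to exercise the conflict path).

```javascript
// Added example, not the extension's own code: a minimal manifest scan of the
// kind the talk demonstrates on package.json. The advisory and license tables
// are constructed sample data and the CVE ids are placeholders.
const ADVISORIES = [
  { name: 'moment', fixedIn: '2.22.2', id: 'CVE-0000-0001 (placeholder)', score: 7 },
  { name: 'bootstrap', fixedIn: '4.2.1', id: 'CVE-0000-0002 (placeholder)', score: 6 },
];
const LICENSES = { 'ansi-styles': 'MIT', 'escape-string-regexp': 'MIT', 'supports-color': 'MIT',
  bootstrap: 'MIT', moment: 'MIT', 'example-gpl-lib': 'GPL-3.0-only' }; // last one is invented
const RESTRICTIVE = new Set(['GPL-2.0-only', 'GPL-3.0-only', 'AGPL-3.0-only']);

// A range like "^4.0.0" is read as its declared minimum; anything unparsable
// becomes 0.0.0, so the scan errs on the side of flagging.
function parseVersion(v) {
  return v.replace(/^[^\d]+/, '').split('.').map((p) => parseInt(p, 10) || 0);
}
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// One finding per dependency declared below its fixed version, carrying the
// id, 1-10 score and recommended CVE-free version the security card shows.
function securityFindings(deps) {
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    for (const adv of ADVISORIES) {
      if (adv.name === name && compareVersions(parseVersion(range), parseVersion(adv.fixedIn)) < 0) {
        findings.push({ name, declared: range, id: adv.id, score: adv.score, recommended: adv.fixedIn });
      }
    }
  }
  return findings;
}

// Suggests one stack license when every dependency is permissive and agrees;
// otherwise returns the restrictive dependencies that conflict with the rest.
function licenseSummary(deps) {
  const entries = Object.keys(deps).map((n) => ({ name: n, license: LICENSES[n] || 'UNKNOWN' }));
  const conflicts = entries.filter((e) => RESTRICTIVE.has(e.license));
  const distinct = new Set(entries.map((e) => e.license));
  return { suggested: conflicts.length === 0 && distinct.size === 1 ? [...distinct][0] : null, conflicts };
}
function scanManifest(manifestText) {
  const deps = JSON.parse(manifestText).dependencies || {};
  return { total: Object.keys(deps).length, security: securityFindings(deps), license: licenseSummary(deps) };
}

// Constructed manifest with the five dependencies opened in the demo.
const SAMPLE_MANIFEST = JSON.stringify({ dependencies: { 'ansi-styles': '^3.2.1',
  'escape-string-regexp': '^1.0.5', 'supports-color': '^5.5.0', bootstrap: '^4.0.0', moment: '2.0.0' } });
```

Running `scanManifest(SAMPLE_MANIFEST)` reproduces the demo's before state (five dependencies, two findings, MIT suggested); bumping moment to 2.22.2 and bootstrap to 4.2.1 yields zero findings, as the talk's re-run of the stack analysis did.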