
snyk-net-code-review-exercise's Introduction

.NET npm dependency server

A web server that provides a basic HTTP API for querying the dependency tree of an npm package.

Prerequisites

Getting Started

To install dependencies and start the server in development mode:

cd Snyk.Exercise.WebApi
dotnet watch run

The server will now be running on an available port (defaulting to 5001 for HTTPS, 5000 for HTTP) and will restart on changes to the src files.

Then we can try the /package endpoint. Here is an example that uses curl and jq, but feel free to use any client.

curl -s https://localhost:5001/package/react/16.13.0 | jq .

Most of the code is boilerplate; the logic for the /package endpoint can be found in Controllers/PackageController.cs, and some basic tests in PackageControllerTest.cs.

You can run the tests with:

dotnet test

# Or in watch mode
cd Snyk.Exercise.WebApi.Test
dotnet watch test

snyk-net-code-review-exercise's People

Contributors

bastiandoetsch, michelkaporin

snyk-net-code-review-exercise's Issues

Support returning the full dependency tree for packages

The problem

Extend our existing dependencies web service to provide a full list of all transitive dependencies for a given package.

Background

Developers working with NodeJS use packages in their code. A package is a functional NodeJS module that includes versioning, documentation, dependencies (in the form of other packages), and more. NodeJS has a managed package ecosystem called npm, which is regularly updated with new packages and new versions of existing packages.

Snyk scans NodeJS packages to identify vulnerabilities and assist developers in remediating them before their code is merged back into the project.

To identify vulnerabilities in a given package, Snyk goes through the following steps:

  1. The user provides the name of the package for analysis.
  2. We fetch the overall set of dependencies from the relevant package manager, for the given package.
  3. We compare the set of dependencies that we retrieve with our database of vulnerable packages in order to identify whether any of the dependencies are vulnerable.
  4. For any package that we identify as vulnerable, we then list all available remediation paths (upgrades and/or patches for vulnerable packages) for the user.
  5. The user chooses their preferred remediation actions from the list, and we apply them by creating a PR for the relevant repository.

Details

The existing dependencies service covers steps 1 and 2 for a package that is already published on npmjs.com, but it currently returns only the top level of immediate dependencies.

The web server should return the full package dependency tree for a given package name (user input), which could later be used for step 3 above.

Considerations

  • There are currently over 1M packages on npmjs.com, and the number is growing all the time.
  • Packages are updated from time to time, and so are their dependencies.
  • There are many different packages, with different edge cases. Some packages to look out for are:
    • express
    • npm
    • trucolor
    • @snyk/snyk-docker-plugin
  • A user may provide invalid input (e.g. a non-existent package), which will crash the web server if there is no error handling in place.

Design and Implementation Details

  1. Extend the working web-server that, given an HTTP request containing the name of a published npm package and version, returns the entire set of dependencies for the package.
  2. Present the dependencies in a tree view (e.g. JSON).
  3. Account for asynchronous fetching of dependencies as you see fit.
  4. Consider caching relevant data so that repeated requests resolve with minimum latency.
  5. Code should be reasonably easy to read and understand.
  6. Ensure there are tests of any kind (integration, unit etc.) that cover core functionality.
  7. Consider how to handle errors.
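An added example, not code from the exercise repository, of the resolver the Considerations and the Design list above call for: it walks the transitive graph asynchronously, memoises sub-trees so repeated requests and shared dependencies are fetched once, stops on a cycle instead of recursing forever, parses scoped names such as @snyk/snyk-docker-plugin, and turns an unknown package into a typed exception the controller can map to a 404 rather than a crash. The registry is a constructed in-memory stub standing in for the npmjs.com fetch, and the names PackageNode, DependencyResolver and PackageNotFoundException are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using System.Threading.Tasks;

// A resolved package; Cyclic marks an edge back to a package still being resolved on this path.
public record PackageNode(string Name, string Version, IReadOnlyList<PackageNode> Dependencies, bool Cyclic = false);

public class PackageNotFoundException : Exception
{ public PackageNotFoundException(string key) : base($"package {key} not found") { } }

public class DependencyResolver
{
    // Constructed stub registry: "name@version" -> (dependency name -> exact version). Real npm
    // metadata carries semver ranges that must first be resolved to one concrete version.
    private readonly IReadOnlyDictionary<string, Dictionary<string, string>> _registry;
    // Memoised sub-trees: shared dependencies and repeated requests are fetched only once.
    private readonly ConcurrentDictionary<string, PackageNode> _cache = new();
    public DependencyResolver(IReadOnlyDictionary<string, Dictionary<string, string>> registry)
        => _registry = registry;
    public Task<PackageNode> ResolveAsync(string name, string version)
        => ResolveAsync($"{name}@{version}", new HashSet<string>());

    private async Task<PackageNode> ResolveAsync(string key, HashSet<string> path)
    {
        if (_cache.TryGetValue(key, out var done)) return done;
        if (!_registry.TryGetValue(key, out var deps))
            throw new PackageNotFoundException(key);   // the controller maps this to 404, not a crash
        // Split on the last '@' so scoped names such as @snyk/pkg@1.2.3 parse correctly.
        int at = key.LastIndexOf('@');
        var (name, version) = (key[..at], key[(at + 1)..]);
        if (path.Contains(key))                        // already an ancestor: cycle, stop here
            return new PackageNode(name, version, Array.Empty<PackageNode>(), Cyclic: true);
        // Each level copies the path so concurrently resolved siblings cannot mistake each other
        // for ancestors; Task.WhenAll resolves all direct dependencies concurrently.
        var childPath = new HashSet<string>(path) { key };
        var children = await Task.WhenAll(deps.Select(d => ResolveAsync($"{d.Key}@{d.Value}", childPath)));
        return _cache[key] = new PackageNode(name, version, children);
    }

    public static async Task Main()
    {
        // Constructed registry with a shared sub-tree (c) and a cycle (a -> b -> a).
        var registry = new Dictionary<string, Dictionary<string, string>> {
            ["a@1.0.0"] = new() { ["b"] = "2.0.0", ["c"] = "1.0.0" },
            ["b@2.0.0"] = new() { ["a"] = "1.0.0", ["c"] = "1.0.0" }, ["c@1.0.0"] = new() };
        var tree = await new DependencyResolver(registry).ResolveAsync("a", "1.0.0");
        Console.WriteLine(JsonSerializer.Serialize(tree));   // the JSON tree view the Issue asks for
    }
}
```

In a real controller the in-memory stub would be replaced by an HttpClient call to the registry, and PackageNotFoundException caught and returned as NotFound() so that invalid input never takes the server down.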
