License: Other
AppSec Kit offers seamless security integration into the development of your Vaadin-based applications. It provides comprehensive dependency visibility, earlier remediation of vulnerabilities, and fewer false positives. It lets you visualize details on found vulnerabilities and store your analysis to share with other developers.
Getting started tutorial is available for Vaadin 24.
To properly support V24 the SBOM must include not only Maven dependencies but also NPM dependencies coming from web components.
CycloneDX is currently used to generate the SBOM from the Maven POM using their own Maven plugin, and the suite also provides an NPM plugin. It would be convenient to have all the dependencies in a single SBOM file, and it would be even better if the CycloneDX Maven plugin could be able to scan NPM dependencies. Some research needs to be done:
A V24 demo project should be added to the repositories so it can be used a prototype while testing the above options.
If I'm following the instructions and running the application through my IDE, my application does not start:
org.springframework.context.ApplicationContextException: Failed to start bean 'webServerStartStop'
at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:182)
at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:357)
at java.base/java.lang.Iterable.forEach(Iterable.java:75)
at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:156)
at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:124)
at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:958)
at org.springframework.context.support.AbstractApplicationContext.__refresh(AbstractApplicationContext.java:611)
at org.springframework.context.support.AbstractApplicationContext.jrLockAndRefresh(AbstractApplicationContext.java:41002)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:42008)
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:737)
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:439)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:315)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1309)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1298)
at -----.Application.main(Application.java:37)
Caused by: org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:229)
at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:44)
at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:179)
... 15 common frames omitted
Caused by: org.springframework.boot.web.server.WebServerException: Servlet [springServlet] in web application [] threw load() exception
at org.springframework.boot.web.embedded.tomcat.TomcatEmbeddedContext.load(TomcatEmbeddedContext.java:89)
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:184)
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1708)
at java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:762)
at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:276)
at java.base/java.util.TreeMap$ValueSpliterator.forEachRemaining(TreeMap.java:3250)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:151)
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:174)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:596)
at org.springframework.boot.web.embedded.tomcat.TomcatEmbeddedContext.lambda$deferredLoadOnStartup$0(TomcatEmbeddedContext.java:67)
at org.springframework.boot.web.embedded.tomcat.TomcatEmbeddedContext.doWithThreadContextClassLoader(TomcatEmbeddedContext.java:108)
at org.springframework.boot.web.embedded.tomcat.TomcatEmbeddedContext.deferredLoadOnStartup(TomcatEmbeddedContext.java:66)
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.performDeferredLoadOnStartup(TomcatWebServer.java:305)
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:216)
... 17 common frames omitted
Caused by: jakarta.servlet.ServletException: Servlet.init() for servlet [springServlet] threw exception
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:960)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:808)
at org.springframework.boot.web.embedded.tomcat.TomcatEmbeddedContext.load(TomcatEmbeddedContext.java:84)
... 33 common frames omitted
Caused by: com.vaadin.appsec.backend.AppSecException: Maven SBOM file not found on path /resources/bom.json
at com.vaadin.appsec.backend.AppSecConfiguration.getBomFilePath(AppSecConfiguration.java:124)
at com.vaadin.appsec.backend.AppSecService.init(AppSecService.java:114)
at com.vaadin.appsec.service.AppSecServiceInitListener.serviceInit(AppSecServiceInitListener.java:37)
at com.vaadin.flow.server.VaadinService.lambda$init$0(VaadinService.java:230)
at java.base/java.util.Iterator.forEachRemaining(Iterator.java:133)
at java.base/java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1939)
at java.base/java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:734)
at java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:762)
at com.vaadin.flow.server.VaadinService.lambda$init$1(VaadinService.java:230)
at com.vaadin.flow.server.VaadinService.runWithServiceContext(VaadinService.java:2305)
at com.vaadin.flow.server.VaadinService.init(VaadinService.java:228)
at com.vaadin.flow.spring.SpringVaadinServletService.init(SpringVaadinServletService.java:102)
at com.vaadin.flow.spring.SpringServlet.createServletService(SpringServlet.java:115)
at com.vaadin.flow.server.VaadinServlet.createServletService(VaadinServlet.java:336)
at com.vaadin.flow.server.VaadinServlet.init(VaadinServlet.java:132)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:944)
... 35 common frames omitted
Process finished with exit code 1
I have to run the maven command to run the plugins (for example mvn package).
I'm expecting that my application is running and the AppSec will tell me that I need to generate the files.
At least OpenSourceVulnerabilityClient opens HTTP connections, but no timeout value has been set. Looks like the default timeout is infinite (value is 0). This silently blocks AppSec Kit from functioning when you have no internet connection, or the target is blocked by a firewall.
We need to set a timeout and provide a reasonable error message for the developer..
In #3 the CycloneDX Maven plugin has been identified as a proper tool to generate the SBOM from the application transitive dependency, which is currently used in the demo project.
This approach requires the developer to use the third-party plugin in their own Maven project, or alternative to provide a compatible SBOM in the application resources.
It would be more convenient to include this process as a kit feature, either by:
In both scenarios the CycloneDX API should be used to generate a compatible SBOM.
Once #27 is merged, the new APIs to get/set AppSecData should be used in the V7/V8 modules to bind developer analysis field values to the actual data.
For each vulnerability the developer should be able to write a short analysis from the UI that should be stored on the file-system project directory so that it can be added to version control and shared with other developers.
For convenience of reading/writing, the file could be a JSON object e.g.
{
"vulnerabilities": {
"CVE-XX-YY-ZZ": {
"analysis": "lorem ipsum dolor sit amet",
"updated": "2023-06-07T11:15:00",
"falsePositive": true
}
}
}The API introduced with #51 allows us to notify the developer if they're using an unmaintained Vaadin version. We should do this by:
vaadin-server version from the SBOMAppSecService:: getSupportedFramework7Versions or AppSecService:: getSupportedFramework8VersionsThe kit should generate an SBOM (Software Bill Of Material) that provides a comprehensive view of all the direct and transitive dependencies used in an app. The SBOM is generated during development and updated as the app is developed and dependencies are added or updated.
There should be a way to configure the frequency with which SBOM is generated, trigger it manually, or turn it off completely.
The new frontend module extracted from the prototype branch in #17 needs integration tests for Vaadin 8.
The details view is showing a lot of data horizontally. I don't think it's required to make it usable for a phone but it should be usable on a normal laptop without the horizontal scrollbar.
Appsec-kit attaching additional scanners on every view refresh. Which in turns fills the console log with snan messages.
Expected: Scan runs only once per day or with "Scan now" functionality.
Actual: Scan runs after (almost) every navigation and/or view refresh. Additional scanners are connected and list after each scan becomes longer and longer.
Reproduce with this example:
https://github.com/vaadin/hackathon-24-2/tree/herberts-and-kriss
Example of console log:
023-10-13T14:42:41.094+03:00 INFO 31780 --- [io-60278-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 1 ms 2023-10-13T14:42:41.176+03:00 INFO 31780 --- [io-60278-exec-1] c.vaadin.flow.spring.SpringInstantiator : The number of beans implementing 'I18NProvider' is 0. Cannot use Spring beans for I18N, falling back to the default behavior 2023-10-13T14:42:41.363+03:00 INFO 31780 --- [io-60278-exec-3] c.v.appsec.service.AppSecDevToolsPlugin : Plugin connected 2023-10-13T14:42:46.588+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Scan completed 2023-10-13T14:42:46.700+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Vulnerabilities sent to the client: 3 2023-10-13T14:42:58.146+03:00 INFO 31780 --- [io-60278-exec-1] c.v.appsec.service.AppSecDevToolsPlugin : Plugin connected 2023-10-13T14:43:04.677+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Scan completed 2023-10-13T14:43:04.742+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Vulnerabilities sent to the client: 3 2023-10-13T14:43:04.742+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Scan completed 2023-10-13T14:43:04.805+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Vulnerabilities sent to the client: 3 2023-10-13T14:43:06.494+03:00 INFO 31780 --- [io-60278-exec-3] c.v.appsec.service.AppSecDevToolsPlugin : Plugin connected 2023-10-13T14:43:57.077+03:00 INFO 31780 --- [io-60278-exec-8] c.v.appsec.service.AppSecDevToolsPlugin : Plugin connected 2023-10-13T14:44:11.508+03:00 INFO 31780 --- [io-60278-exec-6] c.v.appsec.service.AppSecDevToolsPlugin : Plugin connected 2023-10-13T14:44:17.965+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Scan completed 2023-10-13T14:44:18.027+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Vulnerabilities sent to the client: 3 2023-10-13T14:44:18.027+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Scan completed 2023-10-13T14:44:18.092+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Vulnerabilities sent to the client: 3 2023-10-13T14:44:18.092+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Scan completed 2023-10-13T14:44:18.156+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Vulnerabilities sent to the client: 3 2023-10-13T14:44:18.156+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Scan completed 2023-10-13T14:44:18.219+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Vulnerabilities sent to the client: 3 2023-10-13T14:44:18.219+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Scan completed 2023-10-13T14:44:18.284+03:00 INFO 31780 --- [pool-2-thread-1] c.v.appsec.service.AppSecDevToolsPlugin : Vulnerabilities sent to the client: 3
During getting the vulnerability analysis there is a call to the GitHub API to get the latest four releases for Vaadin 7 and 8 using this URL: https://api.github.com/repos/vaadin/framework/releases.
To achieve the same for the Vaadin Flow releases the https://api.github.com/repos/vaadin/flow/releases URL should be used to get the latest releases. This needs to be added and handled in the GitHubService.
The OSV API has an endpoint to submit batch queries and get known vulnerabilities for up to 1K dependencies at once. Leveraging this feature would let us create a list of vulnerabilities in a single request, and get details for each of them only when needed (e.g. when scrolling the list in a grid).
A demo application to show the kit capabilities for Hilla would be useful also to test features during development and let users try out the kit.
AppSecKit uses newer version of Jackson than Charts does. Application having both dependencies wont start unless there is exclusion made.
<dependency>
<groupId>com.vaadin</groupId>
<artifactId>vaadin-charts</artifactId>
<version>4.3.1</version>
<exclusions>
<exclusion>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</exclusion>
</exclusions>
</dependency>
The current prototype branch should be refactored into separated modules:
appsec-kit-backend for the shared backend APIappsec-kit-v8 for the Vaadin 8 UI componentsappsec-kit-demo-v8 for the Vaadin 8 demo[appsec-kit 1.0.1 - 1.0.4, vaadin recommended cyclonedx-maven-plugin settings]
First impact here
OpenSourceVulnerability.toString
OpenSourceVulnerability{schemaVersion='1.4.0', id='GHSA-gq5f-xv48-2365', modified=Wed Aug 23 20:04:05 CEST 2023, published=Tue Aug 22 23:30:26 CEST 2023, withdrawn=null, aliases=[CVE-2022-44729], severity=null, affected=[Affected{aPackage=Package{ecosystem='Maven', name='org.apache.xmlgraphics:batik-bridge'}, ranges=[Range{type=ECOSYSTEM, repo='null', events=[Event{additionalProperties={introduced=1.0}}, Event{additionalProperties={fixed=1.17}}]}]}, Affected{aPackage=Package{ecosystem='Maven', name='org.apache.xmlgraphics:batik-svgrasterizer'}, ranges=[Range{type=ECOSYSTEM, repo='null', events=[Event{additionalProperties={introduced=1.0}}, Event{additionalProperties={fixed=1.17}}]}]}, Affected{aPackage=Package{ecosystem='Maven', name='org.apache.xmlgraphics:batik-transcoder'}, ranges=[Range{type=ECOSYSTEM, repo='null', events=[Event{additionalProperties={introduced=1.0}}, Event{additionalProperties={fixed=1.17}}]}]}]}
Once the SBOM (Software Bill Of Materials) is available as app resource, we need to match it against a trusted database of known vulnerabilities in Java packages.
The kit should regularly scan the SBOM (Software Bill Of Material) and check its content against several vulnerability databases to identify known vulnerabilities in the dependencies (whether direct or transitive).
The results are displayed in the UI during development via Vaadin Flow Developer Tools and in the server logs.
While the Vaadin 8 module uses VaadinServiceInitListener to initialize the kit, the Vaadin 7 module doesn't have that interface available and it currently uses HttpSessionListener for the same purpose. This means that the kit is initialized, a scan is run and automatic scans are schedule for every session.
This is not optimal and we must consider a better approach, e.g. providing a custom VaadinService to hook up to initialization.
Proper documentation needs to be added to the V7 and V8 branches in https://github.com/vaadin/docs
It must include:
The new backend module extracted from the prototype branch in #17 needs unit tests.
We currently support two dependency ecosystems in the kit: Maven and NPM. These cover all the application dependencies, but not the environment the application runs in, e.g. Docker images. To add support for other ecosystems besides Maven and NPM, we need:
The AppSec Kit automatically generates the SBOM (currently based on Maven dependency tree). However, in some cases, it would be beneficial to allow AppSec users to manually add a dependency to the SBOM, and scan the vulnerability DBs for this dependency.
One use case for this feature would be a Vaadin 7 or 8 app with a custom addon based on a JS library. Currently, such a library will not be detected by the SBOM generator we are using. With this enhancement, the developer can manually add the JS library to the SBOM, and the AppSec Kit will alert them if a vulnerability is found in this library.
This repository should include a demo application running on Vaadin 7 to show the kit capabilities.
The application might include dependency that bring known vulnerabilities.
If a local appsec-data.json file is present with a last-scan timestamp less than the configured automatic scan period, no initial data on vulnerabilities is fetched and the list of vulnerabilities appears empty.
We can approach this in two ways:
The repository still does not have a README file, one should be added with basic description of the kit and links to the docs.
SEVERE:
java.lang.NullPointerException: Cannot invoke "java.util.List.stream()" because the return value of "com.vaadin.appsec.backend.model.osv.response.OpenSourceVulnerability.getSeverity()" is null
at com.vaadin.appsec.backend.AppSecDTOProvider.findScoreIfHigher(AppSecDTOProvider.java:159)
at com.vaadin.appsec.backend.AppSecDTOProvider.updateVulnerabilityStatistics(AppSecDTOProvider.java:133)
at com.vaadin.appsec.backend.AppSecDTOProvider.lambda$getDependencies$0(AppSecDTOProvider.java:58)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
at com.vaadin.appsec.backend.AppSecDTOProvider.getDependencies(AppSecDTOProvider.java:61)
at com.vaadin.appsec.backend.AppSecDTOProvider.getVulnerabilities(AppSecDTOProvider.java:65)
at com.vaadin.appsec.backend.AppSecService.getVulnerabilities(AppSecService.java:245)
at com.vaadin.appsec.v8.ui.content.VulnerabilitiesTab.refresh(VulnerabilitiesTab.java:154)
at com.vaadin.appsec.v8.ui.content.MainView.lambda$buildLayout$ba8aefab$1(MainView.java:81)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at com.vaadin.event.ListenerMethod.receiveEvent(ListenerMethod.java:699)
at com.vaadin.event.EventRouter.fireEvent(EventRouter.java:392)
at com.vaadin.event.EventRouter.fireEvent(EventRouter.java:356)
at com.vaadin.server.AbstractClientConnector.fireEvent(AbstractClientConnector.java:1185)
at com.vaadin.ui.TabSheet.fireSelectedTabChange(TabSheet.java:912)
at com.vaadin.ui.TabSheet.addTab(TabSheet.java:387)
at com.vaadin.ui.TabSheet.addTab(TabSheet.java:342)
at com.vaadin.ui.TabSheet.addTab(TabSheet.java:318)
at com.vaadin.appsec.v8.ui.content.MainView.buildLayout(MainView.java:88)
at com.vaadin.appsec.v8.ui.content.MainView.<init>(MainView.java:49)
at com.vaadin.appsec.v8.ui.AppSecUI.buildLayout(AppSecUI.java:35)
at com.vaadin.appsec.v8.ui.AppSecUI.init(AppSecUI.java:44)
at com.vaadin.ui.UI.doInit(UI.java:792)
at com.vaadin.server.communication.UIInitHandler.getBrowserDetailsUI(UIInitHandler.java:228)
at com.vaadin.server.communication.UIInitHandler.synchronizedHandleRequest(UIInitHandler.java:86)
at com.vaadin.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:33)
at com.vaadin.server.VaadinService.handleRequest(VaadinService.java:1658)
at com.vaadin.server.VaadinServlet.service(VaadinServlet.java:457)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617)
at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:226)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:590)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1607)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1297)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1577)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1212)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:500)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)
at java.base/java.lang.Thread.run(Thread.java:833)
In the vulnerability details we show the affected dependency without the version number: we should show both the current (vulnerable) version and the version where the vulnerability has been fixed (if available).
This repository should include a demo application running on Vaadin 8 to show the kit capabilities.
The application might include dependency that bring known vulnerabilities.
If a project is running with Spring security, all the Vaadin views are secured by default.
So we can't access to the view.
Adding the annotation @AnonymousAllowed to the view will allow to use it.
The V24 module is still missing license-checking, we should add that similarly as in V7 and V8 modules i.e. with a service-init listener.
The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of the severity of a known vulnerability.
The National Vulnerability Database provides a Common Vulnerability Scoring System Calculator to calculate the score from a CVSS vector string.
Including this feature in AppSec Kit would simplify the developer to understand the risk of each vulnerability.
There are already existing project providing a Java implementation of the CVSS, e.g. https://github.com/stevespringett/cvss-calculator
We get a lot of data from external sources, such as the generated SBOM, the OSV database, Flow releases and Security Team analysis. We need to extend our current test coverage to ensure those value are handled safely, e.g. to avoid NPE or parsing errors.
Demo applications will help during development and for users to try out the kit. Since the kit is targeted first to Vaadin 7 and 8 applications, we should start with demos for both.
The UI needs to be notified when a new scan has completed and it needs to refresh the results. The AppSecService should provide an event API for the UI components to subscribe to and be notified of changes.
The API could follow the same conventions as components event-listeners, e.g.
appsecService.addVulnerabilityScanListener(event -> {
if (event.newVulnerabilities().size() > 0) {
grid.refresh(); // simplified example
}
});2023-10-04T14:17:20.830+02:00 INFO 85808 --- [nio-8080-exec-7] c.v.a.v24.service.AppSecDevToolsPlugin : Plugin connected
2023-10-04T14:17:23.068+02:00 ERROR 85808 --- [nio-8080-exec-9] c.v.flow.router.InternalServerError : There was an exception while trying to navigate to 'vaadin-appsec-kit'
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'com.vaadin.appsec.v24.views.AppSecView': Failed to instantiate [com.vaadin.appsec.v24.views.AppSecView]: Constructor threw exception
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:321) ~[spring-beans-6.0.12.jar:6.0.12]
at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:189) ~[spring-beans-6.0.12.jar:6.0.12]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1352) ~[spring-beans-6.0.12.jar:6.0.12]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1195) ~[spring-beans-6.0.12.jar:6.0.12]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:560) ~[spring-beans-6.0.12.jar:6.0.12]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:520) ~[spring-beans-6.0.12.jar:6.0.12]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:320) ~[spring-beans-6.0.12.jar:6.0.12]
at com.vaadin.flow.spring.SpringInstantiator.getOrCreate(SpringInstantiator.java:126) ~[vaadin-spring-24.2.0.beta2.jar:na]
at com.vaadin.flow.di.Instantiator.createRouteTarget(Instantiator.java:136) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.router.internal.AbstractNavigationStateRenderer.lambda$getRouteTarget$1(AbstractNavigationStateRenderer.java:132) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at java.base/java.util.Optional.orElseGet(Optional.java:364) ~[na:na]
at com.vaadin.flow.router.internal.AbstractNavigationStateRenderer.getRouteTarget(AbstractNavigationStateRenderer.java:131) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.router.internal.AbstractNavigationStateRenderer.sendBeforeEnterEventAndPopulateChain(AbstractNavigationStateRenderer.java:480) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.router.internal.AbstractNavigationStateRenderer.createChainIfEmptyAndExecuteBeforeEnterNavigation(AbstractNavigationStateRenderer.java:461) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.router.internal.AbstractNavigationStateRenderer.handle(AbstractNavigationStateRenderer.java:211) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.component.internal.JavaScriptNavigationStateRenderer.handle(JavaScriptNavigationStateRenderer.java:78) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.component.UI.handleNavigation(UI.java:1834) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.component.UI.renderViewForRoute(UI.java:1797) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.component.UI.connectClient(UI.java:1710) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[na:na]
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
at java.base/java.lang.reflect.Method.invoke(Method.java:568) ~[na:na]
at com.vaadin.flow.server.communication.rpc.PublishedServerEventHandlerRpcHandler.invokeMethod(PublishedServerEventHandlerRpcHandler.java:227) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.server.communication.rpc.PublishedServerEventHandlerRpcHandler.invokeMethod(PublishedServerEventHandlerRpcHandler.java:204) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.server.communication.rpc.PublishedServerEventHandlerRpcHandler.invokeMethod(PublishedServerEventHandlerRpcHandler.java:150) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.server.communication.rpc.PublishedServerEventHandlerRpcHandler.handleNode(PublishedServerEventHandlerRpcHandler.java:133) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.server.communication.rpc.AbstractRpcInvocationHandler.handle(AbstractRpcInvocationHandler.java:74) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.server.communication.ServerRpcHandler.handleInvocationData(ServerRpcHandler.java:459) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.server.communication.ServerRpcHandler.lambda$handleInvocations$2(ServerRpcHandler.java:440) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511) ~[na:na]
at com.vaadin.flow.server.communication.ServerRpcHandler.handleInvocations(ServerRpcHandler.java:440) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.server.communication.ServerRpcHandler.handleRpc(ServerRpcHandler.java:323) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.server.communication.UidlRequestHandler.synchronizedHandleRequest(UidlRequestHandler.java:114) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:40) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.server.VaadinService.handleRequest(VaadinService.java:1522) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.server.VaadinServlet.service(VaadinServlet.java:398) ~[flow-server-24.2.0.beta2.jar:24.2.0.beta2]
at com.vaadin.flow.spring.SpringServlet.service(SpringServlet.java:106) ~[vaadin-spring-24.2.0.beta2.jar:na]
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658) ~[tomcat-embed-core-10.1.13.jar:6.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:642) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:408) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:313) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:277) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.springframework.web.servlet.mvc.ServletForwardingController.handleRequestInternal(ServletForwardingController.java:141) ~[spring-webmvc-6.0.12.jar:6.0.12]
at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:178) ~[spring-webmvc-6.0.12.jar:6.0.12]
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:51) ~[spring-webmvc-6.0.12.jar:6.0.12]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1081) ~[spring-webmvc-6.0.12.jar:6.0.12]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:974) ~[spring-webmvc-6.0.12.jar:6.0.12]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1011) ~[spring-webmvc-6.0.12.jar:6.0.12]
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:914) ~[spring-webmvc-6.0.12.jar:6.0.12]
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:590) ~[tomcat-embed-core-10.1.13.jar:6.0]
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:885) ~[spring-webmvc-6.0.12.jar:6.0.12]
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658) ~[tomcat-embed-core-10.1.13.jar:6.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) ~[tomcat-embed-websocket-10.1.13.jar:10.1.13]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.0.12.jar:6.0.12]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.12.jar:6.0.12]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.0.12.jar:6.0.12]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.12.jar:6.0.12]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.0.12.jar:6.0.12]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.12.jar:6.0.12]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:894) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1740) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.13.jar:10.1.13]
at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.vaadin.appsec.v24.views.AppSecView]: Constructor threw exception
at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:224) ~[spring-beans-6.0.12.jar:6.0.12]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:110) ~[spring-beans-6.0.12.jar:6.0.12]
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:318) ~[spring-beans-6.0.12.jar:6.0.12]
... 87 common frames omitted
Caused by: java.lang.NullPointerException: Cannot invoke "java.util.List.contains(Object)" because the return value of "com.vaadin.appsec.backend.model.osv.response.Affected.getVersions()" is null
at com.vaadin.appsec.backend.AppSecDTOProvider.getVulnerabilities(AppSecDTOProvider.java:125) ~[appsec-kit-backend-1.1.0.beta1.jar:na]
at com.vaadin.appsec.backend.AppSecService.getVulnerabilities(AppSecService.java:291) ~[appsec-kit-backend-1.1.0.beta1.jar:na]
at com.vaadin.appsec.v24.views.VulnerabilitiesTab.refresh(VulnerabilitiesTab.java:110) ~[appsec-kit-v24-1.1.0.beta1.jar:na]
at com.vaadin.appsec.v24.views.AppSecView.refresh(AppSecView.java:124) ~[appsec-kit-v24-1.1.0.beta1.jar:na]
at com.vaadin.appsec.v24.views.AppSecView.<init>(AppSecView.java:62) ~[appsec-kit-v24-1.1.0.beta1.jar:na]
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:na]
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77) ~[na:na]
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:na]
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499) ~[na:na]
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480) ~[na:na]
at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:198) ~[spring-beans-6.0.12.jar:6.0.12]
... 89 common frames omitted
A key feature of AppSec Kit is to provide an assessment for each vulnerability coming from a Vaadin dependency. The assessment should be available on its own repository maintained by the Vaadin Security Team.
The assessment is based on the assumption that vulnerabilities in transitive dependencies might not pose a real risk to the application by the way the Vaadin code uses that dependency.
Data is then provided as a dictionary with the Vaadin dependency names as keys and for each of them a dictionary of vulnerabilities in their transitive dependencies.
Each entry contains the details of the transitive dependency affected by the vulnerability and a dictionary of assessments, one for each Vaadin dependency version (or version range): this let to handle cases where the vulnerability was a true-positive in a previous versione and then a false-positive in a newer one.
The assessment should be provided as a JSON file with this proposed structure:
{
"dependencies": {
"com.vaadin:example": { // The Vaadin dependency that brings the vulnerability
"vulnerabilities": {
"CVE-123-XYZ": {
"dependency": { // The transitive dependency with the vulnerability
"name": "org.acme:foobar",
"affectedVersions": "[3.2.0,3.2.3)"
},
"assessments": { // Assessment for each Vaadin dependency version with the vulnerability
"[1.2.3,1.3.0)": { // Assessment for this version range of the Vaadin dependency
"status": "TRUE_POSITIVE",
"comment": "The risk is true"
},
"1.3.0": { // Assessment for this version of the Vaadin dependency
"status": "FALSE_POSITIVE",
"comment": "Vulnerability still there, but we fixed it in our API"
}
},
"fixedIn": "1.4.0", // Vaadin dependency version without the vulnerability
"updated": "2023-06-20 12:00:00" // Timestamp of the last update to this entry
}
}
}
},
"checksum": "XYZ" // Checksum to validate the content of the "dependencies" property
}Additional fields might be used if needed.
There are existing open-source tools that help generating an SBOM (Software Bill Of Materials), i.e. a comprehensive view of all the direct and transitive dependencies used in an app.
We need to identify a suitable candidate among these tool that fulfills our requirements:
In V7/8 the uses its own UIProvider to inject its views into an existing application. To support V24, we need to find other means since there's no UIProvider. Since the kit is accessible only in development mode, the devtool gizmo could be used to show some information, but the kit needs also proper views with multiple components (e.g. grids, fields, etc.).
To do so, @tarekoraby suggested to adopt the same approach the Theme Editor uses for its view builder: let's discuss how a similar approach can be used for AppSec Kit.
A background job is needed to check the SBOM (Software Bill Of Materials) for known vulnerabilities.
To match dependencies against vulnerabilities during runtime, the SBOM (Software Bill Of Materials) needs to be available as app resource.
Every time a scan is performed, the updated list of vulnerabilities can:
The UI should notify the developer of new vulnerabilities, as well as unhandled ones (i.e. without existing developer analysis).
Upon each successful scan, the kit should check the list of vulnerabilities and fire an event if there are some without an existing developer analysis.
Allow users to export the SBOM, vulnerability data, Vaadin analysis, and their own investigation results (e.g., to a CSV file).
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.