AL icon indicating copy to clipboard operation
AL copied to clipboard

Published 20 hours ago verified publisher icon microsoft

VSC doesn't protect add-on IP

Open jpagessummar opened this issue 6 years ago • 7 comments

Describe the bug We've been able to see that in an on-premise installation with add-ons, after symbols have been generated, you can access to add-ons source code from VSC throught Microsoft_Application_13.0.25924.0.app. Tested with customer license without developer permissions.

To Reproduce

  1. From an installation with add-ons, generate symbols.
  2. Run VSC and point to the appropiate server.
  3. Download symbols.
  4. Develop some code that calls to a function into add-on.
  5. Right-click on function name and click in Go to definition.
  6. The source code of the add-on will appear.

Expected behavior We expect that our source code is not visible to third.

Screenshots image image image

Versions:

  • AL Langauge: 2.1.79379
  • Business Central: 13.0.25924.0.

jpagessummar avatar Jan 25 '19 12:01 jpagessummar

Have you modified the base app for teh add-on? Or have you created an extension for the add-on? If you have created an extension have you set ShowMyCode to false?

kalberes avatar Jan 26 '19 14:01 kalberes

We have created thousands of new objects on the base app in the add-on range. The base app doesn't have any object modified. In fact, we have duplicated some base objects, like Users or Report Selection, to add some functionality. And no, we have not created an extension yet. Thanks!

jpagessummar avatar Jan 26 '19 14:01 jpagessummar

Hi Would you so kind to tell us something about this? Thanks!

jpagessummar avatar Apr 05 '19 09:04 jpagessummar

This is by design. Anything in Microsoft_Application.app is opened. How different is your onprem scenario from working and debugging with C/SIDE? For IP protection you can use run-time packages for extensions, or extensions with showmycode false. https://docs.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-creating-runtime-packages https://docs.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-security-settings-and-ip-protection

kalberes avatar Apr 09 '19 16:04 kalberes

Thanks Kálmán for your response. With the debugger I can view the code that is executing but I cannot download all the objects in the add-on. From C/SIDE I cannot view nor modify the objects in the add-on without partner license. Can you so kind to tell us if we can create an extension for on-premise installations of our add-on wich have thousands of objects? If not, IMHO when symbols are generated, the server should check the customer license permissions and not include restricted objects in Microsoft_Application.app Thanks

jpagessummar avatar Apr 10 '19 11:04 jpagessummar

IMO you should be able to create an extension with thousands of objects. We do that with teh base app (6000 objects) starting from the Spring release. The first publishing is a pain, but with the RAD feature publishing/debugging is 40 seconds of the base app. Go to definition for baseapp objects is not using the symbol file, but does what the debugger is doing. It connects to the the NST defined in your launch.config and it simply gets the AL source for an application object. If you can open an extension in VsCode and you can debug it then accessing the base app(Application symbol) is for free.
You should be able to decouple your IP in an app and set show my code false. I agree, it is probably easier to say it then do it. I will take your note as an enhancement.

kalberes avatar Apr 11 '19 14:04 kalberes

We'll try it, or even better, we'll do it :-) Firstly we must to convert our C/AL to AL, although it is a work we should do anyway. Thanks!

jpagessummar avatar Apr 11 '19 15:04 jpagessummar

Hi, I'm closing the issue. If you think the issue still applies to, then please either open a new issue if it is a bug in the developer tools, or go to our Ideas forum at https://aka.ms/BusinessCentralideas for features.

thpeder avatar Nov 30 '23 11:11 thpeder