
[Feature] Synk Compliant project

Open binaryjam opened this issue 1 year ago • 3 comments

I tried adding this to Snyk as a PCF library. Being reliant on libraries, the ability to have this automatically scanned for the latest vulnerabilities would be good. Have you tried or considered this, or are you doing it another way?

Thanks.

binaryjam avatar Aug 23 '22 12:08 binaryjam

Having looked more at the code, this is all pre-bundled, and isn't possible. PCFs scare the hell out of me: take any of the PCFs from PCF Gallery and you will find they are months out of date, and run them through an OWASP checker and all too many of them scream vulnerabilities.

From what I can tell from the bundle there seems to be only the Fluent UI dependency, though I can't tell for sure, so how do you check for vulnerabilities? Is there a source GitHub repo for this that I missed, which could be checked?

binaryjam avatar Aug 23 '22 12:08 binaryjam

Hi @binaryjam - Thanks for starting a thread on this - it's definitely a topic that is not talked about enough. 👍 Yes - the Creator Kit code components source can be found at https://github.com/microsoft/powercat-code-components. Dependabot PRs are reviewed and merged into new releases. You could also fork it and install your own version that you maintain separately if you wanted to.

Most of the Fluent UI library is deployed with the platform and re-used inside the code components - there are a few exceptions where a small number of components have been modified to support canvas apps - so you will see that in the bundled js - not the entire fluent library!

For organisations that enable PCF components in their environments - DLP and governing the installation of third-party solutions are important considerations. Especially for pcf-gallery solutions which are mostly more like samples than supported production-ready components. When you use PCF components inside model-driven apps, you don't need to enable PCF components - they can be installed and used by default - so governance becomes more important.

I would love to hear your thoughts.

scottdurow avatar Aug 23 '22 18:08 scottdurow

Hi, thanks for the response. When I spoke with the MS guy for PCF, his comments were similar to mine: fork the repo, scan it and maintain it if you need it.

But of course, it's not practical to fork everything, especially big things like this, and the point of a library is that you pick one that is generally well supported. It's good to see you regularly updating, using Dependabot for applying patches.

I ran this code project through Snyk and it was 00000 issues across the board; I love seeing that. So I can tell straight away this is probably the best PCF library I've ever come across and ripe for inclusion.

It's still PCF and still requires enabling PCF components. I would love to see more information, on projects as well managed as this, about the issues with PCF once enabled. As this project is a big driver to enable them, some broader discussion I believe is needed in the install docs for this, or at least on the page that explains how to install them.

Details on what happens when you tick that box, who can install them, what rights are needed, some guidance on governance and where to read up on OWASP checking, Dependabot, tools like Snyk, because when it comes to Power Apps, not everyone came from a development environment, and certainly not many from the nightmare cascading node_modules land of JS component development.

Could you consider raising these topics in your docs, or perhaps, if you have influence on the MS docs, regarding this installation and its subordinate pages on enabling PCF?

binaryjam avatar Aug 24 '22 13:08 binaryjam