Pluralscan is source code analysis software that combines the best features of open-source security tools into a single solution.
- Software Composition Analysis aka SCA
- Static Application Security Testing aka SAST
- Dynamic Application Security Testing aka DAST
- Code Quality Analysis with linters
- Active security testing with Fuzzing Tools
- Prevents unwanted legal complications by checking open-source license compliance
- Benchmarks of the results provided by the different tools
- ...
Pluralscan should currently be considered a proof-of-concept (POC) project that tries to demonstrate how to build complex, business-oriented software in Python by following Domain-Driven Design concepts.
- Fetch open-source projects from various locations (Git, Github, Gitlab, Disk...).
- Fetch software packages built with various packaging systems (pip, poetry, npm, cargo, go...).
- Plan batches of code analysis on a package with various analyzers (Roslyn, Sonar, Security Code Scan...).
- Centralize and persist analysis reports into a generic business model representation.
- Monitor and provide assistance to reduce technical debt.
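The following is an added example, not Pluralscan's own code, of what the feature list above means in practice: a small DDD-style domain model in which an analysis plan is derived from the languages found in a package, and the raw output of one analyzer (pylint's `--output-format=json`, whose field names are real) is normalized into a generic `Finding` representation. Every class and function name here is this example's own invention; the severity scale is an assumed project choice, and the sample package and pylint output are constructed inline. Because analyzer output is untrusted input, reported file paths are checked against the package root before being stored.

```python
"""Added example (not Pluralscan's code): plan analyzers per language and
normalize pylint JSON output into a generic Finding model. Names are invented."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Language -> analyzers, using a few entries from the analyzer table in this README.
ANALYZERS_BY_LANGUAGE: dict[str, tuple[str, ...]] = {
    "python": ("pylint",),
    "go": ("Staticcheck",),
    "rust": ("clippy",),
    "typescript": ("ESLint", "prettier"),
}
EXTENSION_TO_LANGUAGE = {".py": "python", ".go": "go", ".rs": "rust", ".ts": "typescript"}

# Assumed mapping of pylint's message "type" field onto a generic scale.
PYLINT_SEVERITY = {"convention": "low", "refactor": "low", "warning": "medium",
                   "error": "high", "fatal": "high"}


@dataclass(frozen=True)
class Package:
    name: str
    files: tuple[str, ...]  # paths relative to the package root


@dataclass(frozen=True)
class AnalysisPlan:
    package: Package
    analyzers: tuple[str, ...]


@dataclass(frozen=True)
class Finding:
    analyzer: str
    rule_id: str
    severity: str
    path: str
    line: int
    message: str


@dataclass
class Report:
    analyzer: str
    package: Package
    findings: list[Finding] = field(default_factory=list)
    dropped: list[str] = field(default_factory=list)  # raw paths rejected as unsafe


def plan_analysis(package: Package) -> AnalysisPlan:
    """Select analyzers from the languages detected by file extension."""
    languages = {EXTENSION_TO_LANGUAGE.get(PurePosixPath(f).suffix) for f in package.files}
    analyzers = tuple(a for lang in sorted(l for l in languages if l)
                      for a in ANALYZERS_BY_LANGUAGE.get(lang, ()))
    return AnalysisPlan(package, analyzers)


def contained_path(raw: str) -> str | None:
    """Return a normalized relative path, or None if it could escape the package root.
    Analyzer output is untrusted: an absolute path, a drive prefix or a '..' segment
    must not end up stored in a report or used to open files later."""
    parts = PurePosixPath(raw.replace("\\", "/")).parts
    if not parts or parts[0] == "/" or parts[0].endswith(":") or ".." in parts:
        return None
    return "/".join(parts)


def normalize_pylint(package: Package, raw_json: str) -> Report:
    """Translate `pylint --output-format=json` output into generic Findings."""
    report = Report("pylint", package)
    for item in json.loads(raw_json):
        path = contained_path(item["path"])
        if path is None:
            report.dropped.append(item["path"])
            continue
        report.findings.append(Finding(
            analyzer="pylint",
            rule_id=item["message-id"],
            severity=PYLINT_SEVERITY.get(item["type"], "unknown"),
            path=path,
            line=int(item["line"]),
            message=item["message"],
        ))
    return report


# Constructed sample input: a two-language package and two pylint messages in
# pylint's JSON shape, the second pointing outside the package root.
SAMPLE_PACKAGE = Package("demo", ("demo/app.py", "demo/util.py", "tools/gen.go"))
SAMPLE_PYLINT_JSON = json.dumps([
    {"type": "warning", "module": "demo.app", "obj": "main", "line": 12, "column": 4,
     "path": "demo/app.py", "symbol": "subprocess-run-check",
     "message": "'subprocess.run' used without explicitly defining the value for 'check'.",
     "message-id": "W1510"},
    {"type": "error", "module": "x", "obj": "", "line": 1, "column": 0,
     "path": "../../etc/passwd", "symbol": "syntax-error", "message": "bogus",
     "message-id": "E0001"},
])

if __name__ == "__main__":
    print(plan_analysis(SAMPLE_PACKAGE))
    print(normalize_pylint(SAMPLE_PACKAGE, SAMPLE_PYLINT_JSON))
```

In the real project the per-analyzer translation would live behind an adapter interface so that the generic `Report` never depends on a specific tool's output format; the path check is the piece most easily forgotten when adding a new adapter.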
This is ongoing work, so expect many changes.
Set up a complete stack with MongoDB, Redis and Pluralscan. (Known issue with analyzer execution; fix coming soon.)
docker-compose up
Remove containers.
docker-compose down
- Navigate to http://localhost:8001
- Accept RedisInsight license.
- Log in with the password defined inside `.docker.env`.
- Navigate to http://localhost:
- Navigate to http://localhost:8983
- Python 3.10 as language and runtime environment.
- asyncio to declare coroutines and execute concurrent code
- poetry for packaging and dependency management.
- pytest framework for testing.
- pytest-cov for coverage measurement.
- mypy for static type checking.
- pathlib for handling cross-platform file paths.
- Python 3.10* as language and runtime environment.
- FastAPI as the web framework for the API and for serving the SPA.
- asyncio is used to declare coroutines and execute concurrent code.
- esdbclient as gRPC client for EventStoreDB.
- Celery as the distributed task queue.
- python-kafka as Kafka client.
- grpcio as the gRPC runtime.
- grpcio-tools to generate Python stubs from .proto files.
- pymongo as the MongoDB driver.
- sse-starlette for Server-Sent Events.
- uvicorn as the ASGI server.
- pydantic for data validation.
- NodeJS 16.13.0 as runtime environment.
- Typescript as main language.
- Svelte 3 as front-end framework.
- Carbon Design System for Svelte as design framework.
- jest as testing framework.
- ts-jest for writing tests in Typescript.
- svelte-jester to precompile Svelte components before importing them into tests.
- tailwindcss as utility css framework.
- PouchDB to sync data from the CouchDB server onto the client device for offline usage.
- Python 3.10* as language and runtime environment
- asyncio to declare coroutines and execute concurrent code
- In-memory (for test purposes only)
- MongoDB
- Redis
- ElasticSearch
- Apache CouchDB to persist data that can be synced to the client for offline usage.
- EventStoreDB
- Neo4j
- Apache Solr
- Debezium
- KICS - Keeping Infrastructure as Code Secure [Cloud]
- Security Code Scan [C# | VB#]
- OWASP Dependency Check
- Staticcheck [Go]
- pylint [Python]
- cpplint [C | C++]
- Roslynator [C# | VB#]
- SQLFluff [SQL]
- Checkstyle [Java]
- ESLint [Javascript | Typescript]
- prettier [Javascript | Typescript]
- ktlint [Kotlin]
- php [PHP]
- RuboCop [Ruby]
- clippy [Rust]
- SwiftLint [Swift]
TODO.
cd pluralscan-api-client
npm install
npm run build
cd pluralscan-svelte
npm install
cd pluralscan-svelte
npm run dev
cd pluralscan-svelte
npm run build
The build process will output directly into the API project.
To verify that the project is error-free, you can use the CLI tool svelte-check. It reports errors across all .svelte files, the same way an editor would.
npx svelte-check
From the VS Code Debug view, run the "Debug FastApi" profile to start a development web service with debugging enabled.
https://coverage.readthedocs.io/
Code coverage analysis with HTML report
py -m coverage html --skip-empty
cd htmlcov
- Domain-Driven Design: Tackling Complexity in the Heart of Software by Eric Evans
- Implementing Domain-Driven Design by Vaughn Vernon
- Patterns, Principles, and Practices of Domain-Driven Design by Scott Millett
- Clean Architecture: A Craftsman's Guide to Software Structure and Design by Robert C. Martin aka "Uncle Bob"
- Living Documentation: Continuous Knowledge Sharing By Design by Cyrille Martraire