lunasec VS mantine

Compare lunasec vs mantine and see how they differ.

lunasec

LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/ (by lunasec-io)
               lunasec                                    mantine
Mentions       36                                         223
Stars          1,402                                      24,146
Growth         0.9%                                       2.5%
Activity       5.5                                        9.9
Last commit    2 months ago                               3 days ago
Language       TypeScript                                 TypeScript
License        GNU General Public License v3.0 or later   MIT License
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

lunasec

Posts with mentions or reviews of lunasec. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-01-27.
  • Guys, I taught ChatGPT to browse the internet and it is bloody amazing.
    1 project | /r/geek | 13 Mar 2023
  • Ask HN: Those making $0/month or less on side projects – Show and tell
    95 projects | news.ycombinator.com | 27 Jan 2023
    LunaTrace: https://lunatrace.lunasec.io/

    Premise: Open Source[0] alternative to GitHub Dependabot and `npm audit` that focuses on helping you prioritize where to patch first (only 0.1% of CVEs are used in cyber attacks).

    Short YouTube demo: https://www.youtube.com/watch?v=ugdSyR2L6sY

    A newer video showing off the whole Static Analysis engine: https://www.youtube.com/watch?v=vPd4MSUJ98M

    Price: $0 for Open Source repos. We're hoping to charge for private repos in the future, but we need to build out the billing features first lol. (We're at $0 in revenue currently.)

    If you are filled with rage because of CVEs spamming you, come vent your frustrations on Discord: https://discord.gg/2EbHdAR5w7

    We're looking for early customers that are interested in working with us. My email is on my profile. Cheers!

    [0]: Source Code, https://github.com/lunasec-io/lunasec/

  • Log4Shell Still Has Sting in the Tail
    4 projects | news.ycombinator.com | 30 Dec 2022
    (Note: I'm the person that coined the term "Log4Shell")

    You may be surprised when I tell you what the Apache Software Foundation's yearly budget is. You'd think for software that is used by practically every Fortune 500 company and most governments, it would be something reasonable. Maybe a few hundred million dollars a year to pay for a reasonable full-time staff, right?

    It turns out... it's about $2 million a year. (Wikipedia[0])

    This helps explain to me why the devs of Log4j directly uploaded the file "JNDIExploit.java" (the POC) to GitHub while they were patching. (Here is a full analysis and guide about how to prevent that[1].)

    They're not security people. They're volunteers working on this in addition to their full-time job.

    What kind of brave soul wants to trudge through and maintain log4j in their spare time for zero compensation? I appreciate the people that are capable of doing that, but I think they are rare!

    This whole entire vulnerability was eye opening for everybody and I have actually spent the last year building tooling on GitHub to help fix the problems that Log4Shell exposed.

    If you have 2 seconds to try that out or just Star the repo[2], it would be very helpful!

    0: Log4j revenue https://en.wikipedia.org/wiki/The_Apache_Software_Foundation

    1: "How to Discuss and Fix Vulnerabilities in Open Source" https://www.lunasec.io/docs/blog/how-to-mitigate-open-source...

    2: GitHub project building better dependency patching tools https://github.com/lunasec-io/lunasec

  • Malicious Python Packages Replace Crypto Addresses in Developer Clipboards
    1 project | /r/netsec | 7 Nov 2022
    If anybody is curious to replicate this type of analysis, we should connect because I've been working on a project to build an engine for this type of analysis for about a year now. GitHub Repo
  • Dozens of malicious PyPI packages discovered targeting developers
    23 projects | news.ycombinator.com | 2 Nov 2022
    It is possible to set your registry in NPM via the "npmrc" file. That will let you hit the specified HTTP server whenever you run commands like "npm install".

    I know this is also possible for Python because we did it at Uber. I don't remember the specific details anymore though.

    In either case though, a lot of people have written proxies for this use case (I helped write one for NPM at Uber). Companies like Bytesafe and Artifactory also exist in this space.

    We're working on something similar that's on GitHub here: https://github.com/lunasec-io/lunasec

    Proxy support isn't built out yet but the data is all there already.

  • Preventing the bait and switch by open core software companies
    4 projects | news.ycombinator.com | 27 Oct 2022
    The current system is broken. I don't think I agree with everything in the post, but I'm excited to see movement in this space given that this is a space I spend a lot of time thinking about. (I'll expand on that below)

    Even if I disagree with parts of this, this is still one of the most interesting things that I've read around OSS licensing in a minute! Having actual VC money behind this movement is awesome.

    For context: I run an Open Source company that's YC + VC-backed. We are using a hybrid of Apache and Business Source License (BSL, a "non-compete" license that converts to Apache in 2-3 years). Our license file[0] has context about my thought process around this, but I still am not totally happy with it. (BSL isn't an "OSI-Compatible", even if it does feel like the "best" license currently.)

    To come to that conclusion, I've read both Heather Meeker's book, "Open (Source) for Business"[1], multiple times now and I've also blogged about this topic[2] before.

    All of that is to say, it's complicated and there are some perverse incentives that can prevent you from always "doing the right thing".

    Problem #1: You lose control. You may begin with Apache but, as OP states, you eventually end up with the incentive to "rug pull" by switching the license because of market forces/VC influence. (I'm the founder of my company and I would resist it, but eventually our investors might control the board and make that happen anyway by replacing me.)

    Problem #2: The hardest part of building a company is getting traction. Just getting anybody to care about you takes a ton of effort and having a permissive license makes it way easier to get that early adoption. And, by the time you have adoption and you decide to go raise VC money, you now end up with Problem #1.

    Problem #3: If you start with a copyleft license like GPL/AGPL, then you make Problem #2 harder. Many companies simply won't adopt your software if you're using that. (Linux is a notable exception here, but even companies using AGPL like MongoDB have switched away from copyleft.)

    We are using BSL because it feels like the best compromise (it becomes Apache 2.0 eventually). I do still think a lot about switching to Apache though. I just really hate the idea of "rug pulling" and I'd rather be honest from the beginning with a license like BSL, even if it is more difficult to get that initial momentum.

    Does anybody else have thoughts to share about this?

    0: https://github.com/lunasec-io/lunasec/blob/master/LICENSE.md

    1: Open (Source) for Business: A Practical Guide to Open Source Software Licensing - Third Edition https://a.co/8SLjVZI

    2: https://www.lunasec.io/docs/blog/how-to-build-an-open-source...

  • Ignore 98% of dependency alerts: introducing Semgrep Supply Chain
    1 project | news.ycombinator.com | 4 Oct 2022
    Here is some code on GitHub that does call site checking using SemGrep: https://github.com/lunasec-io/lunasec/blob/master/lunatrace/...

    (Note: I helped write that. We're building a similar service to the r2c one.)

    You're right that patching is hard because of opaque package diffs. I've seen some tools coming out like Socket.dev which show a diff between versions. https://socket.dev/npm/package/react/versions

    But, that said, this is still a hard problem to solve and it's happened before that malware[0][1] has been silently shipped because of how opaque packages are.

    0: https://web.archive.org/web/20201221173112/https://github.co...

    1: https://www.coindesk.com/markets/2018/11/27/fake-developer-s...

  • Ask HN: How do you deploy your weekend project in 2022?
    3 projects | news.ycombinator.com | 9 Sep 2022
    https://github.com/lunasec-io/lunasec/blob/master/lunatrace/...

    It's more complicated now but if you look at the history of that "backend-cdk" folder then it was simpler a few months ago.

    The important bit is the "ecs-patterns" library. That's the one that is magical and deals with setting up the load balancer, cluster, etc for you. And the way we shove the Docker images in I found to be quite straightforward. (And deploys are one line)

  • Cdk8s: CNCF-Backed Infrastructure-as-Code (IaC) for Kubernetes
    2 projects | news.ycombinator.com | 6 Sep 2022
    I saw this last night while trying to set up Flux on EKS. I wanted to share this and see what other tools people are using too.

    Is it possible for Kubernetes to be startup-friendly? (We're using ECS right now via the normal CDK[0]).

    0: https://github.com/lunasec-io/lunasec/blob/master/lunatrace/...

  • Vulnerability Management for Go
    4 projects | news.ycombinator.com | 6 Sep 2022
    This is really cool to see because this is the #1 problem with current tools (as you said). I call it "alert fatigue" in my head because it's meaningless when you have 100+ vulns to fix but they're 99% unexploitable.

    I have a bit of a bone to pick with this space: I've been working on this problem for a few months now (link to repo[0] and blog[1]).

    My background is Application Security and, as is often the case with devs, rage fuels me in my desire to fix this space. Log4Shell helped too.

    As another comment said, doing this in a language agnostic way is a big PITA and we haven't fully built it yet. We are using SemGrep to do very basic static analysis (see if vulnerable function is ever imported + called). But we're not doing fancy Inter-process taint analysis like CodeQL can.

    (We have a big Merkle tree that represents the dependency tree and that's how we are able to make the CI/CD check take only a few seconds because we can pre-compute.)

    Anyway, if you have a second to help, we have a GitHub App[1] that you can install to test this out + help us find bugs. It's best at NPM now but we have basic support for other languages (no dep tree analysis yet).

    There are so many edge cases with the ways that repos are set up so just having more scans coming in helps a ton. (Well, it breaks stuff, but we already determined that rage sustains me.)

    Thank you. climbs off of soap box

    0: https://github.com/lunasec-io/lunasec

    1: https://www.lunasec.io/docs/blog/the-issue-with-vuln-scanner...

    2: https://github.com/marketplace/lunatrace-by-lunasec

mantine

Posts with mentions or reviews of mantine. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-04-17.
  • Astro.js as an alternative to Next.js: pushing the limits
    7 projects | dev.to | 17 Apr 2024
    Here’s another mentality shift for you. If you were thinking in a providers pattern, you need to snap out of it. You can no longer store your theme in a provider. No more RadixUI or MantineUI for you.
  • How I Built an Open-Source Admin Dashboard Template with Mantine and Next.js
    3 projects | dev.to | 3 Apr 2024
    import { TextInput, Select } from '@mantine/core';
    // Example usage ; ;

    Maps: React Simple Maps provides maps that are valuable for visualizing geospatial data. You can integrate interactive maps into your dashboard to represent data points geographically.

    import {ComposableMap, Geographies, Geography, Marker} from "react-simple-maps";
    // Example usage {...} {... return ( ); })}

    By incorporating these core components, our template accelerates the development of admin dashboards. These components are designed to work seamlessly together, providing a cohesive user experience. You can effortlessly create complex data visualizations, interactive tables, intuitive forms, and interactive maps — essential elements that transform raw data into meaningful insights.

    Deploying the Template to a Live Environment

    Deploying our admin dashboard template to a live environment is a straightforward process. We recommend utilizing popular hosting platforms like Vercel, Netlify, or Firebase Hosting. These platforms offer seamless integration with Next.js and allow you to deploy with a few simple steps:

    Install Required Dependencies: Ensure you have the necessary dependencies specified in the package.json file.
    Build the Project: Generate a production build of your Next.js application using the command: npm run build.
    Select Hosting Platform: Choose your preferred hosting platform (e.g., Vercel).
    Connect Repository: Link your template’s GitHub repository to the hosting platform.
    Configure Deployment Settings: Configure deployment settings, such as branch selection and build commands.
    Deploy: Trigger the deployment process. The hosting platform will automatically build and deploy your admin dashboard template.

    Real-World Use Cases

    The versatility of our admin dashboard template knows no bounds. It caters to a myriad of real-world use cases, each tailored to specific industries and applications:

    E-Commerce Management: The template can be employed to manage product listings, order processing, and inventory tracking for online stores.
    Data Analytics: With its data visualization components, the template can serve as a dashboard for analyzing metrics, trends, and insights.
    Project Management: The template’s customizable components facilitate the creation of project management tools for tracking tasks, deadlines, and team collaboration.
    SaaS Applications: As the foundation of a Software as a Service (SaaS) application, the template streamlines user management, subscription tracking, and data presentation.
    Content Management: It can also function as a content management system dashboard, offering tools to manage articles, media, and user-generated content.

    Live Demo

    For a hands-on experience, explore the live demo of our admin dashboard template: Live demo — https://mantine-analytics-dashboard.netlify.app/ Witness the template’s adaptability, responsiveness, and functionality firsthand. Feel free to interact with its components, navigate through its sections, and envisage how it could seamlessly integrate into your projects.

    Contributing and Support

    I welcome all developers and enthusiasts to contribute to the growth of our open-source admin dashboard template. Contributing is a collaborative process that empowers us to collectively enhance the template’s capabilities and quality. To get started:

    Fork the Repository: Fork the template’s GitHub repository to your own GitHub account.
    Clone the Fork: Clone the forked repository to your local machine using Git.
    Create a Branch: Create a new branch for your contributions to keep the main codebase intact.
    Implement Changes: Make your desired changes, add new components, or refine existing features.
    Commit and Push: Commit your changes to the new branch and push them to your GitHub fork.
    Submit a Pull Request: Submit a pull request from your forked repository to the main template repository. Your changes will be reviewed and potentially merged.

    Conclusion

    In summary, our Mantine and Next.js admin dashboard template offers a range of benefits that empower developers, designers, and entrepreneurs to create exceptional admin interfaces:

    Efficiency and Speed: The template expedites development by providing a pre-built foundation of components and features, allowing you to focus on customization and innovation.
    Consistency and Aesthetics: Mantine’s design-first approach and Next.js’s performance optimizations ensure a consistent and visually appealing user experience.
    Flexibility and Customization: The template’s modularity and theming options facilitate easy customization to align with your project’s unique branding and requirements.
    Rich Functionality: The integration of core components such as charts, tables, forms, and maps equips you with tools to tackle diverse dashboard functionalities.

    Invitation to Explore and Utilize

    The Mantine and Next.js admin dashboard template isn’t just an end; it’s a beginning — a starting point for your creative journey. Whether you’re a seasoned developer seeking a rapid launch or an enthusiast keen on learning modern development practices, this template is your canvas.

    Additional Resources

    GitHub repository — https://github.com/design-sparx/mantine-analytics-dashboard
    Mantine — https://mantine.dev/
    Nextjs — https://nextjs.org/
    Code documentation — https://mantine-analytics-dashboard-docs.netlify.app/
  • Building a Fast, Efficient Web App: The Technology Stack of PromptSmithy Explained
    9 projects | dev.to | 26 Mar 2024
    While I have experience with Tailwind and frontend development, I don’t really have the patience to use it. I usually end up using something like Mantine, which is a complete component library UI kit, or Daisy UI, which is a component library built on top of Tailwind. Shadcn/ui is quite similar to Daisy in this sense, but being able to customize the individual components, since they get installed to your components folder, made development more streamlined and more customizable. On top of that being able to change my components style with natural language thanks to v0 made development super easy and fast. Shadcn may be too minimalist of a style for some, but thanks to all the components being local, you can customize them quickly and easily!
  • Shadcn: Beautifully designed components that you can copy-paste into your apps
    15 projects | news.ycombinator.com | 12 Jan 2024
    Great compilation. Thanks for putting that together.

    Curious what your take is on these UI libraries that "claim" they are accessible:

    https://mantine.dev - "Build fully functional accessible web applications faster than ever"

  • Mantine: A featured React components library
    1 project | news.ycombinator.com | 10 Jan 2024
  • 33 React Libraries Every React Developer Should Have In Their Arsenal
    10 projects | dev.to | 7 Jan 2024
    29.react-mantine
  • So should I be using a component library?
    5 projects | /r/nextjs | 6 Dec 2023
    I am currently using mantine.dev, and I am very happy with the results. I haven't done any customization. If you want to take a look at my website: https://culturadocaractere.com.br
  • 9 React component libraries for efficient development in 2023
    9 projects | dev.to | 13 Nov 2023
    GitHub stars: 21.9k
    GitHub link: https://github.com/mantinedev/mantine
    Documentation: https://mantine.dev/getting-started/
  • I hate CSS: how can I build UIs?
    13 projects | news.ycombinator.com | 5 Nov 2023
  • Mantine: A feature React components library
    1 project | news.ycombinator.com | 27 Oct 2023

What are some alternatives?

When comparing lunasec and mantine you can also consider the following projects:

immudb - immudb - immutable database based on zero trust, SQL/Key-Value/Document model, tamperproof, data change history

Material UI - Ready-to-use foundational React components, free forever. It includes Material UI, which implements Google's Material Design.

apache-log4j-poc - Apache Log4j remote code execution

chakra-ui - ⚡️ Simple, Modular & Accessible UI Components for your React Applications

wazuh-dashboard-plugins - Plugins for Wazuh Dashboard

antd - An enterprise-class UI design language and React UI library

log4shell-tools - Tool that runs a test to check whether one of your applications is affected by the recent vulnerabilities in log4j: CVE-2021-44228 and CVE-2021-45046

shadcn/ui - Beautifully designed components that you can copy and paste into your apps. Accessible. Customizable. Open Source.

react-payment-inputs - A React Hook & Container to help with payment card input fields.

react-admin - A frontend Framework for building data-driven applications running on top of REST/GraphQL APIs, using TypeScript, React and Material Design

react-numpad - A numpad for number, date and time, built with and for React.

React ChatBox Component - Clean and nimble React chat component for your next React chat app.