Azure-in-bullet-points

Package management

• It’s possible to manage all aspects of software such as installation, configuration, upgrade, and uninstall.
• Benefits:
  • Reusability: reuse same package in multiple solutions
  • Download a package into your solution whenever required.
  • Leads to faster development
• Issues with public package managers
  • Maintaining governance and control
    • E.g. people can use different versions of packages
  • Security
    • Does it have loopholes? Concerns?
    • Developer can use any package to ensure application works.
• Need for managing dependencies
  • Applications can just get swarmed into using application dependencies
  • There can be no control over the packages being used in application
  • Security can also be concern when you are looking at working with public packages

Some package managers

• apt for Debian Linux environments
• yum for CentOS Linux environments.
• Chocolatey: software management solution built on PowerShell for Windows operating systems.
• nuget for .NET applications
• npm for JavaScript packages
  • package.json
    • resides in project root folder
    • lists the packages your project depends on
    • specifies versions of a package that your project can use using semantic versioning rules
    • makes your build reproducible, and therefore easier to share with other developers
  • .npmrc
    • npm gets its config settings from the command line, environment variables, and npmrc files.
    • Can be defined as
      • per-user: in home directory of the user ($HOME/.npmrc)
      • per-project: project root ($PREFIX/etc/npmrc)
      • global: $PREFIX/etc/npmrc
      • built-in: unchangeable, in path/to/npm/itself/npmrc
    • Azure DevOps Services recommends using two .npmrc files:
      1. One .npmrc should live at the root of your git repo adjacent to your project’s package.json.
         • Should define registries
      2. On the development machine, .npmrc in $home for Linux or Mac systems or $env.HOME for win systems
         • Should contain credentials for all of the registries that you need to connect to.
         • 💡 The NPM client will look at your project’s .npmrc, discover the registry, and fetch matching credentials from $home/.npmrc or $env.HOME/.npmrc
         • I[n build task, you give credentials in npm Authenticate task
• maven: most popular build and dependency resolution tool for Java
  • gradle is a Java build tool that can use Maven or Ivy repositories for dependency resolution.

Security and Compliance

• Developers make use of publicly available packages on the Internet
• Security concerns: Are all security vulnerabilities addressed?
• Licensing problems: e.g. some licenses if you change the code in the package you must make the package publicly available.
• Some tools
  • BlackDuck by Synopsys
    • Scan all open source dependencies in your application
    • Get issues reported on all possible security vulnerabilities
  • WhiteSource Bolt
    • tool for scanning open-source dependencies for vulnerabilities and licensing
  • You can install them as extensions for those services for your organization in Azure DevOps
    • You must also install them in a server & buy a license
    • Create a service connection that points to your server

This site is open source. Improve this page.