WatchYaari - Watch videos together with your friends

Akhileswar Mannuru (He/Him) — Sun, 28 Aug 2022 18:41:00 +0000

Overview of My Submission

WatchYaari is a platform where friends can watch youtube videos together while connected over a video chat. It is primarily built using MEAN stack, WebRTC, socket.io & Redis.

The idea for the same originated back in April 2020 when people were socially distant due to COVID-19 outbreak & while talking to bunch of friends over a video call, the need for hanging out with friends during social distancing was the bootstrap point of WatchYaari.
Initially we had started off with youtube but the plan was to extend integrating with various OTT platforms.

Submission Category:

MEAN/MERN Mavericks
I have used Redis in the following 2 ways:

As a primary database instead of MongoDB (i.e. replace “M” in MEAN/MERN with “R” for Redis).
Added caching and advanced searching capabilities using JSON and Search modules.

[Video Explainer of My Project]

Language Used

JS/TS/Node.js

Link to Code

AkhilJSON / watchyaari

WatchYaari - Watch videos together with your friends

Platform where users can watch youtube videos while on a video chat. Basically a digital party where users can enjoy watching videos together Separated by distance, brought together by WatchYaari.

Overview video (Optional)

Here's a short video that explains the project and how it uses Redis:

How it works

How the data is stored:

Used RedisJSON for saving JSON data in Redis with the help of redis-om nodejs library.

How the data is accessed:

Used RedisSearch to query data stored in Redis with the help of redis-om nodejs library.

Keys changes while moving from MongoDB to Redis as primary database

Changed MongoDB ObjectId dependecies to RedisJSON entityId
Changed Mongoose models to RedisJSON schema

Mongoose Model

RedisJSON Schema
Changed queries

Mongoose aggregate query

RedisSearch query

Architecture diagram

How to run it locally?

Prerequisites

Node - v14.16.0
Angular: 9.1.9
Angular CLI: 9.1.4
NPM -…

View on GitHub

Check out Redis OM, client libraries for working with Redis as a multi-model database.
Use RedisInsight to visualize your data in Redis.
Sign up for a free Redis database.

Finding security vulnerabilities in JavaScript with Github's CodeQL & Code Scanning

Akhileswar Mannuru (He/Him) — Thu, 14 Jul 2022 08:00:57 +0000

Identifying code vulnerability is always a growing concern for a software engineer. How to reduce the security vulnerabilities in a growing code base? To mitigate such problems, I started exploring and got introduced to Github’s CodeQL.

Read this document by Github to learn more about application security. It covers various aspects like:

State of application security today.
Traditional vs. end-to-end security.
Developer first application security with GitHub.

Through this blog, I will give a step-by-step understanding on how to find security vulnerabilities in JavaScript project using CodeQL. I am planning to cover the following in detail.

Intro to CodeQL & Code Scanning.
How to find security vulnerabilities in JavaScript with CodeQL?
How to enable Github Code scanning with CodeQL?

1. Intro to CodeQL & Code Scanning

CodeQL is an industry-leading semantic code analysis engine developed by Github designed to identify vulnerabilities in codebase. It treats your code as data by building a database that can be queried for vulnerabilities. You can write queries on data to find patterns, vulnerabilities & bugs. For more details, click here.

CodeQL can be used in conjunction with Code scanning capabilities which is GitHub’s native SAST (Static Application Security Testing) tool, a developer-first approach to SAST that enables vulnerabilities to be found and remediated effortlessly before they reach production.

2. How to find security vulnerabilities in JavaScript with CodeQL?

There is a wonderful workshop video on Finding security vulnerabilities in JavaScript with CodeQL.

Note: If you are in a hurry & just want to enable CodeQL scanner in your javascript codebase without any need of learning CodeQL or willing to explore/learn writing queries using it or if you want to learn it later, please skip this section, this video will take at least 1.5hrs to complete.

Workshop Video

Video Summary
This workshop video gives a walkthrough on :

How to install CodeQL Vs code extension?
How to download a pre-generated bootstrap database by CodeQl CLI?
How to write queries to identify JQuery Plugin vulnerabilities which are found in a specific version of bootstrap(v3.4.0)?

Helpful links

CodeQL for Visual Studio Code
javascript.md used in the workshop video.
Github workshop repo

3. How to enable Github Code scanning with CodeQL?

After following the workshop video you should be able to use CodeQL.

Rather than writing queries manually, code scanning feature will find security vulnerabilities and errors in the code for your project on GitHub. In this section i'll help you setting it up. For this purpose we will use the same javascript open source library which is used in the above workshop video twbs/bootstrap.

Code scanning is GitHub’s native SAST tool. More about it can be found here.

Alternatively you can try out Code scanning JavaScript Tutorial by following this. Rather if you would like to continue with bootstrap plugin vulnerability example please follow the below steps:

3.1. Fork the twbs/bootstrap public repository in to your github account.

3.2. Create a new branch(code-scan-v3.4.0) from v3.4.0 tag, since the database used in the workshop video is generated from the same version of bootstrap, we will get similar vulnerabilities as the workshop video.

3.3. Enable Code Scanning : Since Code Scanning is available for all public repositories I have enabled it with the help of this.

3.4. Actions Workflow file : Update the branch name(code-scan-v3.4.0) in the CodeQL action Workflow file which we have enabled in the previous step. So that the action is triggered only on this branch(code-scan-v3.4.0) push & PR events.

I have removed the cron schedule to avoid running it on periodic basis, Based on your requirements you can add specific workflow trigger events. Check this for more info on Github Actions event triggers for the workflows.

3.5. copy the .github folder from the main branch to the new branch(code-scan-v3.4.0), since it is missing in it. I have copied the folder & committed to the code-scan-v3.4.0 branch. Since we have mentioned the workflow to be triggered on push & PR in the previous step, this push will also trigger the Code scanning.

Make sure you have the CodeQL workflow changes in this branch, which we have added in the previous step.

3.6. After the scanning is complete, you can find the alerts here:

Change the branch name in the filters to see the alerts belongs to code-scan-v3.4.0 branch.

You can now see the Unsafe jQuery plugin alerts which are similar to the workshop video.

To trigger the workflow again either you can Re-run the old job or push a new commit in the branch. For Re-running click on Re-run all jobs in the CodeQL workflow summary page:

The above Code scanning was done using Github actions using the free minutes available in the public repository quota.
Code scanning is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, please read this.

Read this to know more about Actions billing.

Additionally you can also run the code scanning using an external CI system, read this for setting up custom runner of CodeQL.

Please read this GitHub CodeQL Terms and Conditions before using it, use enterprise license for purposes beyond this scope & restrictions.

Also Read this to know about the hardware resources requirements for running CodeQL.

FYI, There are other scanners available in the Github
marketplace in addition to the CodeQL Scanner.
Check the below image to add other workflows

Hope this helps!

DEV Community: Akhileswar Mannuru (He/Him)

WatchYaari - Watch videos together with your friends

Overview of My Submission

Submission Category:

[Video Explainer of My Project]

Language Used

Link to Code

AkhilJSON / watchyaari

WatchYaari - Watch videos together with your friends

Overview video (Optional)

How it works

How the data is stored:

How the data is accessed:

Keys changes while moving from MongoDB to Redis as primary database

Architecture diagram

How to run it locally?

Prerequisites

Finding security vulnerabilities in JavaScript with Github's CodeQL & Code Scanning

1. Intro to CodeQL & Code Scanning

2. How to find security vulnerabilities in JavaScript with CodeQL?

3. How to enable Github Code scanning with CodeQL?