Check integrity of App Store imported content (modules / widgets) using Platform SDK

3
One of the subtasks of a security audit for our client Mendix projects is to check whether content imported from the App Store has not been changed. This applies to imported modules and widgets.

Using the Mendix Platform SDK, we're able to export all modules used in a project (IModel.exportModuleMpk()) and then create e.g. an MD5 checksum for the .mpk files. The problem is that the MD5 is useless, because:

- The exported .mpk (and hence its MD5) is different from the .mpk you can download directly from the App Store.
- If you export the very same module from different projects, the exported .mpk (and hence its MD5) is different.

The difference seems to be caused by the fact that inside the .mpk there is a .mpr file, so probably the project-specific data affects the module package.

For imported widgets, we can collect a list of custom widgets by traversing all documents (i.e. pages, layouts, snippets) and collecting the CustomWidget children, but it seems there is no way to get the widget content (other than a hacky way: exporting the whole project, unpacking it and checking files inside the /widgets subfolder, with no strong relation to the widgets themselves (the widget file name is not always the same as the widget name)).

Is there any other way to compare imported modules/widgets with App Store originals?
asked
1 answers
0

Hi Segiusz, 

This is indeed problematic. You will find some suggestions on a similar question here: https://forum.mendix.com/link/questions/90189

Jacob

answered
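The whole-file checksum problem described in the question can be narrowed by hashing each entry inside the package instead of the package itself. The following is an added example, not code from the thread or from Mendix: it assumes the .mpk is a zip archive, uses SHA-256 rather than MD5, and runs on constructed in-memory packages whose entry names (`module.mpr`, `widgets/Grid.mpk`, `extra.js`) are made up for illustration.

```python
import hashlib
import io
import zipfile


def entry_digests(package_bytes):
    """Map each file inside a zip-format package to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for info in pkg.infolist():
            if info.is_dir():
                continue
            # Hash the decompressed content, so zip timestamps, entry order and
            # compression level do not influence the result.
            digests[info.filename] = hashlib.sha256(pkg.read(info)).hexdigest()
    return digests


def compare_packages(reference_bytes, exported_bytes):
    """Return entries that were added, removed or changed relative to the reference."""
    ref, exp = entry_digests(reference_bytes), entry_digests(exported_bytes)
    return {
        "added": sorted(exp.keys() - ref.keys()),
        "removed": sorted(ref.keys() - exp.keys()),
        "changed": sorted(n for n in ref.keys() & exp.keys() if ref[n] != exp[n]),
    }


def build_package(files, date_time):
    """Build an in-memory zip (constructed sample data, not a real Mendix package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, content in files.items():
            pkg.writestr(zipfile.ZipInfo(name, date_time=date_time), content)
    return buf.getvalue()


# Constructed samples: a reference copy, an export whose .mpr differs, a modified copy.
STORE = build_package({"module.mpr": b"store-model", "widgets/Grid.mpk": b"widget-v1"},
                      (2020, 1, 1, 0, 0, 0))
EXPORT = build_package({"module.mpr": b"project-model", "widgets/Grid.mpk": b"widget-v1"},
                       (2021, 6, 1, 12, 0, 0))
TAMPERED = build_package({"module.mpr": b"store-model", "widgets/Grid.mpk": b"widget-v1-patched",
                          "extra.js": b"x"}, (2020, 1, 1, 0, 0, 0))

if __name__ == "__main__":
    print(compare_packages(STORE, EXPORT))
    print(compare_packages(STORE, TAMPERED))
```

An entry reported as changed still has to be inspected: for the .mpr, which the question suspects carries project-specific data, a byte comparison alone cannot separate that data from a real modification.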