Add better review / rating options for the Mendix Marketplace and Studio Pro - Mendix Forum

0

Currently we're seeing simple star-rated reviews on marketplace content, developers that are happy that it was easy to implement, etc. And all reviewers are treated the same, whether you're a junior developer or a security expert with 25 years of experience in the software industry. It's all just lumped together.


However, from a code quality perspective, adherence to best practices, cleanliness, logging, flexibility, performance, coverage of API implementation, error handling, UI design, UX, test coverage, code quality tooling used, adherence to and implementation of specifications and standards, HIPAA compliance, GDPR compliance, etc., support and documentation could all be put under a level of scrutiny.


With the addition of protected modules etc. and ISVs trying to sell their solutions, this is going to be even more sketchy, as their code will be hidden away and as a developer you can't even review what happens under the hood.


People are currently downloading quite possibly poorly implemented, insecure and faulty modules. And nobody bats an eye because hey, it had 5 stars and tons of downloads!

The number of modules that can be downloaded this way, which were just some hobby project someone put together in 2-3 days and launched into the marketplace, is quite large.

But even more serious platform-supported modules, like the External Database Connector or the Database Connector, both delivered by Mendix teams, are a risk to blindly download. With platform support and 30000+ downloads it looks super trustworthy, so many low-code developers don't give it a second thought. But what if I told you one of the most crucial aspects has potentially been overlooked in those modules? Namely the coverage of SSL and client verification of server certificates (https://www.postgresql.org/docs/current/libpq-ssl.html), leaving the connections vulnerable to man-in-the-middle attacks, impersonation of the external database, and eavesdropping, which can potentially expose the external database credentials. 30000+ downloads... and hundreds of "expert" Mendix developers used it, reviewed it, and didn't bother to take a look under the hood.


GitHub works because it opens the source code of many projects to everyone to look at, it has an issue tracker, and people can contribute with ease. They can report new issues and this is immediately visible for everyone to see.


The Mendix Marketplace needs:

- A more complete rating system that covers all aspects of software quality

- Stamps of approval by people that can be seen as authorities that are experienced enough to judge different aspects of these modules. Reviews by a security team, legal, architects, UX/UI experts, senior developers, testers, etc.

- Coverage of what has been reviewed by these authorities before it reached the marketplace.

- Developers that upload content need to mark which parts of their application were affected by their latest release, triggering the need for authorities to update their reviews or for new people to redo them.

- Issue tracker

- Clear best practices and guidelines which modules need to adhere to.

- Reward system for people that fix bugs / do reviews (community points); in fact, just make doing this for 5 to 15 different Mendix modules in the Marketplace a requirement to become an expert.

- Built-in code review tooling in the Mendix modeler, allowing people to mark parts of a microflow for the need of future revisions, etc.


asked
0 answers
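The post's concrete technical point is that a database connector can encrypt a connection without ever verifying the server's certificate. The script below is an added example (not code from the forum post, from Mendix, or from any Mendix module) that audits PostgreSQL connection strings against the libpq `sslmode` semantics in the linked libpq documentation: only `verify-ca` and `verify-full` check the server certificate, and only `verify-full` also matches the host name, while the default `prefer` neither enforces TLS nor verifies anything. The connection strings at the bottom are constructed sample inputs. Mendix connectors run on JDBC rather than libpq; the PostgreSQL JDBC driver accepts the same `sslmode` names but has its own defaults, so treat the libpq default used here as an assumption to check against the driver you actually ship.

```python
"""Audit PostgreSQL connection strings for server-certificate verification.

Added example; applies the libpq sslmode rules from
https://www.postgresql.org/docs/current/libpq-ssl.html to both
"key=value" conninfo strings and postgresql:// URIs.
"""
import shlex
from urllib.parse import parse_qs, urlparse

# libpq sslmode values from weakest to strongest. Only verify-ca and
# verify-full validate the server certificate against a trusted root;
# only verify-full additionally checks that the certificate matches the host.
SSLMODE_RANK = {
    "disable": 0,
    "allow": 1,
    "prefer": 2,
    "require": 3,
    "verify-ca": 4,
    "verify-full": 5,
}
LIBPQ_DEFAULT_SSLMODE = "prefer"  # libpq default when sslmode is omitted (assumption for JDBC)


def parse_conninfo(conn: str) -> dict:
    """Return the parameters of a libpq conninfo string or a postgresql:// URI."""
    if conn.startswith(("postgresql://", "postgres://")):
        url = urlparse(conn)
        params = {key: values[-1] for key, values in parse_qs(url.query).items()}
        if url.hostname:
            params.setdefault("host", url.hostname)
        return params
    params = {}
    # shlex handles quoted values such as password='two words'
    for token in shlex.split(conn):
        if "=" in token:
            key, value = token.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def assess_sslmode(conn: str) -> dict:
    """Classify what a connection string's sslmode actually guarantees."""
    params = parse_conninfo(conn)
    mode = params.get("sslmode", LIBPQ_DEFAULT_SSLMODE)
    if mode not in SSLMODE_RANK:
        raise ValueError(f"unknown sslmode: {mode!r}")
    rank = SSLMODE_RANK[mode]
    encrypted = rank >= SSLMODE_RANK["require"]
    cert_verified = rank >= SSLMODE_RANK["verify-ca"]
    host_verified = mode == "verify-full"

    findings = []
    if not encrypted:
        findings.append(f"sslmode={mode}: TLS not enforced, credentials and data may travel in plaintext")
    if not cert_verified:
        findings.append(f"sslmode={mode}: server certificate not verified, server can be impersonated")
    elif not host_verified:
        findings.append("sslmode=verify-ca: certificate chain checked but host name not matched")
    if cert_verified and "sslrootcert" not in params:
        findings.append("no sslrootcert given: verification depends on the default root.crt file being present")
    return {
        "sslmode": mode,
        "encrypted": encrypted,
        "cert_verified": cert_verified,
        "host_verified": host_verified,
        "findings": findings,
    }


def audit_connections(conns: list[str]) -> list[dict]:
    """Return the assessments of all connection strings that have findings."""
    results = [dict(conn=conn, **assess_sslmode(conn)) for conn in conns]
    return [r for r in results if r["findings"]]


# Constructed sample connection strings (not from any real deployment).
SAMPLE_CONNECTIONS = [
    "host=db.example.internal dbname=app user=svc password='s3cr3t pw'",
    "host=db.example.internal dbname=app user=svc sslmode=require",
    "host=db.example.internal dbname=app sslmode=verify-ca sslrootcert=/etc/ssl/db-ca.pem",
    "postgresql://svc@db.example.internal/app?sslmode=verify-full&sslrootcert=/etc/ssl/db-ca.pem",
]

if __name__ == "__main__":
    for result in audit_connections(SAMPLE_CONNECTIONS):
        print(result["conn"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run it over the connection strings (or JDBC URL query parameters) that a connector module builds; anything that does not come back as `verify-full` with an explicit root certificate is a candidate for the kind of review the post is asking for.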