Hi everyone,
I recently discovered that it's possible to use custom visuals in Power BI that are accessible from AppSource. In particular, some of these are "PBI Certified". Microsoft states (according to this page: Get your Power BI visual certified) that, in order to get the certification for the visual, there are some requirements to be met:
There are some other requirements about the repository, files, commands, compiling, etc. but these are not relevant for the question.
Lastly, the question that I have and couldn't find an answer to is the following:
If a new vulnerability is discovered (call it a zero-day if you'd like) in a package used by one of the visuals, or in the visual itself, how is it handled? Is it entirely up to the developer to fix the code and re-submit the visual? Will Microsoft get notified in some way (from the developer or through automatic periodic scanning)?
I also had a look at the FAQs (Power BI custom visuals FAQ), but the topic wasn't covered.
Thanks in advance to anyone who can give me an answer on this 🙂
Visuals are certified as of when they were submitted and reviewed. Nothing changes from the published visual side of things if something changes with the rules or vulnerabilities get discovered in npm packages. Provided that npm returns no warning about vulnerabilities in any required packages, this is regarded as OK. Certified visuals are not removed if certification rules change retrospectively or package vulnerabilities are discovered.
However, if I, as a visual author, want to submit an update to my visual, I have to address the rule changes and ensure my libraries are patched accordingly. It's routine for any author who updates their visuals regularly, as certification will fail for the update (and the last reviewed version remains in AppSource in perpetuity until the author submits a compliant update).
I've never personally been contacted about package vulnerabilities in one of my published visuals, so I can assume that either (a) this doesn't happen or (b) I haven't been subjected to a significant enough incident to be contacted.
Proud to be a Super User!
On how to ask a technical question, if you really want an answer (courtesy of SQLBI)
Thanks @dm-p for your quick reply, your answer was very helpful.
So, as far as I understood, a new 0-day vulnerability (whatever the CVSS score is) in an npm package could potentially never be fixed, and the visual will still maintain the "certified" status, exposing the users to potential risks.
Does that sound correct?
Thanks again for the help.
Possibly. All I can say is that I haven't been requested to submit a new version of my visuals due to such an issue (and I've been submitting visuals to AppSource for ~5 years). So, as far as my experience of the process goes, a visual would remain in the store unless a new version were to be submitted, so it might be possible that a vulnerable package could be present in an older visual that has not been updated in a long time.
If you want something official, it would be best to contact Microsoft for their policy on how this is managed if such an event occurs. The custom visuals team doesn't actively monitor the forums, so you'd be better off contacting them at pbicvsupport@microsoft.com to see if you can get confirmation about this.
Proud to be a Super User!
On how to ask a technical question, if you really want an answer (courtesy of SQLBI)