Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep your dependencies in check

Marit van Dijk
September 22, 2022
Technology
0
200

Keep your dependencies in check

If Log4Shell, Spring4Shell, etc. have taught us anything, it's that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Marit van Dijk

September 22, 2022
Tweet

More Decks by Marit van Dijk

See All by Marit van Dijk
TDD: Test-Driven Development vs Tab-Driven Development
mlvandijk
0
67
Reading Code (Duke turns 30)
mlvandijk
1
34
TDD: Test-Driven Development vs TAB-Driven Development (Devnexus)
mlvandijk
0
44
Reading Code (NDC London)
mlvandijk
0
29
Reading Code (LJC)
mlvandijk
0
35
Reading code (ING Backend Summit)
mlvandijk
0
51
Reading code (Tweakers Developers Summit)
mlvandijk
0
41
Reading Code (Devoxx)
mlvandijk
0
410
Reading Code (BuildStuff)
mlvandijk
0
34

Other Decks in Technology

See All in Technology
Mastraに入門してみた ~AWS CDKを添えて~
tsukuboshi
0
320
クォータ監視、AWS Organizations環境でも楽勝です✌️
iwamot
PRO
1
340
より良い開発者体験を実現するために~開発初心者が感じた生成AIの可能性~
masakiokuda
0
210
アジャイル脅威モデリング#1(脅威モデリングナイト#8)
masakane55
3
230
“パスワードレス認証への道" ユーザー認証の変遷とパスキーの関係
ritou
1
620
Microsoft の SSE の現在地
skmkzyk
0
160
2025-04-24 "Manga AI Understanding & Localization" Furukawa Arata (CyberAgent, Inc)
ornew
2
270
Running JavaScript within Ruby
hmsk
3
370
watsonx.data上のベクトル・データベース Milvusを見てみよう/20250418-milvus-dojo
mayumihirano
0
120
CodePipelineのアクション統合から学ぶAWS CDKの抽象化技術 / codepipeline-actions-cdk-abstraction
gotok365
5
300
Oracle Cloud Infrastructure:2025年4月度サービス・アップデート
oracle4engineer
PRO
0
130
Conquering PDFs: document understanding beyond plain text
inesmontani
PRO
0
290

Featured

See All Featured
Testing 201, or: Great Expectations
jmmastey
42
7.5k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.4k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
21k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Embracing the Ebb and Flow
colly
85
4.7k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Reflections from 52 weeks, 52 projects
jeffersonlam
349
20k
Scaling GitHub
holman
459
140k
Fireside Chat
paigeccino
37
3.4k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.8k
Designing for Performance
lara
608
69k

Transcript

  1. Keep your dependencies in check Rotterdam JUG - September 21st,

    2022 https://maritvandijk.com/ @MaritvanDijk77

  2. @MaritvanDijk77

  3. @MaritvanDijk77

  4. @MaritvanDijk77

  5. @MaritvanDijk77

  6. Dec. 2021 @MaritvanDijk77

  7. @MaritvanDijk77

  8. @MaritvanDijk77

  9. @MaritvanDijk77

  10. March 2022 @MaritvanDijk77

  11. @MaritvanDijk77

  12. @MaritvanDijk77

  13. @MaritvanDijk77

  14. @MaritvanDijk77

  15. @MaritvanDijk77 Do we need this dependency?

  16. @MaritvanDijk77 Selecting dependencies • Does it solve your problem?

  17. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? (without

    introducing new ones)

  18. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? •

    Is it well maintained?

  19. @MaritvanDijk77 https://xkcd.com/2347/

  20. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? •

    Is it well maintained? • Is it popular? What is the community like?

  21. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? •

    Is it well maintained? • Is it popular? What is the community like? • Is it easy use? Is it well documented?

  22. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? •

    Is it well maintained? • Is it popular? What is the community like? • Is it easy use? Is it well documented? • Is it stable & secure?

  23. Dependency information @MaritvanDijk77 https://mvnrepository.com/

  24. Dependency information @MaritvanDijk77 https://mvnrepository.com/ Link to https://cve.mitre.org/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518

  25. Dependency information @MaritvanDijk77 https://github.com/

  26. Dependency information @MaritvanDijk77 https://package-search.jetbrains.com/

  27. Dependency information @MaritvanDijk77 https://package-search.jetbrains.com/

  28. No dependencies @MaritvanDijk77 Maintain dependencies

  29. Maven • Overview of dependencies: `mvn dependency:tree` @MaritvanDijk77

  30. Maven • Check for updates: `mvn versions:display-dependency-updates` @MaritvanDijk77

  31. Gradle • Overview of dependencies: `./gradlew dependencies` @MaritvanDijk77

  32. Gradle • Add plugin, e.g. gradle-versions-plugin • Run `./gradlew dependencyUpdates`

    @MaritvanDijk77

  33. IntelliJ IDEA: Community Edition • Alt + Enter @MaritvanDijk77

  34. IntelliJ IDEA: Community Edition • Alt + Enter @MaritvanDijk77

  35. IntelliJ IDEA: Ultimate Edition @MaritvanDijk77

  36. IntelliJ IDEA • Dependencies tab @MaritvanDijk77

  37. Downsides - Check out each individual project - Apply &

    verify updates @MaritvanDijk77

  38. Software Composition Analysis (SCA) • Scan all repos • Dashboard

    with overview @MaritvanDijk77

  39. SCA: Pros & Cons + No need to check out

    repos individually - I have to check the dashboard @MaritvanDijk77

  40. @MaritvanDijk77 Bots • Dependabot • Renovate • Snyk Open Source

  41. Dependabot • GitHub native • Includes: • Dependabot alerts •

    Dependabot security updates • Dependabot version updates @MaritvanDijk77

  42. Dependabot enable @MaritvanDijk77

  43. Dependabot alerts @MaritvanDijk77

  44. Dependabot security updates @MaritvanDijk77

  45. Dependabot version updates • Add dependabot.yml (impacts security updates) •

    Package manager & directory manifest file • Frequency (daily, weekly, or monthly) • Schedule (date, time, timezone) • Max. number of PR's (default 5) • Some details to manage PR's @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

  46. Renovate • By Mend • Available via GitHub App @MaritvanDijk77

  47. Renovate enable @MaritvanDijk77 https://github.com/apps/renovate

  48. Renovate enable @MaritvanDijk77

  49. Renovate enable @MaritvanDijk77

  50. Renovate configuration • All repos or selected repos • Config

    file is created for you • Limit concurrent branches / PRs, hourly limit • More options • More fine-grained @MaritvanDijk77 https://docs.renovatebot.com/configuration-options/

  51. Renovate PR @MaritvanDijk77 https://docs.renovatebot.com/merge-confidence/

  52. Renovate Dashboard @MaritvanDijk77

  53. Snyk • Products: • Snyk Open Source • Snyk Code

    • Snyk Container • Snyk Infrastructure as Code • Snyk Cloud @MaritvanDijk77 https://snyk.io/

  54. Snyk enable @MaritvanDijk77 https://snyk.io/

  55. Snyk enable @MaritvanDijk77

  56. Snyk enable @MaritvanDijk77

  57. Snyk enable @MaritvanDijk77

  58. Snyk PR @MaritvanDijk77

  59. Snyk PR @MaritvanDijk77

  60. Snyk PR Check @MaritvanDijk77

  61. Snyk dashboard @MaritvanDijk77

  62. Snyk dashboard @MaritvanDijk77

  63. Snyk Open Source Configuration • Frequency (daily, weekly, never) •

    Enable/disable: New and/or known vulnerabilities • Enable/disable PRs for single project @MaritvanDijk77 https://docs.snyk.io/products/snyk-open-source/open-source-basics

  64. Bots: Pros & Cons + Relatively easy to install +

    Automatic PRs - Manage PRs (merge & deploy) - No code changes (if needed) @MaritvanDijk77

  65. OpenRewrite • Source code refactoring for framework migrations, vulnerability patches,

    and API migrations with an early focus on the Java language • Maven & Gradle • Existing recipes (e.g. Java 8 -> 11, JUnit 4 -> 5) • Can author recipes @MaritvanDijk77 https://docs.openrewrite.org/

  66. Conclusion • (Re)evaluate dependencies carefully • Automate checks & updates

    • Stay safe! @MaritvanDijk77

  67. Keep your dependencies in check Rotterdam JUG - September 21st,

    2022 https://maritvandijk.com/ @MaritvanDijk77