Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep your dependencies in check

Marit van Dijk
September 22, 2022
Technology
0
67

Keep your dependencies in check

If Log4Shell, Spring4Shell, etc. have taught us anything, it's that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Marit van Dijk

September 22, 2022
Tweet

More Decks by Marit van Dijk

See All by Marit van Dijk
Keep your dependencies in check
mlvandijk
0
9
Code_Reading_Workshop_JUG-CH.pdf
mlvandijk
0
6
Keep_your_dependencies_in_check_BrabantJUG.pdf
mlvandijk
0
3
Use Testing to Develop Better Software Faster
mlvandijk
0
79
Keep your dependencies in check (FOSDEM)
mlvandijk
0
17
Keep your dependencies in check
mlvandijk
1
230
Keep your dependencies in check
mlvandijk
0
110
Keep your dependencies in check
mlvandijk
0
98
Use Testing to Develop Better Software Faster
mlvandijk
0
100

Other Decks in Technology

See All in Technology
エラーログをAlertで引っ掛けるときにEventTimer使ってみた話
sparty
0
140
MSPサービスを支えるIaCのこれまでとこれから
sbtechnight
PRO
0
350
赤裸々図解!新卒3年目でマネジメントもこなすフルスタックエンジニアになるまで
mizunohiroaki
0
250
SNS投稿を使ってクラウド障害を検知してみた
sbtechnight
PRO
0
370
6G/テラヘルツの取り組み
sbtechnight
PRO
0
410
“品質”をみんなのものにするために行なっている入社者オンボーディング/Onboarding new members to think about "quality" together
mii3king
0
120
TryToUseCloudFlareTunnel_20230317.pdf
kenichirokimura
0
140
Cloudflare_MeetUp_Sapporo_KickOff.pdf
taketakekaho
1
100
Product Minded Software Engineers: Understanding the Product with a code-first approach
cembasaranoglu
0
230
最先端の質問応答技術の研究開発と迅速な実用化ーStudio Ousiaでの取り組みー
ikuyamada
2
380
Power Automateの子フローについて
miyakemito
1
280
「新卒エンジニアが1年間で顔を売るために取った行動100連発」/YAPC::Kyoto 2023 前日祭 ネコトーストラボ杯争奪東西対抗LTマッチ
arthur1
0
420

Featured

See All Featured
What's in a price? How to price your products and services
michaelherold
233
9.8k
Statistics for Hackers
jakevdp
785
210k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
The Art of Programming - Codeland 2020
erikaheidi
36
11k
Automating Front-end Workflow
addyosmani
1351
200k
Six Lessons from altMBA
skipperchong
15
2.4k
VelocityConf: Rendering Performance Case Studies
addyosmani
317
22k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
19k
Principles of Awesome APIs and How to Build Them.
keavy
117
16k
Bash Introduction
62gerente
602
210k
Making Projects Easy
brettharned
102
4.9k
Fantastic passwords and where to find them - at NoRuKo
philnash
32
1.9k

Transcript

  1. Keep your dependencies in check
    Rotterdam JUG - September 21st, 2022
    https://maritvandijk.com/ @MaritvanDijk77

    View Slide

  2. @MaritvanDijk77

    View Slide

  3. @MaritvanDijk77

    View Slide

  4. @MaritvanDijk77

    View Slide

  5. @MaritvanDijk77

    View Slide

  6. Dec. 2021
    @MaritvanDijk77

    View Slide

  7. @MaritvanDijk77

    View Slide

  8. @MaritvanDijk77

    View Slide

  9. @MaritvanDijk77

    View Slide

  10. March 2022
    @MaritvanDijk77

    View Slide

  11. @MaritvanDijk77

    View Slide

  12. @MaritvanDijk77

    View Slide

  13. @MaritvanDijk77

    View Slide

  14. @MaritvanDijk77

    View Slide

  15. @MaritvanDijk77
    Do we
    need
    this
    dependency?

    View Slide

  16. @MaritvanDijk77
    Selecting dependencies
    • Does it solve your problem?

    View Slide

  17. @MaritvanDijk77
    Selecting dependencies
    • Does it solve your problem? (without introducing new ones)

    View Slide

  18. @MaritvanDijk77
    Selecting dependencies
    • Does it solve your problem?
    • Is it well maintained?

    View Slide

  19. @MaritvanDijk77
    https://xkcd.com/2347/

    View Slide

  20. @MaritvanDijk77
    Selecting dependencies
    • Does it solve your problem?
    • Is it well maintained?
    • Is it popular? What is the community like?

    View Slide

  21. @MaritvanDijk77
    Selecting dependencies
    • Does it solve your problem?
    • Is it well maintained?
    • Is it popular? What is the community like?
    • Is it easy use? Is it well documented?

    View Slide

  22. @MaritvanDijk77
    Selecting dependencies
    • Does it solve your problem?
    • Is it well maintained?
    • Is it popular? What is the community like?
    • Is it easy use? Is it well documented?
    • Is it stable & secure?

    View Slide

  23. Dependency information
    @MaritvanDijk77
    https://mvnrepository.com/

    View Slide

  24. Dependency information
    @MaritvanDijk77
    https://mvnrepository.com/
    Link to https://cve.mitre.org/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518

    View Slide

  25. Dependency information
    @MaritvanDijk77
    https://github.com/

    View Slide

  26. Dependency information
    @MaritvanDijk77
    https://package-search.jetbrains.com/

    View Slide

  27. Dependency information
    @MaritvanDijk77
    https://package-search.jetbrains.com/

    View Slide

  28. No dependencies
    @MaritvanDijk77
    Maintain dependencies

    View Slide

  29. Maven
    • Overview of dependencies: `mvn dependency:tree`
    @MaritvanDijk77

    View Slide

  30. Maven
    • Check for updates: `mvn versions:display-dependency-updates`
    @MaritvanDijk77

    View Slide

  31. Gradle
    • Overview of dependencies: `./gradlew dependencies`
    @MaritvanDijk77

    View Slide

  32. Gradle
    • Add plugin, e.g. gradle-versions-plugin
    • Run `./gradlew dependencyUpdates`
    @MaritvanDijk77

    View Slide

  33. IntelliJ IDEA: Community Edition
    • Alt + Enter
    @MaritvanDijk77

    View Slide

  34. IntelliJ IDEA: Community Edition
    • Alt + Enter
    @MaritvanDijk77

    View Slide

  35. IntelliJ IDEA: Ultimate Edition
    @MaritvanDijk77

    View Slide

  36. IntelliJ IDEA
    • Dependencies tab
    @MaritvanDijk77

    View Slide

  37. Downsides
    - Check out each individual project
    - Apply & verify updates
    @MaritvanDijk77

    View Slide

  38. Software Composition Analysis (SCA)
    • Scan all repos
    • Dashboard with overview
    @MaritvanDijk77

    View Slide

  39. SCA: Pros & Cons
    + No need to check out repos individually
    - I have to check the dashboard
    @MaritvanDijk77

    View Slide

  40. @MaritvanDijk77
    Bots
    • Dependabot
    • Renovate
    • Snyk Open Source

    View Slide

  41. Dependabot
    • GitHub native
    • Includes:
    • Dependabot alerts
    • Dependabot security updates
    • Dependabot version updates
    @MaritvanDijk77

    View Slide

  42. Dependabot enable
    @MaritvanDijk77

    View Slide

  43. Dependabot alerts
    @MaritvanDijk77

    View Slide

  44. Dependabot security updates
    @MaritvanDijk77

    View Slide

  45. Dependabot version updates
    • Add dependabot.yml (impacts security updates)
    • Package manager & directory manifest file
    • Frequency (daily, weekly, or monthly)
    • Schedule (date, time, timezone)
    • Max. number of PR's (default 5)
    • Some details to manage PR's
    @MaritvanDijk77
    https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

    View Slide

  46. Renovate
    • By Mend
    • Available via GitHub App
    @MaritvanDijk77

    View Slide

  47. Renovate enable
    @MaritvanDijk77
    https://github.com/apps/renovate

    View Slide

  48. Renovate enable
    @MaritvanDijk77

    View Slide

  49. Renovate enable
    @MaritvanDijk77

    View Slide

  50. Renovate configuration
    • All repos or selected repos
    • Config file is created for you
    • Limit concurrent branches / PRs, hourly limit
    • More options
    • More fine-grained
    @MaritvanDijk77
    https://docs.renovatebot.com/configuration-options/

    View Slide

  51. Renovate PR
    @MaritvanDijk77
    https://docs.renovatebot.com/merge-confidence/

    View Slide

  52. Renovate Dashboard
    @MaritvanDijk77

    View Slide

  53. Snyk
    • Products:
    • Snyk Open Source
    • Snyk Code
    • Snyk Container
    • Snyk Infrastructure as Code
    • Snyk Cloud
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  54. Snyk enable
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  55. Snyk enable
    @MaritvanDijk77

    View Slide

  56. Snyk enable
    @MaritvanDijk77

    View Slide

  57. Snyk enable
    @MaritvanDijk77

    View Slide

  58. Snyk PR
    @MaritvanDijk77

    View Slide

  59. Snyk PR
    @MaritvanDijk77

    View Slide

  60. Snyk PR Check
    @MaritvanDijk77

    View Slide

  61. Snyk dashboard
    @MaritvanDijk77

    View Slide

  62. Snyk dashboard
    @MaritvanDijk77

    View Slide

  63. Snyk Open Source Configuration
    • Frequency (daily, weekly, never)
    • Enable/disable: New and/or known vulnerabilities
    • Enable/disable PRs for single project
    @MaritvanDijk77
    https://docs.snyk.io/products/snyk-open-source/open-source-basics

    View Slide

  64. Bots: Pros & Cons
    + Relatively easy to install
    + Automatic PRs
    - Manage PRs (merge & deploy)
    - No code changes (if needed)
    @MaritvanDijk77

    View Slide

  65. OpenRewrite
    • Source code refactoring for framework migrations, vulnerability
    patches, and API migrations with an early focus on the Java language
    • Maven & Gradle
    • Existing recipes (e.g. Java 8 -> 11, JUnit 4 -> 5)
    • Can author recipes
    @MaritvanDijk77
    https://docs.openrewrite.org/

    View Slide

  66. Conclusion
    • (Re)evaluate dependencies carefully
    • Automate checks & updates
    • Stay safe!
    @MaritvanDijk77

    View Slide

  67. Keep your dependencies in check
    Rotterdam JUG - September 21st, 2022
    https://maritvandijk.com/ @MaritvanDijk77

    View Slide