Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep your dependencies in check

Marit van Dijk
September 22, 2022
Technology
0
150

Keep your dependencies in check

If Log4Shell, Spring4Shell, etc. have taught us anything, it's that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Marit van Dijk

September 22, 2022
Tweet

More Decks by Marit van Dijk

See All by Marit van Dijk
Keep_your_dependencies_in_check_Volksbank.pdf
mlvandijk
0
7
Reading Code (DevNexus)
mlvandijk
0
49
Reading code - Voxxed Days Bucharest
mlvandijk
0
24
Reading Code (UtrechtJUG)
mlvandijk
0
26
Reading Code (JFokus)
mlvandijk
0
24
Keep your dependencies in check
mlvandijk
0
41
Reading code
mlvandijk
0
360
Keep your dependencies in check
mlvandijk
0
27
Reading Code
mlvandijk
0
150

Other Decks in Technology

See All in Technology
JSON攻略法.pdf
miyakemito
8
5k
ChatGPT for IT Service Management (IT Pro)
dahatake
7
1.6k
一生覚えておきたい「システム開発=コミュニケーション」〜初めての実務案件振り返りLT〜
maimyyym
0
140
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
170
プロンプトエンジニアリングでがんばらない-Agentic Workflow へ-近藤憲児
kenjikondobai
2
530
Python と Snowflake はズッ友だょ!~ Snowflake の Python 関連機能をふりかえる ~
__allllllllez__
1
120
開発パフォーマンスを最大化するための開発体制
ham0215
2
410
Vertex AI を中心に 生成AIのアップデートを共有します
kaz1437
0
310
推しは推せるときに推せ! プロダクトにフィードバックしていこう
nakasho
0
310
Cracking the KubeCon CfP
inductor
2
250
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
650
開発生産性大幅アップ!Postman VS Code拡張機能
nagix
2
380

Featured

See All Featured
A Tale of Four Properties
chriscoyier
151
22k
Building Applications with DynamoDB
mza
88
5.6k
Faster Mobile Websites
deanohume
299
30k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
Navigating Team Friction
lara
178
13k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
Making Projects Easy
brettharned
108
5.5k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
40
4.4k
How to train your dragon (web standard)
notwaldorf
73
5.2k
Git: the NoSQL Database
bkeepers
PRO
422
63k
Optimising Largest Contentful Paint
csswizardry
8
2.4k

Transcript

  1. Keep your dependencies in check Rotterdam JUG - September 21st,

    2022 https://maritvandijk.com/ @MaritvanDijk77

  2. @MaritvanDijk77

  3. @MaritvanDijk77

  4. @MaritvanDijk77

  5. @MaritvanDijk77

  6. Dec. 2021 @MaritvanDijk77

  7. @MaritvanDijk77

  8. @MaritvanDijk77

  9. @MaritvanDijk77

  10. March 2022 @MaritvanDijk77

  11. @MaritvanDijk77

  12. @MaritvanDijk77

  13. @MaritvanDijk77

  14. @MaritvanDijk77

  15. @MaritvanDijk77 Do we need this dependency?

  16. @MaritvanDijk77 Selecting dependencies • Does it solve your problem?

  17. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? (without

    introducing new ones)

  18. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? •

    Is it well maintained?

  19. @MaritvanDijk77 https://xkcd.com/2347/

  20. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? •

    Is it well maintained? • Is it popular? What is the community like?

  21. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? •

    Is it well maintained? • Is it popular? What is the community like? • Is it easy use? Is it well documented?

  22. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? •

    Is it well maintained? • Is it popular? What is the community like? • Is it easy use? Is it well documented? • Is it stable & secure?

  23. Dependency information @MaritvanDijk77 https://mvnrepository.com/

  24. Dependency information @MaritvanDijk77 https://mvnrepository.com/ Link to https://cve.mitre.org/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518

  25. Dependency information @MaritvanDijk77 https://github.com/

  26. Dependency information @MaritvanDijk77 https://package-search.jetbrains.com/

  27. Dependency information @MaritvanDijk77 https://package-search.jetbrains.com/

  28. No dependencies @MaritvanDijk77 Maintain dependencies

  29. Maven • Overview of dependencies: `mvn dependency:tree` @MaritvanDijk77

  30. Maven • Check for updates: `mvn versions:display-dependency-updates` @MaritvanDijk77

  31. Gradle • Overview of dependencies: `./gradlew dependencies` @MaritvanDijk77

  32. Gradle • Add plugin, e.g. gradle-versions-plugin • Run `./gradlew dependencyUpdates`

    @MaritvanDijk77

  33. IntelliJ IDEA: Community Edition • Alt + Enter @MaritvanDijk77

  34. IntelliJ IDEA: Community Edition • Alt + Enter @MaritvanDijk77

  35. IntelliJ IDEA: Ultimate Edition @MaritvanDijk77

  36. IntelliJ IDEA • Dependencies tab @MaritvanDijk77

  37. Downsides - Check out each individual project - Apply &

    verify updates @MaritvanDijk77

  38. Software Composition Analysis (SCA) • Scan all repos • Dashboard

    with overview @MaritvanDijk77

  39. SCA: Pros & Cons + No need to check out

    repos individually - I have to check the dashboard @MaritvanDijk77

  40. @MaritvanDijk77 Bots • Dependabot • Renovate • Snyk Open Source

  41. Dependabot • GitHub native • Includes: • Dependabot alerts •

    Dependabot security updates • Dependabot version updates @MaritvanDijk77

  42. Dependabot enable @MaritvanDijk77

  43. Dependabot alerts @MaritvanDijk77

  44. Dependabot security updates @MaritvanDijk77

  45. Dependabot version updates • Add dependabot.yml (impacts security updates) •

    Package manager & directory manifest file • Frequency (daily, weekly, or monthly) • Schedule (date, time, timezone) • Max. number of PR's (default 5) • Some details to manage PR's @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

  46. Renovate • By Mend • Available via GitHub App @MaritvanDijk77

  47. Renovate enable @MaritvanDijk77 https://github.com/apps/renovate

  48. Renovate enable @MaritvanDijk77

  49. Renovate enable @MaritvanDijk77

  50. Renovate configuration • All repos or selected repos • Config

    file is created for you • Limit concurrent branches / PRs, hourly limit • More options • More fine-grained @MaritvanDijk77 https://docs.renovatebot.com/configuration-options/

  51. Renovate PR @MaritvanDijk77 https://docs.renovatebot.com/merge-confidence/

  52. Renovate Dashboard @MaritvanDijk77

  53. Snyk • Products: • Snyk Open Source • Snyk Code

    • Snyk Container • Snyk Infrastructure as Code • Snyk Cloud @MaritvanDijk77 https://snyk.io/

  54. Snyk enable @MaritvanDijk77 https://snyk.io/

  55. Snyk enable @MaritvanDijk77

  56. Snyk enable @MaritvanDijk77

  57. Snyk enable @MaritvanDijk77

  58. Snyk PR @MaritvanDijk77

  59. Snyk PR @MaritvanDijk77

  60. Snyk PR Check @MaritvanDijk77

  61. Snyk dashboard @MaritvanDijk77

  62. Snyk dashboard @MaritvanDijk77

  63. Snyk Open Source Configuration • Frequency (daily, weekly, never) •

    Enable/disable: New and/or known vulnerabilities • Enable/disable PRs for single project @MaritvanDijk77 https://docs.snyk.io/products/snyk-open-source/open-source-basics

  64. Bots: Pros & Cons + Relatively easy to install +

    Automatic PRs - Manage PRs (merge & deploy) - No code changes (if needed) @MaritvanDijk77

  65. OpenRewrite • Source code refactoring for framework migrations, vulnerability patches,

    and API migrations with an early focus on the Java language • Maven & Gradle • Existing recipes (e.g. Java 8 -> 11, JUnit 4 -> 5) • Can author recipes @MaritvanDijk77 https://docs.openrewrite.org/

  66. Conclusion • (Re)evaluate dependencies carefully • Automate checks & updates

    • Stay safe! @MaritvanDijk77

  67. Keep your dependencies in check Rotterdam JUG - September 21st,

    2022 https://maritvandijk.com/ @MaritvanDijk77