Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep your dependencies in check

Marit van Dijk
September 22, 2022
Technology
0
190

Keep your dependencies in check

If Log4Shell, Spring4Shell, etc. have taught us anything, it's that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Marit van Dijk

September 22, 2022
Tweet

More Decks by Marit van Dijk

See All by Marit van Dijk
Reading Code (BuildStuff)
mlvandijk
0
6
Will AI Assistant Make Developers Redundant (Devoxx)
mlvandijk
0
70
Reading code (Dev2Next)
mlvandijk
0
26
Putting the AI in JetBrAIns
mlvandijk
0
39
Reading Code (JUG Noord)
mlvandijk
0
24
Reading Code (JavaZone)
mlvandijk
0
13
Code Reading Workshop (SoCraTes)
mlvandijk
1
130
Code Reading workshop - Software Cornwall
mlvandijk
1
29
Reading Code (Picnic)
mlvandijk
1
37

Other Decks in Technology

See All in Technology
元旅行会社の情シス部員が教えるおすすめなre:Inventへの行き方 / What is the most efficient way to re:Invent
naospon
2
340
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
SSMRunbook作成の勘所_20241120
koichiotomo
2
130
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
5
610
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.1k
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.6k
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
370
Taming you application's environments
salaboy
0
180
Engineer Career Talk
lycorp_recruit_jp
0
140
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
470
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
12k

Featured

See All Featured
Statistics for Hackers
jakevdp
796
220k
GitHub's CSS Performance
jonrohan
1030
460k
Docker and Python
trallard
40
3.1k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
Agile that works and the tools we love
rasmusluckow
327
21k
Rails Girls Zürich Keynote
gr2m
94
13k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k

Transcript

  1. Keep your dependencies in check Rotterdam JUG - September 21st,

    2022 https://maritvandijk.com/ @MaritvanDijk77

  2. @MaritvanDijk77

  3. @MaritvanDijk77

  4. @MaritvanDijk77

  5. @MaritvanDijk77

  6. Dec. 2021 @MaritvanDijk77

  7. @MaritvanDijk77

  8. @MaritvanDijk77

  9. @MaritvanDijk77

  10. March 2022 @MaritvanDijk77

  11. @MaritvanDijk77

  12. @MaritvanDijk77

  13. @MaritvanDijk77

  14. @MaritvanDijk77

  15. @MaritvanDijk77 Do we need this dependency?

  16. @MaritvanDijk77 Selecting dependencies • Does it solve your problem?

  17. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? (without

    introducing new ones)

  18. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? •

    Is it well maintained?

  19. @MaritvanDijk77 https://xkcd.com/2347/

  20. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? •

    Is it well maintained? • Is it popular? What is the community like?

  21. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? •

    Is it well maintained? • Is it popular? What is the community like? • Is it easy use? Is it well documented?

  22. @MaritvanDijk77 Selecting dependencies • Does it solve your problem? •

    Is it well maintained? • Is it popular? What is the community like? • Is it easy use? Is it well documented? • Is it stable & secure?

  23. Dependency information @MaritvanDijk77 https://mvnrepository.com/

  24. Dependency information @MaritvanDijk77 https://mvnrepository.com/ Link to https://cve.mitre.org/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518

  25. Dependency information @MaritvanDijk77 https://github.com/

  26. Dependency information @MaritvanDijk77 https://package-search.jetbrains.com/

  27. Dependency information @MaritvanDijk77 https://package-search.jetbrains.com/

  28. No dependencies @MaritvanDijk77 Maintain dependencies

  29. Maven • Overview of dependencies: `mvn dependency:tree` @MaritvanDijk77

  30. Maven • Check for updates: `mvn versions:display-dependency-updates` @MaritvanDijk77

  31. Gradle • Overview of dependencies: `./gradlew dependencies` @MaritvanDijk77

  32. Gradle • Add plugin, e.g. gradle-versions-plugin • Run `./gradlew dependencyUpdates`

    @MaritvanDijk77

  33. IntelliJ IDEA: Community Edition • Alt + Enter @MaritvanDijk77

  34. IntelliJ IDEA: Community Edition • Alt + Enter @MaritvanDijk77

  35. IntelliJ IDEA: Ultimate Edition @MaritvanDijk77

  36. IntelliJ IDEA • Dependencies tab @MaritvanDijk77

  37. Downsides - Check out each individual project - Apply &

    verify updates @MaritvanDijk77

  38. Software Composition Analysis (SCA) • Scan all repos • Dashboard

    with overview @MaritvanDijk77

  39. SCA: Pros & Cons + No need to check out

    repos individually - I have to check the dashboard @MaritvanDijk77

  40. @MaritvanDijk77 Bots • Dependabot • Renovate • Snyk Open Source

  41. Dependabot • GitHub native • Includes: • Dependabot alerts •

    Dependabot security updates • Dependabot version updates @MaritvanDijk77

  42. Dependabot enable @MaritvanDijk77

  43. Dependabot alerts @MaritvanDijk77

  44. Dependabot security updates @MaritvanDijk77

  45. Dependabot version updates • Add dependabot.yml (impacts security updates) •

    Package manager & directory manifest file • Frequency (daily, weekly, or monthly) • Schedule (date, time, timezone) • Max. number of PR's (default 5) • Some details to manage PR's @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

  46. Renovate • By Mend • Available via GitHub App @MaritvanDijk77

  47. Renovate enable @MaritvanDijk77 https://github.com/apps/renovate

  48. Renovate enable @MaritvanDijk77

  49. Renovate enable @MaritvanDijk77

  50. Renovate configuration • All repos or selected repos • Config

    file is created for you • Limit concurrent branches / PRs, hourly limit • More options • More fine-grained @MaritvanDijk77 https://docs.renovatebot.com/configuration-options/

  51. Renovate PR @MaritvanDijk77 https://docs.renovatebot.com/merge-confidence/

  52. Renovate Dashboard @MaritvanDijk77

  53. Snyk • Products: • Snyk Open Source • Snyk Code

    • Snyk Container • Snyk Infrastructure as Code • Snyk Cloud @MaritvanDijk77 https://snyk.io/

  54. Snyk enable @MaritvanDijk77 https://snyk.io/

  55. Snyk enable @MaritvanDijk77

  56. Snyk enable @MaritvanDijk77

  57. Snyk enable @MaritvanDijk77

  58. Snyk PR @MaritvanDijk77

  59. Snyk PR @MaritvanDijk77

  60. Snyk PR Check @MaritvanDijk77

  61. Snyk dashboard @MaritvanDijk77

  62. Snyk dashboard @MaritvanDijk77

  63. Snyk Open Source Configuration • Frequency (daily, weekly, never) •

    Enable/disable: New and/or known vulnerabilities • Enable/disable PRs for single project @MaritvanDijk77 https://docs.snyk.io/products/snyk-open-source/open-source-basics

  64. Bots: Pros & Cons + Relatively easy to install +

    Automatic PRs - Manage PRs (merge & deploy) - No code changes (if needed) @MaritvanDijk77

  65. OpenRewrite • Source code refactoring for framework migrations, vulnerability patches,

    and API migrations with an early focus on the Java language • Maven & Gradle • Existing recipes (e.g. Java 8 -> 11, JUnit 4 -> 5) • Can author recipes @MaritvanDijk77 https://docs.openrewrite.org/

  66. Conclusion • (Re)evaluate dependencies carefully • Automate checks & updates

    • Stay safe! @MaritvanDijk77

  67. Keep your dependencies in check Rotterdam JUG - September 21st,

    2022 https://maritvandijk.com/ @MaritvanDijk77