$30 off During Our Annual Pro Sale. View Details »

Keep your dependencies in check

Marit van Dijk
October 26, 2023
Programming
0
9

Keep your dependencies in check

If Log4Shell, Spring4Shell, etc. have taught us anything, it’s that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Luckily, there are plenty of tools that can help us with this, from package managers to bots that can automatically create changes on our repositories. Let’s go over some of the different options, so we can make informed choices about what’s best for us in a particular situation.

Marit van Dijk

October 26, 2023
Tweet

More Decks by Marit van Dijk

See All by Marit van Dijk
Reading code
mlvandijk
0
21
Keep your dependencies in check
mlvandijk
0
14
Reading Code
mlvandijk
0
110
Keep your dependencies in check
mlvandijk
0
23
Reading Code
mlvandijk
0
130
Reading code
mlvandijk
0
49
Keep your dependencies in check
mlvandijk
0
24
Reading code
mlvandijk
0
97
Keep your dependencies in check
mlvandijk
0
110

Other Decks in Programming

See All in Programming
Expo Router は Expo 導入の決め手となるか フロントエンドカンファレンス沖縄2023 @Kaito-Dogi
doggy
3
1.7k
BigQuery のデータ品質やデータ活用を高める Dataplex 等の活用
mot_techtalk
5
960
if 式と switch 式による SwiftUI のプレビューエラー対策
ojun9
1
200
ブランチ運用とデプロイフローを見直してリリースを楽にする
syukai
3
410
Kyo - Functional Scala 2023
fwbrasil
0
1.8k
長年運用されている Web サービスと 通信をするクライアントを Go で作ってみた話
commojun
0
380
Next.js App Router での MPA フロントエンド刷新
mugi_uno
28
9.3k
Second-System Syndrome: A tale of power-assert
twada
PRO
9
3.5k
エンジニア秘書が通訳する異文化コミュニケーションのあれこれ / engineer-communication
assu_ming
0
130
個人開発がおすすめな理由
texmeijin
2
620
OpenTelemetry の Trace を中心としたパフォーマンス改善
rmatsuoka
0
450
リーンスタートアップのリーンな品質の話
techouse
0
510

Featured

See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
780
250k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
17
1.4k
What's new in Ruby 2.0
geeforr
335
30k
Building Better People: How to give real-time feedback that sticks.
wjessup
349
18k
Statistics for Hackers
jakevdp
788
220k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
240
20k
Code Reviewing Like a Champion
maltzj
511
38k
Why Our Code Smells
bkeepers
PRO
329
56k
GraphQLとの向き合い方2022年版
quramy
26
12k
From Idea to $5000 a Month in 5 Months
shpigford
376
45k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k

Transcript

  1. Keep your dependencies in check
    All Day DevOps - Oct 26, 2023
    https://maritvandijk.com/ @MaritvanDijk77

    View Slide

  2. @MaritvanDijk77

    View Slide

  3. @MaritvanDijk77

    View Slide

  4. @MaritvanDijk77

    View Slide

  5. @MaritvanDijk77

    View Slide

  6. Dec. 2021
    @MaritvanDijk77

    View Slide

  7. @MaritvanDijk77

    View Slide

  8. @MaritvanDijk77

    View Slide

  9. @MaritvanDijk77

    View Slide

  10. March 2022
    @MaritvanDijk77

    View Slide

  11. @MaritvanDijk77

    View Slide

  12. @MaritvanDijk77
    Do we
    need
    this
    dependency?
    https://maritvandijk.com/selecting-dependencies/

    View Slide

  13. @MaritvanDijk77
    https://www.sonatype.com/resources/log4j-vulnerability-resource-center

    View Slide

  14. No dependencies
    @MaritvanDijk77
    Maintain dependencies

    View Slide

  15. Maven
    • Overview of dependencies: `mvn dependency:tree`
    @MaritvanDijk77

    View Slide

  16. Maven
    • Check for updates: `mvn versions:display-dependency-updates`
    @MaritvanDijk77

    View Slide

  17. Maven
    • Check for updates: `mvn versions:display-dependency-updates`
    @MaritvanDijk77

    View Slide

  18. Maven
    • Analyze dependencies: `mvn dependency:analyze`
    @MaritvanDijk77

    View Slide

  19. Gradle
    • Overview of dependencies: `./gradlew dependencies`
    @MaritvanDijk77

    View Slide

  20. Gradle
    • Check for updates:
    • Add plugin, e.g. gradle-versions-plugin
    • Run `./gradlew dependencyUpdates`
    @MaritvanDijk77
    https://github.com/ben-manes/gradle-versions-plugin

    View Slide

  21. Gradle
    • Analyze dependencies
    • Add plugin (e.g. nebula)
    @MaritvanDijk77
    https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

    View Slide

  22. Gradle
    • Analyze dependencies
    • Add plugin (e.g. nebula)
    • Run `./gradlew fixGradleLint`
    @MaritvanDijk77
    https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

    View Slide

  23. IntelliJ IDEA: View Dependencies
    @MaritvanDijk77

    View Slide

  24. IntelliJ IDEA: View Dependencies
    @MaritvanDijk77

    View Slide

  25. IntelliJ IDEA: View Dependencies
    @MaritvanDijk77

    View Slide

  26. IntelliJ IDEA: View Dependencies
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/maven-projects-tool-window.html

    View Slide

  27. IntelliJ IDEA: View Dependencies
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/jetgradle-tool-window.html

    View Slide

  28. IntelliJ IDEA: Dependency Analyzer
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

    View Slide

  29. IntelliJ IDEA: Dependency Analyzer
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

    View Slide

  30. IntelliJ IDEA: Dependency Analyzer
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

    View Slide

  31. IntelliJ IDEA: Dependency Analyzer
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

    View Slide

  32. IntelliJ IDEA: Dependency Analyzer
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

    View Slide

  33. IntelliJ IDEA: Dependency Analyzer
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

    View Slide

  34. IntelliJ IDEA
    • Package Search: Add dependency
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/package-search.html

    View Slide

  35. IntelliJ IDEA
    • Package Search: Add dependency
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/package-search.html

    View Slide

  36. IntelliJ IDEA: Update dependencies
    • Context Actions (⌥ ⏎ or Alt+Enter)
    @MaritvanDijk77

    View Slide

  37. IntelliJ IDEA: Update dependencies
    • Hover
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/package-analysis.html

    View Slide

  38. IntelliJ IDEA
    • Dependencies tool window
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/package-search.html

    View Slide

  39. IntelliJ IDEA
    • Dependencies tool window (search)
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/package-search.html

    View Slide

  40. IntelliJ IDEA
    https://www.jetbrains.com/help/idea/package-analysis.html @MaritvanDijk77

    View Slide

  41. Pros & Cons
    + Check dependencies while working on the project
    - Check out each individual project
    - Apply & verify updates
    @MaritvanDijk77

    View Slide

  42. Software Composition Analysis (SCA)
    • Scan all repos (and containers)
    • Overview
    @MaritvanDijk77

    View Slide

  43. SCA: Pros & Cons
    + No need to check out repos individually
    - I have to check the dashboard
    - Apply & verify updates
    @MaritvanDijk77

    View Slide

  44. @MaritvanDijk77
    Bots
    • Dependabot
    • Renovate
    • Snyk Open Source

    View Slide

  45. Dependabot
    • GitHub native
    • Features:
    • Alerts
    • Security updates
    • Version updates
    @MaritvanDijk77

    View Slide

  46. Dependabot enable
    @MaritvanDijk77

    View Slide

  47. Dependabot alerts
    @MaritvanDijk77
    https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

    View Slide

  48. Dependabot alerts
    @MaritvanDijk77
    https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

    View Slide

  49. Dependabot security updates
    @MaritvanDijk77
    https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

    View Slide

  50. Dependabot version updates
    • Add dependabot.yml
    • Specify:
    • Package manager & location of manifest file
    • Schedule interval (daily, weekly, or monthly)
    • Optional:
    • Max. number of PR's (default 5)
    • Rebase strategy
    • Etc
    @MaritvanDijk77
    https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates

    View Slide

  51. Dependabot: Supported platforms
    • GitHub native
    • Can run on GitLab too
    @MaritvanDijk77

    View Slide

  52. Renovate
    • Available via GitHub App
    • Features:
    • Security updates
    • Version updates
    • Project dashboard
    @MaritvanDijk77

    View Slide

  53. Renovate enable
    @MaritvanDijk77
    https://github.com/apps/renovate

    View Slide

  54. Renovate enable - 3
    @MaritvanDijk77

    View Slide

  55. Renovate onboarding PR
    @MaritvanDijk77

    View Slide

  56. Renovate configuration
    • All repos or selected repos
    • Config file is created for you
    • Scheduling
    • Max. number of PR's / concurrent branches
    • Rule based auto merge
    • More options & more fine-grained
    @MaritvanDijk77
    https://docs.renovatebot.com/configuration-options/

    View Slide

  57. Renovate PR
    @MaritvanDijk77
    https://docs.renovatebot.com/merge-confidence/

    View Slide

  58. Renovate Dashboard: Project
    @MaritvanDijk77

    View Slide

  59. Renovate: Supported platforms
    • GitHub (.com and Enterprise Server)
    • GitLab (.com and CE/EE)
    • Bitbucket Cloud
    • Bitbucket Server
    • Azure DevOps
    • AWS CodeCommit
    • Gitea and Forgejo
    @MaritvanDijk77
    https://docs.renovatebot.com/#supported-platforms

    View Slide

  60. Snyk Open Source
    • Available via Snyk
    • Features:
    • Security updates
    • Version updates
    • Dashboards
    • Test for new vulnerabilities (on PRs)
    • Test for vulnerabilities in source code
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  61. Snyk enable
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  62. Snyk enable
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  63. Snyk enable
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  64. Snyk enable
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  65. Snyk enable
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  66. Snyk PR
    @MaritvanDijk77

    View Slide

  67. Snyk PR
    @MaritvanDijk77

    View Slide

  68. Snyk PR Check
    @MaritvanDijk77

    View Slide

  69. Snyk dashboard
    @MaritvanDijk77

    View Slide

  70. Snyk Open Source Configuration
    • Frequency (daily, weekly, never)
    • Enable/disable: New and/or known vulnerabilities
    • Enable/disable PR's for single project
    @MaritvanDijk77
    https://docs.snyk.io/products/snyk-open-source/open-source-basics

    View Slide

  71. Snyk Open Source: Supported Platforms
    • GitHub
    • GitHub Enterprise
    • GitHub Read-only projects
    • Bitbucket Cloud Personal Access Token (Legacy)
    • Bitbucket Cloud App
    • Bitbucket Data Center/Server
    • GitLab
    • Azure (TFS) Repos
    @MaritvanDijk77
    https://docs.snyk.io/integrations/git-repository-scm-integrations

    View Slide

  72. @MaritvanDijk77
    Bots
    • Dependabot
    • Renovate
    • Snyk Open Source

    View Slide

  73. Bots: Pros & Cons
    + Relatively easy to install
    + Automatic PR's
    - Can create "noise"
    - Manage PRs (merge & deploy)
    - Do NOT update your code (if needed)
    @MaritvanDijk77

    View Slide

  74. Migration tools
    @MaritvanDijk77

    View Slide

  75. IntelliJ IDEA
    • Refactor > Migrate Packages and Classes
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/migrate.html

    View Slide

  76. IntelliJ IDEA
    • Refactor > Migrate Packages and Classes >
    • Java EE to Jakarta EE
    • JUnit (4.x -> 5.0)
    • JavaFX (8 -> 9)
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/migrate.html

    View Slide

  77. IntelliJ IDEA
    • Create New Migration
    @MaritvanDijk77

    View Slide

  78. IntelliJ IDEA
    • Create New Migration
    @MaritvanDijk77

    View Slide

  79. Error Prone
    • Static analysis tool for Java to catch common programming mistakes
    at compile-time.
    • Maven, Gradle, etc.
    • IntelliJ IDEA / Eclipse plugin, Command line
    • Bug patterns
    • Report or fix
    • Custom checks
    • Includes Refaster: refactor code using before-and-after templates
    @MaritvanDijk77
    https://errorprone.info/

    View Slide

  80. Error Prone
    @MaritvanDijk77
    https://www.youtube.com/watch?v=NPuLeoIzIR0

    View Slide

  81. Error Prone Support
    @MaritvanDijk77
    https://error-prone.picnic.tech/

    View Slide

  82. OpenRewrite
    • Source code refactoring for framework/API migrations, vulnerability
    patches, and static code analysis fixes
    • Java, Kotlin & Groovy support
    • Maven/Gradle
    • Run without a build tool
    • Early support for Python, Typescript, ...
    @MaritvanDijk77
    https://docs.openrewrite.org/

    View Slide

  83. OpenRewrite
    • Existing recipes
    • Upgrade versions
    • Migrate libraries
    • Fix static analysis issues
    @MaritvanDijk77
    https://docs.openrewrite.org/running-recipes/popular-recipe-guides

    View Slide

  84. OpenRewrite
    • Existing recipes
    • Find by topic
    @MaritvanDijk77
    https://docs.openrewrite.org/reference/recipes

    View Slide

  85. OpenRewrite
    • Existing recipes
    • Can author your own recipes
    @MaritvanDijk77
    https://docs.openrewrite.org/

    View Slide

  86. OpenRewrite
    @MaritvanDijk77
    https://www.youtube.com/watch?v=jOFfCAleUI8

    View Slide

  87. Conclusion
    •(Re)evaluate dependencies carefully
    •Automate checks & updates
    •Stay safe!
    @MaritvanDijk77

    View Slide

  88. Slides & More
    https://maritvandijk.com/presentations/keep-your-dependencies-in-check/
    @MaritvanDijk77

    View Slide