Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep your dependencies in check

Marit van Dijk
October 25, 2023
Programming
0
57

Keep your dependencies in check

If Log4Shell, Spring4Shell, etc. have taught us anything, it’s that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Luckily, there are plenty of tools that can help us with this, from package managers to bots that can automatically create changes on our repositories. Let’s go over some of the different options, so we can make informed choices about what’s best for us in a particular situation.

Marit van Dijk

October 25, 2023
Tweet

More Decks by Marit van Dijk

See All by Marit van Dijk
Keep_your_dependencies_in_check_Volksbank.pdf
mlvandijk
0
8
Reading Code (DevNexus)
mlvandijk
0
49
Reading code - Voxxed Days Bucharest
mlvandijk
0
26
Reading Code (UtrechtJUG)
mlvandijk
0
26
Reading Code (JFokus)
mlvandijk
0
24
Keep your dependencies in check
mlvandijk
0
41
Reading code
mlvandijk
0
360
Keep your dependencies in check
mlvandijk
0
27
Reading Code
mlvandijk
0
150

Other Decks in Programming

See All in Programming
R言語の環境構築と基礎 Tokyo.R 112
bob3bob3
0
270
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
390
使ってみよう Azure AI Document Intelligence
kosmosebi
2
330
Site Reliability Engineering for GMO
pyama86
8
1k
二郎系ラーメンのコールで学ぶ AST 解析
memory1994
PRO
7
1.7k
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
170
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
230
初心者のためのRubyKaigi入門/RubyKaigi Introduction
a_matsuda
7
990
Ruby GitHub Packages
bkuhlmann
0
630
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
370
Code Reviews
bkuhlmann
4
890
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
540

Featured

See All Featured
The Mythical Team-Month
searls
216
42k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
In The Pink: A Labor of Love
frogandcode
138
21k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
116
18k
GitHub's CSS Performance
jonrohan
1025
450k
The Cost Of JavaScript in 2023
addyosmani
16
3.9k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Designing for humans not robots
tammielis
248
25k
For a Future-Friendly Web
brad_frost
172
9k
Adopting Sorbet at Scale
ufuk
68
8.6k
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
Typedesign – Prime Four
hannesfritz
36
2.1k

Transcript

  1. Keep your dependencies in check AccentoDev - Oct 24, 2023

    https://maritvandijk.com/ @MaritvanDijk77

  2. @MaritvanDijk77

  3. @MaritvanDijk77

  4. @MaritvanDijk77

  5. @MaritvanDijk77

  6. Dec. 2021 @MaritvanDijk77

  7. @MaritvanDijk77

  8. @MaritvanDijk77

  9. @MaritvanDijk77

  10. March 2022 @MaritvanDijk77

  11. @MaritvanDijk77

  12. @MaritvanDijk77 Do we need this dependency? https://maritvandijk.com/selecting-dependencies/

  13. No dependencies @MaritvanDijk77 Maintain dependencies

  14. Maven • Overview of dependencies: `mvn dependency:tree` @MaritvanDijk77

  15. Maven • Check for updates: `mvn versions:display-dependency-updates` @MaritvanDijk77

  16. Maven • Check for updates: `mvn versions:display-dependency-updates` @MaritvanDijk77

  17. Maven • Analyze dependencies: `mvn dependency:analyze` @MaritvanDijk77

  18. Gradle • Overview of dependencies: `./gradlew dependencies` @MaritvanDijk77

  19. Gradle • Check for updates: • Add plugin, e.g. gradle-versions-plugin

    • Run `./gradlew dependencyUpdates` @MaritvanDijk77 https://github.com/ben-manes/gradle-versions-plugin

  20. Gradle • Analyze dependencies • Add plugin (e.g. nebula) @MaritvanDijk77

    https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

  21. Gradle • Analyze dependencies • Add plugin (e.g. nebula) •

    Run `./gradlew fixGradleLint` @MaritvanDijk77 https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

  22. IntelliJ IDEA: View Dependencies @MaritvanDijk77

  23. IntelliJ IDEA: View Dependencies @MaritvanDijk77

  24. IntelliJ IDEA: View Dependencies @MaritvanDijk77

  25. IntelliJ IDEA: View Dependencies @MaritvanDijk77 https://www.jetbrains.com/help/idea/maven-projects-tool-window.html

  26. IntelliJ IDEA: View Dependencies @MaritvanDijk77 https://www.jetbrains.com/help/idea/jetgradle-tool-window.html

  27. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

  28. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

  29. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  30. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  31. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  32. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  33. IntelliJ IDEA • Package Search: Add dependency @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  34. IntelliJ IDEA • Package Search: Add dependency @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  35. IntelliJ IDEA: Update dependencies • Context Actions (⌥ ⏎ or

    Alt+Enter) @MaritvanDijk77

  36. IntelliJ IDEA: Update dependencies • Hover @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-analysis.html

  37. IntelliJ IDEA • Dependencies tool window @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  38. IntelliJ IDEA • Dependencies tool window (search) @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  39. IntelliJ IDEA https://www.jetbrains.com/help/idea/package-analysis.html @MaritvanDijk77

  40. Pros & Cons + Check dependencies while working on the

    project - Check out each individual project - Apply & verify updates @MaritvanDijk77

  41. Software Composition Analysis (SCA) • Scan all repos (and containers)

    • Overview @MaritvanDijk77

  42. SCA: Pros & Cons + No need to check out

    repos individually - I have to check the dashboard - Apply & verify updates @MaritvanDijk77

  43. @MaritvanDijk77 Bots • Dependabot • Renovate • Snyk Open Source

  44. Dependabot • GitHub native • Features: • Alerts • Security

    updates • Version updates @MaritvanDijk77

  45. Dependabot enable @MaritvanDijk77

  46. Dependabot alerts @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

  47. Dependabot alerts @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

  48. Dependabot security updates @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

  49. Dependabot version updates • Add dependabot.yml • Specify: • Package

    manager & location of manifest file • Schedule interval (daily, weekly, or monthly) • Optional: • Max. number of PR's (default 5) • Rebase strategy • Etc @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates

  50. Dependabot: Supported platforms • GitHub native • Can run on

    GitLab too @MaritvanDijk77

  51. Renovate • Available via GitHub App • Features: • Security

    updates • Version updates • Project dashboard @MaritvanDijk77

  52. Renovate enable @MaritvanDijk77 https://github.com/apps/renovate

  53. Renovate enable - 3 @MaritvanDijk77

  54. Renovate onboarding PR @MaritvanDijk77

  55. Renovate configuration • All repos or selected repos • Config

    file is created for you • Scheduling • Max. number of PR's / concurrent branches • Rule based auto merge • More options & more fine-grained @MaritvanDijk77 https://docs.renovatebot.com/configuration-options/

  56. Renovate PR @MaritvanDijk77 https://docs.renovatebot.com/merge-confidence/

  57. Renovate Dashboard: Project @MaritvanDijk77

  58. Renovate: Supported platforms • GitHub (.com and Enterprise Server) •

    GitLab (.com and CE/EE) • Bitbucket Cloud • Bitbucket Server • Azure DevOps • AWS CodeCommit • Gitea and Forgejo @MaritvanDijk77 https://docs.renovatebot.com/#supported-platforms

  59. Snyk Open Source • Available via Snyk • Features: •

    Security updates • Version updates • Dashboards • Test for new vulnerabilities (on PRs) • Test for vulnerabilities in source code @MaritvanDijk77 https://snyk.io/

  60. Snyk enable @MaritvanDijk77 https://snyk.io/

  61. Snyk enable @MaritvanDijk77 https://snyk.io/

  62. Snyk enable @MaritvanDijk77 https://snyk.io/

  63. Snyk enable @MaritvanDijk77 https://snyk.io/

  64. Snyk enable @MaritvanDijk77 https://snyk.io/

  65. Snyk PR @MaritvanDijk77

  66. Snyk PR @MaritvanDijk77

  67. Snyk PR Check @MaritvanDijk77

  68. Snyk dashboard @MaritvanDijk77

  69. Snyk Open Source Configuration • Frequency (daily, weekly, never) •

    Enable/disable: New and/or known vulnerabilities • Enable/disable PR's for single project @MaritvanDijk77 https://docs.snyk.io/products/snyk-open-source/open-source-basics

  70. Snyk Open Source: Supported Platforms • GitHub • GitHub Enterprise

    • GitHub Read-only projects • Bitbucket Cloud Personal Access Token (Legacy) • Bitbucket Cloud App • Bitbucket Data Center/Server • GitLab • Azure (TFS) Repos @MaritvanDijk77 https://docs.snyk.io/integrations/git-repository-scm-integrations

  71. @MaritvanDijk77 Bots • Dependabot • Renovate • Snyk Open Source

  72. Bots: Pros & Cons + Relatively easy to install +

    Automatic PR's - Can create "noise" - Manage PRs (merge & deploy) - Do NOT update your code (if needed) @MaritvanDijk77

  73. Migration tools @MaritvanDijk77

  74. IntelliJ IDEA • Refactor > Migrate Packages and Classes @MaritvanDijk77

    https://www.jetbrains.com/help/idea/migrate.html

  75. IntelliJ IDEA • Refactor > Migrate Packages and Classes >

    • Java EE to Jakarta EE • JUnit (4.x -> 5.0) • JavaFX (8 -> 9) @MaritvanDijk77 https://www.jetbrains.com/help/idea/migrate.html

  76. IntelliJ IDEA • Create New Migration @MaritvanDijk77

  77. IntelliJ IDEA • Create New Migration @MaritvanDijk77

  78. Error Prone • Static analysis tool for Java to catch

    common programming mistakes at compile-time. • Maven, Gradle, etc. • IntelliJ IDEA / Eclipse plugin, Command line • Bug patterns • Report or fix • Custom checks • Includes Refaster: refactor code using before-and-after templates @MaritvanDijk77 https://errorprone.info/

  79. Error Prone @MaritvanDijk77 https://www.youtube.com/watch?v=NPuLeoIzIR0

  80. Error Prone Support @MaritvanDijk77 https://error-prone.picnic.tech/

  81. OpenRewrite • Source code refactoring for framework/API migrations, vulnerability patches,

    and static code analysis fixes • Java, Kotlin & Groovy support • Maven/Gradle • Run without a build tool • Early support for Python, Typescript, ... @MaritvanDijk77 https://docs.openrewrite.org/

  82. OpenRewrite • Existing recipes • Upgrade versions • Migrate libraries

    • Fix static analysis issues @MaritvanDijk77 https://docs.openrewrite.org/running-recipes/popular-recipe-guides

  83. OpenRewrite • Existing recipes • Find by topic @MaritvanDijk77 https://docs.openrewrite.org/reference/recipes

  84. OpenRewrite • Existing recipes • Can author your own recipes

    @MaritvanDijk77 https://docs.openrewrite.org/

  85. OpenRewrite @MaritvanDijk77 https://www.youtube.com/watch?v=jOFfCAleUI8

  86. Conclusion •(Re)evaluate dependencies carefully •Automate checks & updates •Stay safe!

    @MaritvanDijk77

  87. Slides & More https://maritvandijk.com/presentations/keep-your-dependencies-in-check/ @MaritvanDijk77