Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep your dependencies in check

Marit van Dijk
May 10, 2023
Programming
0
39

Keep your dependencies in check

If Log4Shell, Spring4Shell, etc. have taught us anything, it’s that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Luckily, there are plenty of tools that can help us with this, from package managers to bots that can automatically create changes on our repositories. Let’s go over some of the different options, so we can make informed choices about what’s best for us in a particular situation.

Marit van Dijk

May 10, 2023
Tweet

More Decks by Marit van Dijk

See All by Marit van Dijk
Keep_your_dependencies_in_check_Volksbank.pdf
mlvandijk
0
5
Reading Code (DevNexus)
mlvandijk
0
49
Reading code - Voxxed Days Bucharest
mlvandijk
0
24
Reading Code (UtrechtJUG)
mlvandijk
0
18
Reading Code (JFokus)
mlvandijk
0
24
Keep your dependencies in check
mlvandijk
0
38
Reading code
mlvandijk
0
340
Keep your dependencies in check
mlvandijk
0
27
Reading Code
mlvandijk
0
150

Other Decks in Programming

See All in Programming
CircleCIを活用して AWSへの継続的デリバリーを 実践する
coconala_engineer
1
230
Ruby Function Composition
bkuhlmann
1
330
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
350
Javaエンジニアのための Nodejs/Nuxt3入門
hidekatsu_izuno
0
280
入門 AWS Amplify Gen2 / Introduction to AWS Amplify Gen2
genkiogasawara
1
310
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
210
せっかくモデル図描くのなら、 嬉しいことが多い方がいいよね!
kuboaki
1
3.1k
CQRS/ES avec Symfony, c’est (trop) bien !
jeremyfreeagent
1
630
Elm 0.19.0 Changes
bkuhlmann
0
480
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
340
Changed Rules: Architectures with Lightweight Stores
manfredsteyer
PRO
0
230
OpenTelemetry のサービスという概念について
azukiazusa1
2
1.1k

Featured

See All Featured
Agile that works and the tools we love
rasmusluckow
324
20k
The Cult of Friendly URLs
andyhume
74
5.7k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Building Applications with DynamoDB
mza
88
5.6k
Building Adaptive Systems
keathley
30
1.8k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
321
20k
The Language of Interfaces
destraynor
151
23k
VelocityConf: Rendering Performance Case Studies
addyosmani
320
23k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
19
1.9k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
186
16k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
Building an army of robots
kneath
300
41k

Transcript

  1. Keep your dependencies in check DevOxx UK - May 10-12,

    2023 https://maritvandijk.com/ @MaritvanDijk77

  2. @MaritvanDijk77

  3. @MaritvanDijk77

  4. @MaritvanDijk77

  5. @MaritvanDijk77

  6. Dec. 2021 @MaritvanDijk77

  7. @MaritvanDijk77

  8. @MaritvanDijk77

  9. @MaritvanDijk77

  10. March 2022 @MaritvanDijk77

  11. @MaritvanDijk77

  12. @MaritvanDijk77

  13. @MaritvanDijk77

  14. @MaritvanDijk77

  15. @MaritvanDijk77 Do we need this dependency?

  16. Selecting dependencies @MaritvanDijk77

  17. Selecting dependencies @MaritvanDijk77

  18. @MaritvanDijk77 https://xkcd.com/2347/

  19. Selecting dependencies @MaritvanDijk77

  20. Selecting dependencies @MaritvanDijk77

  21. Selecting dependencies @MaritvanDijk77

  22. Selecting dependencies @MaritvanDijk77

  23. @MaritvanDijk77 Find information

  24. Dependency information @MaritvanDijk77 https://search.maven.org/

  25. Dependency information @MaritvanDijk77 https://search.maven.org/

  26. Dependency information @MaritvanDijk77

  27. Dependency information @MaritvanDijk77

  28. Dependency information @MaritvanDijk77 https://package-search.jetbrains.com/

  29. Dependency information @MaritvanDijk77 https://package-search.jetbrains.com/

  30. Dependency information @MaritvanDijk77 https://package-search.jetbrains.com/

  31. Dependency information @MaritvanDijk77 https://github.com/

  32. Dependency information @MaritvanDijk77 https://github.com/

  33. Dependency information @MaritvanDijk77 https://github.com/

  34. No dependencies @MaritvanDijk77 Maintain dependencies

  35. Maven • Overview of dependencies: `mvn dependency:tree` @MaritvanDijk77

  36. Maven • Check for updates: `mvn versions:display-dependency-updates` @MaritvanDijk77

  37. Maven • Check for updates: `mvn versions:display-dependency-updates` @MaritvanDijk77

  38. Maven • Analyze dependencies: `mvn dependency:analyze` @MaritvanDijk77

  39. Gradle • Overview of dependencies: `./gradlew dependencies` @MaritvanDijk77

  40. Gradle • Add plugin, e.g. gradle-versions-plugin • Run `./gradlew dependencyUpdates`

    @MaritvanDijk77 https://github.com/ben-manes/gradle-versions-plugin

  41. Gradle • Analyze dependencies • Add plugin (e.g. nebula) @MaritvanDijk77

    https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

  42. IntelliJ IDEA: View Dependencies @MaritvanDijk77

  43. IntelliJ IDEA: View Dependencies @MaritvanDijk77

  44. IntelliJ IDEA: View Dependencies @MaritvanDijk77

  45. IntelliJ IDEA: View Dependencies @MaritvanDijk77 https://www.jetbrains.com/help/idea/maven-projects-tool-window.html

  46. IntelliJ IDEA: View Dependencies @MaritvanDijk77 https://www.jetbrains.com/help/idea/jetgradle-tool-window.html

  47. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

  48. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

  49. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  50. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  51. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  52. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  53. IntelliJ IDEA • Package Search: Add dependency @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  54. IntelliJ IDEA • Package Search: Add dependency @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  55. IntelliJ IDEA @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  56. IntelliJ IDEA: Update dependencies • Context Actions (⌥ ⏎ or

    Alt+Enter) @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  57. IntelliJ IDEA: Update dependencies • Hover @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  58. IntelliJ IDEA: Update dependencies @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  59. IntelliJ IDEA • Hover (or Context Actions (⌥ ⏎ or

    Alt+Enter) @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  60. IntelliJ IDEA • Package search: Dependencies tool window @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  61. IntelliJ IDEA • Package search: Dependencies tool window @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  62. IntelliJ IDEA: Dependency tool window @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  63. IntelliJ IDEA Ultimate @MaritvanDijk77 • Package Checker https://www.jetbrains.com/help/idea/package-analysis.html

  64. IntelliJ IDEA Ultimate: Package checker

  65. IntelliJ IDEA Ultimate: Package checker

  66. IntelliJ IDEA @MaritvanDijk77 https://www.youtube.com/@intellijidea

  67. Pros & Cons + Check dependencies while working on the

    project - Check out each individual project - Apply & verify updates @MaritvanDijk77

  68. Software Composition Analysis (SCA) • Scan all repos (and containers)

    • Overview @MaritvanDijk77

  69. SCA: Pros & Cons + No need to check out

    repos individually - I have to check the dashboard - Apply & verify updates @MaritvanDijk77

  70. @MaritvanDijk77 Bots • Dependabot • Renovate • Snyk Open Source

  71. Dependabot • GitHub native • Features: • Alerts • Security

    updates • Version updates @MaritvanDijk77

  72. Dependabot enable @MaritvanDijk77

  73. Dependabot alerts @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

  74. Dependabot alerts @MaritvanDijk77

  75. Dependabot security updates @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

  76. Dependabot version updates • Add dependabot.yml • Specify: • Package

    manager & location of manifest file • Schedule interval (daily, weekly, or monthly) • Optional: • Max. number of PR's (default 5) • Rebase strategy • Etc @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates

  77. Dependabot: Supported platforms • GitHub native • Can run on

    GitLab too @MaritvanDijk77

  78. Renovate • Available via GitHub App • Features: • Security

    updates • Version updates • Project dashboard @MaritvanDijk77

  79. Renovate enable @MaritvanDijk77 https://github.com/apps/renovate

  80. Renovate enable - 3 @MaritvanDijk77

  81. Renovate onboarding PR @MaritvanDijk77

  82. Renovate configuration • All repos or selected repos • Config

    file is created for you • Scheduling • Max. number of PR's / concurrent branches • Rule based auto merge • More options & more fine-grained @MaritvanDijk77 https://docs.renovatebot.com/configuration-options/

  83. Renovate PR @MaritvanDijk77 https://docs.renovatebot.com/merge-confidence/

  84. Renovate Dashboard: Project @MaritvanDijk77

  85. Renovate Dashboard: Jobs @MaritvanDijk77

  86. Renovate: Supported platforms • GitHub (.com and Enterprise Server) •

    GitLab (.com and CE/EE) • Bitbucket Cloud • Bitbucket Server • Azure DevOps • AWS CodeCommit • Gitea @MaritvanDijk77 https://docs.renovatebot.com/#supported-platforms

  87. Snyk Open Source • Available via Snyk • Features: •

    Security updates • Version updates • Test for new vulnerabilities (on PRs) • Test for vulnerabilities in source code • Dashboards @MaritvanDijk77 https://snyk.io/

  88. Snyk enable @MaritvanDijk77 https://snyk.io/

  89. Snyk enable - 2 @MaritvanDijk77

  90. Snyk enable - 3 @MaritvanDijk77

  91. Snyk enable - 4 @MaritvanDijk77

  92. Snyk PR @MaritvanDijk77

  93. Snyk PR @MaritvanDijk77

  94. Snyk PR Check @MaritvanDijk77

  95. Snyk dashboard @MaritvanDijk77

  96. Snyk Open Source Configuration • Frequency (daily, weekly, never) •

    Enable/disable: New and/or known vulnerabilities • Enable/disable PR's for single project @MaritvanDijk77 https://docs.snyk.io/products/snyk-open-source/open-source-basics

  97. Snyk Open Source: Supported Platforms • GitHub • GitHub Enterprise

    • GitHub Read-only projects • Bitbucket Cloud Personal Access Token (Legacy) • Bitbucket Cloud App • Bitbucket Data Center/Server • GitLab • Azure Repos @MaritvanDijk77 https://docs.snyk.io/integrations/git-repository-scm-integrations

  98. @MaritvanDijk77 Bots • Dependabot • Renovate • Snyk Open Source

  99. Bots: Pros & Cons + Relatively easy to install +

    Automatic PR's - Can create "noise" - Manage PRs (merge & deploy) - No code changes (if needed) @MaritvanDijk77

  100. Migration tools @MaritvanDijk77

  101. IntelliJ IDEA • Migrate Packages and Classes @MaritvanDijk77 https://www.jetbrains.com/help/idea/migrate.html

  102. IntelliJ IDEA • Create New Migration @MaritvanDijk77

  103. IntelliJ IDEA • Create New Migration @MaritvanDijk77

  104. IntelliJ IDEA @MaritvanDijk77 https://www.youtube.com/@intellijidea

  105. Error Prone • Static analysis tool for Java that catches

    common programming mistakes at compile-time. • Maven, Gradle, etc. • IntelliJ IDEA / Eclipse plugin, Command line • Bug patterns • Report or fix • Custom checks • Includes Refaster: refactor code using before-and-after templates @MaritvanDijk77 https://errorprone.info/

  106. Error Prone @MaritvanDijk77 https://www.youtube.com/watch?v=NPuLeoIzIR0

  107. OpenRewrite • Source code refactoring for framework migrations, vulnerability patches,

    and API migrations • Early focus on Java • Kotlin - early support, actively developed • Groovy - focus on Gradle dependency manipulation, works on most Groovy source code too • Python • JavaScript - in development, not released yet @MaritvanDijk77 https://docs.openrewrite.org/

  108. OpenRewrite • Existing recipes @MaritvanDijk77 https://docs.openrewrite.org/running-recipes/popular-recipe-guides

  109. OpenRewrite • Existing recipes @MaritvanDijk77 https://docs.openrewrite.org/reference/recipes

  110. OpenRewrite • Existing recipes • Can author recipes @MaritvanDijk77 https://docs.openrewrite.org/

  111. More on OpenRewrite @ DevOxxUK @MaritvanDijk77

  112. Conclusion •(Re)evaluate dependencies carefully •Automate checks & updates •Stay safe!

    @MaritvanDijk77

  113. Slides & More https://maritvandijk.com/presentations/keep-your-dependencies-in-check/ @MaritvanDijk77