Keep your dependencies in check

Keep your dependencies in check
JCON - June 20th, 2023
https://maritvandijk.com/ @MaritvanDijk77

View Slide

@MaritvanDijk77

View Slide

Dec. 2021
@MaritvanDijk77

View Slide

@MaritvanDijk77

View Slide

March 2022
@MaritvanDijk77

View Slide

@MaritvanDijk77

View Slide

@MaritvanDijk77
Do we

need

this
dependency?

View Slide

Selecting dependencies
@MaritvanDijk77

View Slide

@MaritvanDijk77
https://xkcd.com/2347/

View Slide

@MaritvanDijk77

View Slide

Selecting dependencies @MaritvanDijk77

View Slide

@MaritvanDijk77

View Slide

@MaritvanDijk77
https://www.sonatype.com/resources/log4j-vulnerability-resource-center

View Slide

@MaritvanDijk77
Find information

View Slide

Dependency information
@MaritvanDijk77
https://search.maven.org/

View Slide

@MaritvanDijk77

View Slide

@MaritvanDijk77
https://package-search.jetbrains.com/

View Slide

@MaritvanDijk77
https://github.com/

View Slide

@MaritvanDijk77
https://maritvandijk.com/presentations/collaborating-on-open-source-software/

View Slide

No dependencies
@MaritvanDijk77
Maintain dependencies

View Slide

Maven
• Overview of dependencies: `mvn dependency:tree`
@MaritvanDijk77

View Slide

Maven
• Check for updates: `mvn versions:display-dependency-updates`
@MaritvanDijk77

View Slide

Maven
• Analyze dependencies: `mvn dependency:analyze`
@MaritvanDijk77

View Slide

Gradle
• Overview of dependencies: `./gradlew dependencies`
@MaritvanDijk77

View Slide

Gradle
• Check for updates:

• Add plugin, e.g. gradle-versions-plugin

• Run `./gradlew dependencyUpdates`
@MaritvanDijk77
https://github.com/ben-manes/gradle-versions-plugin

View Slide

Gradle
• Analyze dependencies

• Add plugin (e.g. nebula)
@MaritvanDijk77
https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

View Slide

Gradle
• Analyze dependencies

• Add plugin (e.g. nebula)

• Run `./gradlew fixGradleLint`
@MaritvanDijk77
https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule

View Slide

IntelliJ IDEA: View Dependencies
@MaritvanDijk77

View Slide

@MaritvanDijk77
https://www.jetbrains.com/help/idea/maven-projects-tool-window.html

View Slide

@MaritvanDijk77
https://www.jetbrains.com/help/idea/jetgradle-tool-window.html

View Slide

IntelliJ IDEA: Dependency Analyzer
@MaritvanDijk77
https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

View Slide

IntelliJ IDEA: Dependency Analyzer
@MaritvanDijk77
https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

View Slide

IntelliJ IDEA
• Package Search: Add dependency
@MaritvanDijk77
https://www.jetbrains.com/help/idea/package-search.html

View Slide

IntelliJ IDEA
@MaritvanDijk77

View Slide

IntelliJ IDEA: Update dependencies
• Context Actions (⌥ ⏎ or Alt+Enter)
@MaritvanDijk77

View Slide

• Hover
@MaritvanDijk77
https://www.jetbrains.com/help/idea/package-analysis.html

View Slide

@MaritvanDijk77

View Slide

IntelliJ IDEA
• Dependencies tool window
@MaritvanDijk77

View Slide

IntelliJ IDEA: Dependency tool window
@MaritvanDijk77

View Slide

IntelliJ IDEA
• Dependencies tool window (search)
@MaritvanDijk77

View Slide

IntelliJ IDEA
https://www.jetbrains.com/help/idea/package-analysis.html @MaritvanDijk77

View Slide

IntelliJ IDEA

View Slide

IntelliJ IDEA
@MaritvanDijk77
https://www.youtube.com/@intellijidea

View Slide

Pros & Cons
+ Check dependencies while working on the project

- Check out each individual project

- Apply & verify updates
@MaritvanDijk77

View Slide

Software Composition Analysis (SCA)
• Scan all repos (and containers)

• Overview
@MaritvanDijk77

View Slide

SCA: Pros & Cons
+ No need to check out repos individually

- I have to check the dashboard

- Apply & verify updates

@MaritvanDijk77

View Slide

@MaritvanDijk77
Bots
• Dependabot

• Renovate

• Snyk Open Source

View Slide

Dependabot
• GitHub native

• Features:

• Alerts

• Security updates

• Version updates
@MaritvanDijk77

View Slide

Dependabot enable
@MaritvanDijk77

View Slide

Dependabot alerts
@MaritvanDijk77
https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

View Slide

Dependabot alerts
@MaritvanDijk77

View Slide

Dependabot security updates
@MaritvanDijk77
https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

View Slide

Dependabot version updates
• Add dependabot.yml

• Specify:

• Package manager & location of manifest file

• Schedule interval (daily, weekly, or monthly)

• Optional:

• Max. number of PR's (default 5)

• Rebase strategy

• Etc
@MaritvanDijk77
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates

View Slide

Dependabot: Supported platforms
• GitHub native

• Can run on GitLab too
@MaritvanDijk77

View Slide

Renovate
• Available via GitHub App

• Features:


• Version updates

• Project dashboard
@MaritvanDijk77

View Slide

Renovate enable
@MaritvanDijk77
https://github.com/apps/renovate

View Slide

Renovate enable - 3
@MaritvanDijk77

View Slide

Renovate onboarding PR
@MaritvanDijk77

View Slide

Renovate configuration
• All repos or selected repos

• Config file is created for you

• Scheduling

• Max. number of PR's / concurrent branches

• Rule based auto merge

• More options & more fine-grained
@MaritvanDijk77
https://docs.renovatebot.com/configuration-options/

View Slide

Renovate PR
@MaritvanDijk77
https://docs.renovatebot.com/merge-confidence/

View Slide

Renovate Dashboard: Project
@MaritvanDijk77

View Slide

Renovate Dashboard: Jobs
@MaritvanDijk77

View Slide

Renovate: Supported platforms
• GitHub (.com and Enterprise Server)

• GitLab (.com and CE/EE)

• Bitbucket Cloud

• Bitbucket Server

• Azure DevOps

• AWS CodeCommit

• Gitea
@MaritvanDijk77
https://docs.renovatebot.com/#supported-platforms

View Slide

Snyk Open Source
• Available via Snyk

• Features:


• Version updates

• Test for new vulnerabilities (on PRs)

• Test for vulnerabilities in source code

• Dashboards
@MaritvanDijk77
https://snyk.io/

View Slide

Snyk enable
@MaritvanDijk77
https://snyk.io/

View Slide

Snyk enable - 2
@MaritvanDijk77

View Slide

Snyk enable - 3
@MaritvanDijk77

View Slide

Snyk enable - 4
@MaritvanDijk77

View Slide

Snyk PR
@MaritvanDijk77

View Slide

Snyk PR Check
@MaritvanDijk77

View Slide

Snyk dashboard
@MaritvanDijk77

View Slide

Snyk Open Source Configuration
• Frequency (daily, weekly, never)

• Enable/disable: New and/or known vulnerabilities

• Enable/disable PR's for single project
@MaritvanDijk77
https://docs.snyk.io/products/snyk-open-source/open-source-basics

View Slide

Snyk Open Source: Supported Platforms
• GitHub

• GitHub Enterprise

• GitHub Read-only projects

• Bitbucket Cloud Personal Access Token (Legacy)

• Bitbucket Cloud App

• Bitbucket Data Center/Server

• GitLab

• Azure Repos
@MaritvanDijk77
https://docs.snyk.io/integrations/git-repository-scm-integrations

View Slide

@MaritvanDijk77
Bots
• Dependabot

• Renovate

• Snyk Open Source

View Slide

Bots: Pros & Cons
+ Relatively easy to install

+ Automatic PR's

- Can create "noise"

- Manage PRs (merge & deploy)

- No code changes (if needed)
@MaritvanDijk77

View Slide

Migration tools
@MaritvanDijk77

View Slide

IntelliJ IDEA
• Refactor > Migrate Packages and Classes
@MaritvanDijk77
https://www.jetbrains.com/help/idea/migrate.html

View Slide

IntelliJ IDEA
• Create New Migration
@MaritvanDijk77

View Slide

IntelliJ IDEA
@MaritvanDijk77
https://www.youtube.com/@intellijidea

View Slide

Error Prone
• Static analysis tool for Java to catch common programming mistakes
at compile-time.

• Maven, Gradle, etc.

• IntelliJ IDEA / Eclipse plugin, Command line

• Bug patterns

• Report or fix

• Custom checks

• Includes Refaster: refactor code using before-and-after templates
@MaritvanDijk77
https://errorprone.info/

View Slide

Error Prone
@MaritvanDijk77
https://www.youtube.com/watch?v=NPuLeoIzIR0

View Slide

Error Prone Support
@MaritvanDijk77
https://error-prone.picnic.tech/

View Slide

OpenRewrite
• Source code refactoring for framework/API migrations, vulnerability
patches, and static code analysis fixes

• Early focus on Java

• Kotlin - early support, actively developed

• Groovy - focus on Gradle dependency manipulation, works on most
Groovy source code too

• Python

• JavaScript - in development, not released yet
@MaritvanDijk77
https://docs.openrewrite.org/

View Slide

OpenRewrite
• Existing recipes
@MaritvanDijk77
https://docs.openrewrite.org/running-recipes/popular-recipe-guides

View Slide

OpenRewrite
@MaritvanDijk77
https://docs.openrewrite.org/reference/recipes

View Slide

OpenRewrite

• Can author recipes
@MaritvanDijk77
https://docs.openrewrite.org/

View Slide

OpenRewrite
@MaritvanDijk77
https://sched.co/1K3zc

View Slide

Conclusion
•(Re)evaluate dependencies carefully

•Automate checks & updates

•Stay safe!
@MaritvanDijk77

View Slide

Slides & More
https://maritvandijk.com/presentations/keep-your-dependencies-in-check/

@MaritvanDijk77

View Slide

Keep your dependencies in check

Keep your dependencies in check

Marit van Dijk

More Decks by Marit van Dijk

Other Decks in Programming

Featured

Transcript