Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep_your_dependencies_in_check_BrabantJUG.pdf

Marit van Dijk
March 07, 2023
20

 Keep_your_dependencies_in_check_BrabantJUG.pdf

Marit van Dijk

March 07, 2023
Tweet

Transcript

  1. Keep your dependencies in check BrabantJUG - March 7th, 2023

    https://maritvandijk.com/ @MaritvanDijk77
  2. Gradle • Add plugin, e.g. gradle-versions-plugin • Run `./gradlew dependencyUpdates`

    @MaritvanDijk77 https://github.com/ben-manes/gradle-versions-plugin
  3. IntelliJ IDEA: Update dependencies • Intention actions (⌥ ⏎ or

    Alt+Enter) or hover @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html
  4. IntelliJ IDEA • Intention actions (⌥ ⏎ or Alt+Enter) or

    hover @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html
  5. SCA: Pros & Cons + No need to check out

    repos individually - I have to check the dashboard - Apply & verify updates @MaritvanDijk77
  6. Dependabot • GitHub native • Features: • Alerts • Security

    updates • Version updates @MaritvanDijk77
  7. Dependabot version updates • Add dependabot.yml (impacts security updates) •

    Package manager & directory manifest file • Frequency (daily, weekly, or monthly) • Schedule (date, time, timezone) • Max. number of PR's (default 5) • Some details to manage PR's @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
  8. Renovate • Available via GitHub App • Features: • Security

    updates • Version updates • Project dashboard @MaritvanDijk77
  9. Renovate configuration • All repos or selected repos • Config

    file is created for you • Max. number of PR's / concurrent branches • More options • More fine-grained @MaritvanDijk77 https://docs.renovatebot.com/configuration-options/
  10. Snyk Open Source • Available via Snyk • Features: •

    Security updates • Version updates • Test for new vulnerabilities (on PRs) • Test for vulnerabilities in source code • Dashboards @MaritvanDijk77 https://snyk.io/
  11. Snyk Open Source Configuration • Frequency (daily, weekly, never) •

    Enable/disable: New and/or known vulnerabilities • Enable/disable PR's for single project @MaritvanDijk77 https://docs.snyk.io/products/snyk-open-source/open-source-basics
  12. Bots: Pros & Cons + Relatively easy to install +

    Automatic PR's - Can create "noise" - Manage PRs (merge & deploy) - No code changes (if needed) @MaritvanDijk77
  13. Error Prone • Static analysis tool for Java that catches

    common programming mistakes at compile-time. • Maven, Gradle, etc. • IntelliJ IDEA / Eclipse plugin, Command line • Bug patterns • Report or fix • Custom checks • Includes Refaster: refactor code using before-and-after templates @MaritvanDijk77 https://errorprone.info/
  14. OpenRewrite • Source code refactoring for framework migrations, vulnerability patches,

    and API migrations • Early focus on Java • Maven & Gradle • Existing recipes • Can author recipes @MaritvanDijk77 https://docs.openrewrite.org/