Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep_your_dependencies_in_check_BrabantJUG.pdf

Marit van Dijk
March 07, 2023
0
26

 Keep_your_dependencies_in_check_BrabantJUG.pdf

Marit van Dijk

March 07, 2023
Tweet

More Decks by Marit van Dijk

See All by Marit van Dijk
Reading Code (BuildStuff)
mlvandijk
0
6
Will AI Assistant Make Developers Redundant (Devoxx)
mlvandijk
0
70
Reading code (Dev2Next)
mlvandijk
0
26
Putting the AI in JetBrAIns
mlvandijk
0
39
Reading Code (JUG Noord)
mlvandijk
0
24
Reading Code (JavaZone)
mlvandijk
0
13
Code Reading Workshop (SoCraTes)
mlvandijk
1
130
Code Reading workshop - Software Cornwall
mlvandijk
1
29
Reading Code (Picnic)
mlvandijk
1
37

Featured

See All Featured
Documentation Writing (for coders)
carmenintech
65
4.4k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Become a Pro
speakerdeck
PRO
25
5k
Scaling GitHub
holman
458
140k
Typedesign – Prime Four
hannesfritz
40
2.4k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Unsuck your backbone
ammeep
668
57k
How to train your dragon (web standard)
notwaldorf
88
5.7k

Transcript

  1. Keep your dependencies in check BrabantJUG - March 7th, 2023

    https://maritvandijk.com/ @MaritvanDijk77

  2. @MaritvanDijk77

  3. @MaritvanDijk77

  4. @MaritvanDijk77

  5. @MaritvanDijk77

  6. Dec. 2021 @MaritvanDijk77

  7. @MaritvanDijk77

  8. @MaritvanDijk77

  9. @MaritvanDijk77

  10. March 2022 @MaritvanDijk77

  11. @MaritvanDijk77

  12. @MaritvanDijk77

  13. @MaritvanDijk77

  14. @MaritvanDijk77

  15. @MaritvanDijk77 Do we need this dependency?

  16. Selecting dependencies @MaritvanDijk77

  17. Selecting dependencies @MaritvanDijk77

  18. @MaritvanDijk77 https://xkcd.com/2347/

  19. Selecting dependencies @MaritvanDijk77

  20. Selecting dependencies @MaritvanDijk77

  21. Selecting dependencies @MaritvanDijk77

  22. Selecting dependencies @MaritvanDijk77

  23. @MaritvanDijk77 Find information

  24. Dependency information @MaritvanDijk77 https://search.maven.org/

  25. Dependency information @MaritvanDijk77 https://search.maven.org/

  26. Dependency information @MaritvanDijk77

  27. Dependency information @MaritvanDijk77

  28. Dependency information @MaritvanDijk77 https://package-search.jetbrains.com/

  29. Dependency information @MaritvanDijk77 https://package-search.jetbrains.com/

  30. Dependency information @MaritvanDijk77 https://package-search.jetbrains.com/

  31. Dependency information @MaritvanDijk77 https://github.com/

  32. Dependency information @MaritvanDijk77 https://github.com/

  33. No dependencies @MaritvanDijk77 Maintain dependencies

  34. Maven • Overview of dependencies: `mvn dependency:tree` @MaritvanDijk77

  35. Maven • Check for updates: `mvn versions:display-dependency-updates` @MaritvanDijk77

  36. Maven • Analyze dependencies: `mvn dependency:analyze` @MaritvanDijk77

  37. Gradle • Overview of dependencies: `./gradlew dependencies` @MaritvanDijk77

  38. Gradle • Add plugin, e.g. gradle-versions-plugin • Run `./gradlew dependencyUpdates`

    @MaritvanDijk77 https://github.com/ben-manes/gradle-versions-plugin

  39. IntelliJ IDEA: View Dependencies @MaritvanDijk77 https://www.jetbrains.com/help/idea/maven-projects-tool-window.html

  40. IntelliJ IDEA: View Dependencies @MaritvanDijk77 https://www.jetbrains.com/help/idea/jetgradle-tool-window.html

  41. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

  42. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

  43. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  44. IntelliJ IDEA: Dependency Analyzer @MaritvanDijk77 https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

  45. IntelliJ IDEA • Package Search: Add dependency @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  46. IntelliJ IDEA • Package Search: Add dependency @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  47. IntelliJ IDEA: Update dependencies • Intention actions (⌥ ⏎ or

    Alt+Enter) or hover @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  48. IntelliJ IDEA: Update dependencies @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  49. IntelliJ IDEA • Intention actions (⌥ ⏎ or Alt+Enter) or

    hover @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  50. IntelliJ IDEA • Package search: Dependencies tool window @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  51. IntelliJ IDEA • Package search: Dependencies tool window @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  52. IntelliJ IDEA: Dependency tool window @MaritvanDijk77 https://www.jetbrains.com/help/idea/package-search.html

  53. IntelliJ IDEA Ultimate @MaritvanDijk77 • Package Checker

  54. IntelliJ IDEA Ultimate: Package checker

  55. IntelliJ IDEA Ultimate: Package checker

  56. Downsides - Check out each individual project - Apply &

    verify updates @MaritvanDijk77

  57. Software Composition Analysis (SCA) • Scan all repos (and containers)

    • Overview @MaritvanDijk77

  58. SCA: Pros & Cons + No need to check out

    repos individually - I have to check the dashboard - Apply & verify updates @MaritvanDijk77

  59. @MaritvanDijk77 Bots • Dependabot • Renovate • Snyk Open Source

  60. Dependabot • GitHub native • Features: • Alerts • Security

    updates • Version updates @MaritvanDijk77

  61. Dependabot enable @MaritvanDijk77

  62. Dependabot alerts @MaritvanDijk77

  63. Dependabot security updates @MaritvanDijk77

  64. Dependabot version updates • Add dependabot.yml (impacts security updates) •

    Package manager & directory manifest file • Frequency (daily, weekly, or monthly) • Schedule (date, time, timezone) • Max. number of PR's (default 5) • Some details to manage PR's @MaritvanDijk77 https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

  65. Renovate • Available via GitHub App • Features: • Security

    updates • Version updates • Project dashboard @MaritvanDijk77

  66. Renovate enable @MaritvanDijk77 https://github.com/apps/renovate

  67. Renovate enable - 2 @MaritvanDijk77

  68. Renovate configuration • All repos or selected repos • Config

    file is created for you • Max. number of PR's / concurrent branches • More options • More fine-grained @MaritvanDijk77 https://docs.renovatebot.com/configuration-options/

  69. Renovate PR @MaritvanDijk77 https://docs.renovatebot.com/merge-confidence/

  70. Renovate Dashboard: Project @MaritvanDijk77

  71. Renovate Dashboard: Jobs @MaritvanDijk77

  72. Snyk Open Source • Available via Snyk • Features: •

    Security updates • Version updates • Test for new vulnerabilities (on PRs) • Test for vulnerabilities in source code • Dashboards @MaritvanDijk77 https://snyk.io/

  73. Snyk enable @MaritvanDijk77 https://snyk.io/

  74. Snyk enable - 2 @MaritvanDijk77

  75. Snyk enable - 3 @MaritvanDijk77

  76. Snyk enable - 4 @MaritvanDijk77

  77. Snyk PR @MaritvanDijk77

  78. Snyk PR @MaritvanDijk77

  79. Snyk PR Check @MaritvanDijk77

  80. Snyk dashboard @MaritvanDijk77

  81. Snyk Open Source Configuration • Frequency (daily, weekly, never) •

    Enable/disable: New and/or known vulnerabilities • Enable/disable PR's for single project @MaritvanDijk77 https://docs.snyk.io/products/snyk-open-source/open-source-basics

  82. Bots: Pros & Cons + Relatively easy to install +

    Automatic PR's - Can create "noise" - Manage PRs (merge & deploy) - No code changes (if needed) @MaritvanDijk77

  83. Migration tools @MaritvanDijk77

  84. IntelliJ IDEA • Migrate Packages and Classes @MaritvanDijk77 https://www.jetbrains.com/help/idea/migrate.html

  85. IntelliJ IDEA • Create New Migration @MaritvanDijk77

  86. IntelliJ IDEA • Create New Migration @MaritvanDijk77

  87. IntelliJ IDEA @MaritvanDijk77 https://www.youtube.com/@intellijidea

  88. Error Prone • Static analysis tool for Java that catches

    common programming mistakes at compile-time. • Maven, Gradle, etc. • IntelliJ IDEA / Eclipse plugin, Command line • Bug patterns • Report or fix • Custom checks • Includes Refaster: refactor code using before-and-after templates @MaritvanDijk77 https://errorprone.info/

  89. OpenRewrite • Source code refactoring for framework migrations, vulnerability patches,

    and API migrations • Early focus on Java • Maven & Gradle • Existing recipes • Can author recipes @MaritvanDijk77 https://docs.openrewrite.org/

  90. Quickstart: Maven and Gradle • Add plugin: @MaritvanDijk77 https://docs.openrewrite.org/getting-started/getting-started

  91. @MaritvanDijk77 https://docs.openrewrite.org/getting-started/getting-started • Discover: `./mvnw rewrite:discover`

  92. Quickstart: Maven and Gradle • Configure plugin: @MaritvanDijk77 https://docs.openrewrite.org/getting-started/getting-started

  93. @MaritvanDijk77 https://docs.openrewrite.org/getting-started/getting-started • Run: `./mvnw rewrite:run`

  94. Quickstart: Maven and Gradle @MaritvanDijk77 https://docs.openrewrite.org/getting-started/getting-started

  95. Quickstart: Maven and Gradle @MaritvanDijk77 https://docs.openrewrite.org/getting-started/getting-started

  96. Conclusion •(Re)evaluate dependencies carefully •Automate checks & updates •Stay safe!

    @MaritvanDijk77

  97. Slides & More https://maritvandijk.com/presentations/keep-your-dependencies-in-check/ @MaritvanDijk77