Keep_your_dependencies_in_check_BrabantJUG.pdf

Keep your dependencies in check
BrabantJUG - March 7th, 2023
https://maritvandijk.com/ @MaritvanDijk77

View Slide

@MaritvanDijk77

View Slide

Dec. 2021
@MaritvanDijk77

View Slide

@MaritvanDijk77

View Slide

March 2022
@MaritvanDijk77

View Slide

@MaritvanDijk77

View Slide

@MaritvanDijk77
Do we

need

this
dependency?

View Slide

Selecting dependencies
@MaritvanDijk77

View Slide

@MaritvanDijk77
https://xkcd.com/2347/

View Slide

@MaritvanDijk77

View Slide

Selecting dependencies @MaritvanDijk77

View Slide

@MaritvanDijk77

View Slide

@MaritvanDijk77
Find information

View Slide

Dependency information
@MaritvanDijk77
https://search.maven.org/

View Slide

@MaritvanDijk77

View Slide

@MaritvanDijk77
https://package-search.jetbrains.com/

View Slide

@MaritvanDijk77
https://github.com/

View Slide

No dependencies
@MaritvanDijk77
Maintain dependencies

View Slide

Maven
• Overview of dependencies: `mvn dependency:tree`
@MaritvanDijk77

View Slide

Maven
• Check for updates: `mvn versions:display-dependency-updates`
@MaritvanDijk77

View Slide

Maven
• Analyze dependencies: `mvn dependency:analyze`
@MaritvanDijk77

View Slide

Gradle
• Overview of dependencies: `./gradlew dependencies`
@MaritvanDijk77

View Slide

Gradle
• Add plugin, e.g. gradle-versions-plugin

• Run `./gradlew dependencyUpdates`
@MaritvanDijk77
https://github.com/ben-manes/gradle-versions-plugin

View Slide

IntelliJ IDEA: View Dependencies
@MaritvanDijk77
https://www.jetbrains.com/help/idea/maven-projects-tool-window.html

View Slide

IntelliJ IDEA: View Dependencies
@MaritvanDijk77
https://www.jetbrains.com/help/idea/jetgradle-tool-window.html

View Slide

IntelliJ IDEA: Dependency Analyzer
@MaritvanDijk77
https://www.jetbrains.com/help/idea/work-with-maven-dependencies.html#dependency_analyzer

View Slide

IntelliJ IDEA: Dependency Analyzer
@MaritvanDijk77
https://www.jetbrains.com/help/idea/work-with-gradle-dependency-diagram.html#dependency_analyzer

View Slide

IntelliJ IDEA
• Package Search: Add dependency
@MaritvanDijk77
https://www.jetbrains.com/help/idea/package-search.html

View Slide

IntelliJ IDEA: Update dependencies
• Intention actions (⌥ ⏎ or Alt+Enter) or hover
@MaritvanDijk77

View Slide

IntelliJ IDEA: Update dependencies
@MaritvanDijk77

View Slide

IntelliJ IDEA
• Intention actions (⌥ ⏎ or Alt+Enter) or hover
@MaritvanDijk77

View Slide

IntelliJ IDEA
• Package search: Dependencies tool window
@MaritvanDijk77

View Slide

IntelliJ IDEA: Dependency tool window
@MaritvanDijk77

View Slide

IntelliJ IDEA Ultimate
@MaritvanDijk77
• Package Checker

View Slide

IntelliJ IDEA Ultimate: Package checker

View Slide

Downsides
- Check out each individual project

- Apply & verify updates
@MaritvanDijk77

View Slide

Software Composition Analysis (SCA)
• Scan all repos (and containers)

• Overview
@MaritvanDijk77

View Slide

SCA: Pros & Cons
+ No need to check out repos individually

- I have to check the dashboard

- Apply & verify updates

@MaritvanDijk77

View Slide

@MaritvanDijk77
Bots
• Dependabot

• Renovate

• Snyk Open Source

View Slide

Dependabot
• GitHub native

• Features:

• Alerts

• Security updates

• Version updates
@MaritvanDijk77

View Slide

Dependabot enable
@MaritvanDijk77

View Slide

Dependabot alerts
@MaritvanDijk77

View Slide

Dependabot security updates
@MaritvanDijk77

View Slide

Dependabot version updates
• Add dependabot.yml (impacts security updates)

• Package manager & directory manifest file

• Frequency (daily, weekly, or monthly)

• Schedule (date, time, timezone)

• Max. number of PR's (default 5)

• Some details to manage PR's
@MaritvanDijk77
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

View Slide

Renovate
• Available via GitHub App

• Features:


• Version updates

• Project dashboard
@MaritvanDijk77

View Slide

Renovate enable
@MaritvanDijk77
https://github.com/apps/renovate

View Slide

Renovate enable - 2
@MaritvanDijk77

View Slide

Renovate configuration
• All repos or selected repos

• Config file is created for you

• Max. number of PR's / concurrent branches

• More options

• More fine-grained
@MaritvanDijk77
https://docs.renovatebot.com/configuration-options/

View Slide

Renovate PR
@MaritvanDijk77
https://docs.renovatebot.com/merge-confidence/

View Slide

Renovate Dashboard: Project
@MaritvanDijk77

View Slide

Renovate Dashboard: Jobs
@MaritvanDijk77

View Slide

Snyk Open Source
• Available via Snyk

• Features:


• Version updates

• Test for new vulnerabilities (on PRs)

• Test for vulnerabilities in source code

• Dashboards
@MaritvanDijk77
https://snyk.io/

View Slide

Snyk enable
@MaritvanDijk77
https://snyk.io/

View Slide

Snyk enable - 2
@MaritvanDijk77

View Slide

Snyk enable - 3
@MaritvanDijk77

View Slide

Snyk enable - 4
@MaritvanDijk77

View Slide

Snyk PR
@MaritvanDijk77

View Slide

Snyk PR Check
@MaritvanDijk77

View Slide

Snyk dashboard
@MaritvanDijk77

View Slide

Snyk Open Source Configuration
• Frequency (daily, weekly, never)

• Enable/disable: New and/or known vulnerabilities

• Enable/disable PR's for single project
@MaritvanDijk77
https://docs.snyk.io/products/snyk-open-source/open-source-basics

View Slide

Bots: Pros & Cons
+ Relatively easy to install

+ Automatic PR's

- Can create "noise"

- Manage PRs (merge & deploy)

- No code changes (if needed)
@MaritvanDijk77

View Slide

Migration tools
@MaritvanDijk77

View Slide

IntelliJ IDEA
• Migrate Packages and Classes
@MaritvanDijk77
https://www.jetbrains.com/help/idea/migrate.html

View Slide

IntelliJ IDEA
• Create New Migration
@MaritvanDijk77

View Slide

IntelliJ IDEA
@MaritvanDijk77
https://www.youtube.com/@intellijidea

View Slide

Error Prone
• Static analysis tool for Java that catches common programming
mistakes at compile-time.

• Maven, Gradle, etc.

• IntelliJ IDEA / Eclipse plugin, Command line

• Bug patterns

• Report or fix

• Custom checks

• Includes Refaster: refactor code using before-and-after templates
@MaritvanDijk77
https://errorprone.info/

View Slide

OpenRewrite
• Source code refactoring for framework migrations, vulnerability
patches, and API migrations

• Early focus on Java

• Maven & Gradle

• Existing recipes

• Can author recipes
@MaritvanDijk77
https://docs.openrewrite.org/

View Slide

Quickstart: Maven and Gradle
• Add plugin:
@MaritvanDijk77
https://docs.openrewrite.org/getting-started/getting-started

View Slide

@MaritvanDijk77
• Discover: `./mvnw rewrite:discover`

View Slide

• Configure plugin:
@MaritvanDijk77

View Slide

@MaritvanDijk77
• Run: `./mvnw rewrite:run`

View Slide

@MaritvanDijk77

View Slide

Conclusion
•(Re)evaluate dependencies carefully

•Automate checks & updates

•Stay safe!
@MaritvanDijk77

View Slide

Slides & More
https://maritvandijk.com/presentations/keep-your-dependencies-in-check/

@MaritvanDijk77

View Slide

Keep_your_dependencies_in_check_BrabantJUG.pdf

Keep_your_dependencies_in_check_BrabantJUG.pdf

Marit van Dijk

More Decks by Marit van Dijk

Featured

Transcript