
Keep your dependencies in check (Devoxx PL)

If Log4Shell, Spring4Shell, etc. have taught us anything, it’s that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Luckily, there are plenty of tools that can help us with this, from package managers to bots that can automatically create changes on our repositories. Let’s go over some of the different options, so we can make informed choices about what’s best for us in a particular situation.

Marit van Dijk

June 19, 2024

Transcript

  1. Gradle
     • Check for updates:
       • Add plugin, e.g. gradle-versions-plugin
       • Run `./gradlew dependencyUpdates`
     https://github.com/ben-manes/gradle-versions-plugin
  2. Gradle
     • Analyze dependencies:
       • Add plugin (e.g. nebula)
       • Run `./gradlew fixGradleLint`
     https://github.com/nebula-plugins/gradle-lint-plugin/wiki/Unused-Dependency-Rule
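A build file that wires up both Gradle plugins from slides 1 and 2, added here as an example (it is not code from the talk or from either plugin project). Plugin and library versions are placeholders to be checked against the Gradle plugin portal; the `isNonStable` filter follows the pattern documented in the gradle-versions-plugin README, and the `commons-lang3` dependency is assumed to be unused so the lint rule has something to remove.

```groovy
// build.gradle (Groovy DSL) - added example, not from the slides.
plugins {
    id 'java'
    id 'com.github.ben-manes.versions' version '0.51.0'   // gradle-versions-plugin (version is a placeholder)
    id 'nebula.lint' version '19.0.3'                      // gradle-lint-plugin   (version is a placeholder)
}

repositories {
    mavenCentral()
}

dependencies {
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.15.0'
    implementation 'org.apache.commons:commons-lang3:3.12.0'   // assumed unused by the code: lint should flag it
    testImplementation 'org.junit.jupiter:junit-jupiter:5.9.0'
}

// Slide 2: only enable the rule the talk points at. The rule inspects compiled
// classes, so compile first: `./gradlew build lintGradle` reports,
// `./gradlew fixGradleLint` rewrites this file and drops the unused dependency.
gradleLint.rules = ['unused-dependency']

// Slide 1: `./gradlew dependencyUpdates` lists newer versions. Without a filter it
// also proposes alpha/beta/RC/milestone releases, which you normally do not want
// to ship; reject those so the report only shows stable candidates.
def isNonStable = { String version ->
    def stableKeyword = ['RELEASE', 'FINAL', 'GA'].any { it -> version.toUpperCase().contains(it) }
    def regex = /^[0-9,.v-]+(-r)?$/
    return !stableKeyword && !(version ==~ regex)
}

tasks.named('dependencyUpdates').configure {
    rejectVersionIf {
        isNonStable(it.candidate.version)
    }
    checkForGradleUpdate = true
    outputFormatter = 'plain,json'          // plain for the terminal, json for CI to parse
    outputDir = 'build/dependencyUpdates'   // report lands here instead of the project root
}
```

Neither task changes your code: `dependencyUpdates` only reports, and `fixGradleLint` only edits the build script, so the version bumps it suggests still have to be applied and verified by hand (the "Apply & verify updates" con on slide 4).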
  3. IntelliJ IDEA
     • Vulnerable API Usage
     • Context Actions (⌥⏎ or Alt+Enter)
     https://www.jetbrains.com/help/idea/package-analysis.html#find-vulnerable-api
  4. Pros & Cons
     + Check dependencies while working on the project
     - Check out each individual project
     - Apply & verify updates
  5. SCA: Pros & Cons
     + No need to check out repos individually
     - I have to check the dashboard
     - Apply & verify updates
  6. Dependabot
     • GitHub native
     • Features:
       • Alerts
       • Auto-triage rules (preset & custom)
       • Security updates
       • Version updates
     https://docs.github.com/en/code-security/dependabot
  7. Dependabot version updates
     • Add dependabot.yml
     • Specify:
       • Package manager & location of manifest file
       • Schedule interval (daily, weekly, or monthly)
     • Optional:
       • Max. number of PRs (default 5)
       • Rebase strategy
       • Etc.
     https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
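A `.github/dependabot.yml` for a Gradle project, added as a worked example of the settings slide 7 lists (package manager, manifest location, schedule, PR limit, rebase strategy); it is not a file from the talk. The schedule, timezone and labels are assumptions for a fictional repository. Note that this file only drives version updates: Dependabot security updates are switched on in the repository's code security settings and do not need it.

```yaml
# .github/dependabot.yml - added example, not from the slides.
version: 2
updates:
  # The package manager and where its manifest lives (build.gradle in the repo root).
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"           # daily, weekly, or monthly
      day: "monday"
      time: "06:00"
      timezone: "Europe/Amsterdam" # assumed; defaults to UTC
    open-pull-requests-limit: 10   # default is 5; raise it, or bots silently stop opening PRs
    rebase-strategy: "auto"        # "disabled" if you would rather rebase by hand
    # Cut the noise from slide 14: one PR per week for all minor/patch bumps
    # instead of one PR per dependency.
    groups:
      minor-and-patch:
        update-types: ["minor", "patch"]
    # Majors usually need code changes (slide 14: bots do NOT update your code),
    # so keep them out of the automated stream and handle them deliberately.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    labels: ["dependencies"]
    commit-message:
      prefix: "deps"

  # Your CI workflow actions are dependencies too; pin and update them as well.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
```

Ignoring majors here does not hide security alerts for them: Dependabot security updates still open a PR when an advisory matches, regardless of the `ignore` rules for version updates.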
  8. Renovate
     • Available via GitHub App
     • Features:
       • Security updates
       • Version updates
       • Replace deprecated dependencies with community-suggested dependencies
       • Project dashboard
     https://docs.renovatebot.com/
  9. Renovate configuration
     • All repos or selected repos
     • Config file is created for you
     • Scheduling
     • Max. number of PRs / concurrent branches
     • Rule-based auto merge
     • More options & more fine-grained
     https://docs.renovatebot.com/configuration-options/
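A `renovate.json` showing the knobs slide 9 names (scheduling, PR and branch limits, rule-based automerge, the dashboard), added here as an example and not taken from the talk or from Renovate's onboarding PR. The schedule, timezone and labels are assumptions; the option names are Renovate's own.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  "schedule": ["before 6am on monday"],
  "timezone": "Europe/Amsterdam",

  "prConcurrentLimit": 5,
  "prHourlyLimit": 2,
  "branchConcurrentLimit": 10,
  "dependencyDashboard": true,

  "minimumReleaseAge": "3 days",
  "internalChecksFilter": "strict",

  "vulnerabilityAlerts": {
    "labels": ["security"],
    "automerge": false
  },

  "packageRules": [
    {
      "description": "Automerge minor/patch bumps of stable (non-0.x) dependencies once CI passes",
      "matchUpdateTypes": ["minor", "patch"],
      "matchCurrentVersion": "!/^0/",
      "automerge": true,
      "automergeType": "pr"
    },
    {
      "description": "Majors need code changes; label them and leave them for a human",
      "matchUpdateTypes": ["major"],
      "labels": ["major-upgrade"],
      "automerge": false
    }
  ]
}
```

Two of these settings are there for supply-chain reasons rather than noise control: `minimumReleaseAge` makes Renovate wait before proposing a version, so a malicious release that gets yanked within days never reaches an automerged PR, and `vulnerabilityAlerts` PRs bypass the weekly schedule but are deliberately not automerged, so a security bump still gets a pair of eyes.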
  10. Renovate: Supported platforms
     • GitHub (.com and Enterprise Server)
     • GitLab (.com and CE/EE)
     • Bitbucket Cloud
     • Bitbucket Server
     • Azure DevOps
     • AWS CodeCommit
     • Gitea and Forgejo
     • Gerrit (experimental)
     https://docs.renovatebot.com/#supported-platforms
  11. Snyk Open Source
     • Available via Snyk
     • Features:
       • Security updates
       • Version updates
       • Dashboards
       • Test for new vulnerabilities (on PRs)
       • Test for vulnerabilities in source code
     https://snyk.io/
  12. Snyk Open Source configuration
     • Frequency (daily, weekly, never)
     • Enable/disable: new and/or known vulnerabilities
     • Enable/disable PRs for a single project
     https://docs.snyk.io/products/snyk-open-source/open-source-basics
  13. Snyk Open Source: Supported platforms
     • GitHub Cloud App
     • GitHub Enterprise
     • GitHub
     • GitHub Read-only projects
     • GitLab
     • Bitbucket Cloud
     • Bitbucket Cloud (Legacy)
     • Bitbucket Cloud App
     • Bitbucket Data Center/Server
     • Azure Repositories (TFS)
     https://docs.snyk.io/integrations/git-repository-scm-integrations
  14. Bots: Pros & Cons
     + Relatively easy to install
     + Automatic PRs
     - Can create "noise"
     - Manage PRs (merge & deploy)
     - Do NOT update your code (if needed)
  15. IntelliJ IDEA
     • Refactor > Migrate Packages and Classes >
       • Java EE to Jakarta EE
       • JUnit (4.x -> 5.0)
       • JavaFX (8 -> 9)
     https://www.jetbrains.com/help/idea/migrate.html
  16. Error Prone
     • Static analysis tool for Java to catch common programming mistakes at compile time
     • Maven, Gradle, Bazel, Ant
     • IntelliJ IDEA / Eclipse plugin, command line
     • Bug patterns
     • Report or fix
     • Custom checks
     • Includes Refaster: refactor code using before-and-after templates
     https://errorprone.info/
  17. OpenRewrite
     • Source code refactoring for framework/API migrations, vulnerability patches, and static code analysis fixes
     • Java, Kotlin & Groovy support
     • Run using Maven/Gradle plugin
     • or from a YAML file
     https://docs.openrewrite.org/
  18. OpenRewrite
     • Existing recipes:
       • Upgrade versions
       • Migrate libraries
       • Fix static analysis issues
     https://docs.openrewrite.org/running-recipes/popular-recipe-guides
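A Gradle build that runs the three kinds of existing recipe slide 18 lists (upgrade versions, migrate libraries, fix static analysis issues) through the OpenRewrite Gradle plugin from slide 17. This is an added example, not code from the talk or from the OpenRewrite project; plugin, BOM and library versions are placeholders, and the two old application dependencies are deliberately dated so the recipes have something to change.

```groovy
// build.gradle (Groovy DSL) - added example, not from the slides.
plugins {
    id 'java'
    id 'org.openrewrite.rewrite' version '6.16.4'   // version is a placeholder; check the plugin portal
}

repositories {
    mavenCentral()
}

dependencies {
    // Deliberately old, so the recipes below have work to do.
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.13.0'
    testImplementation 'junit:junit:4.13.2'

    // Recipe modules go on the plugin's `rewrite` configuration, not on the
    // application classpath, so they never ship with the build output.
    rewrite platform('org.openrewrite.recipe:rewrite-recipe-bom:2.12.0')  // placeholder version
    rewrite 'org.openrewrite.recipe:rewrite-java-dependencies'
    rewrite 'org.openrewrite.recipe:rewrite-migrate-java'
    rewrite 'org.openrewrite.recipe:rewrite-testing-frameworks'
    rewrite 'org.openrewrite.recipe:rewrite-static-analysis'
}

rewrite {
    // Upgrade versions: bump dependencies that have a publicly disclosed
    // vulnerability to the nearest fixed release. This is the "vulnerability
    // patches" use case from slide 17 and covers what the bots on slide 14 cannot:
    // it edits the build file for you, including overrides for transitives.
    activeRecipe 'org.openrewrite.java.dependencies.DependencyVulnerabilityCheck'

    // Migrate libraries: JUnit 4 -> JUnit 5, rewriting imports, annotations and
    // assertions in the test sources (the same migration slide 15 shows in IntelliJ IDEA).
    activeRecipe 'org.openrewrite.java.testing.junit5.JUnit5BestPractices'

    // Migrate the platform: deprecated JDK APIs and build settings up to Java 17.
    activeRecipe 'org.openrewrite.java.migrate.UpgradeToJava17'

    // Fix static analysis issues across the code base.
    activeRecipe 'org.openrewrite.staticanalysis.CommonStaticAnalysis'
}
```

Run `./gradlew rewriteDryRun` first: it touches nothing and writes the proposed changes to `build/reports/rewrite/rewrite.patch`, which you can review like any other PR. `./gradlew rewriteRun` then applies them in place, and the result still needs a full build and test run before it is merged. Recipes that need parameters (for instance `org.openrewrite.java.dependencies.UpgradeDependencyVersion` with a `groupId`, `artifactId` and `newVersion`) are composed in a `rewrite.yml` next to the build file and activated by name the same way, which is the "from a YAML file" option on slide 17.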
  19. OpenRewrite support in IntelliJ IDEA
     • From Project tool window
     • New (⌘N or Alt+Insert)
     https://www.jetbrains.com/help/idea/openrewrite.html