$30 off During Our Annual Pro Sale. View Details »

Keep your dependencies in check

Marit van Dijk
October 24, 2022
Programming
0
160

Keep your dependencies in check

If Log4Shell, Spring4Shell, etc. have taught us anything, it’s that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Luckily, there are plenty of tools that can help us with this, from package managers to bots that can automatically create changes on our repositories. Let’s go over some of the different options, so we can make informed choices about what’s best for us in a particular situation.

Marit van Dijk

October 24, 2022
Tweet

More Decks by Marit van Dijk

See All by Marit van Dijk
Reading code
mlvandijk
0
21
Keep your dependencies in check
mlvandijk
0
14
Reading Code
mlvandijk
0
110
Keep your dependencies in check
mlvandijk
0
9
Keep your dependencies in check
mlvandijk
0
22
Reading Code
mlvandijk
0
130
Reading code
mlvandijk
0
49
Keep your dependencies in check
mlvandijk
0
23
Reading code
mlvandijk
0
97

Other Decks in Programming

See All in Programming
ちょうぜつ本の紹介 (クリーンアーキテクチャとパッケージ原則)
suzukimar
0
270
ニジエチューニング2023-12
nijieinfra
0
170
DIGGLEの分析基盤アーキテクチャ
zakky21
0
220
VimConf 2023 Tiny
skanehira
1
220
GoにおけるCall Graphを用いた 大規模コードベースの影響調査
ffjlabo
0
110
B2B SaaSでSpringSecurityによる Roleを用いたユーザー権限設定の 実装について
rakus_dev
1
180
10年モノのAndroidアプリのコード品質を改善していく、3つの取り組み
okuzawats
0
660
Findy - エンジニア向け会社紹介 / Findy Letter for Engineers
findyinc
2
58k
Foreign Function & Memory API ( FFM API )を用いたNativeライブラリ呼び出しと既存ライブラリの比較 ( JJUG CCC 2023 Fall )
hiroisojp
1
370
KDDI共同講演:@niftyメール基盤移行プロジェクト - NIFTY Tech Day 2023
niftycorp
0
120
弊社の開発体験の良いところは?メンバーに訊いてみた!
texmeijin
0
190
機械学習ソフトウェアにおけるテスト手法
hitsuji1991
PRO
2
1k

Featured

See All Featured
XXLCSS - How to scale CSS and keep your sanity
sugarenia
239
1.2M
How to name files
jennybc
59
87k
Git: the NoSQL Database
bkeepers
PRO
420
62k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
13
5.9k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
656
120k
How STYLIGHT went responsive
nonsquared
89
4.5k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
5
740
Debugging Ruby Performance
tmm1
68
11k
Gamification - CAS2011
davidbonilla
75
4.4k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k
4 Signs Your Business is Dying
shpigford
172
21k
The Invisible Side of Design
smashingmag
291
49k

Transcript

  1. Keep your dependencies in check
    GeeCon Prague - October 24th, 2022
    https://maritvandijk.com/ @MaritvanDijk77

    View Slide

  2. @MaritvanDijk77

    View Slide

  3. @MaritvanDijk77

    View Slide

  4. @MaritvanDijk77

    View Slide

  5. @MaritvanDijk77

    View Slide

  6. Dec. 2021
    @MaritvanDijk77

    View Slide

  7. @MaritvanDijk77

    View Slide

  8. @MaritvanDijk77

    View Slide

  9. @MaritvanDijk77

    View Slide

  10. March 2022
    @MaritvanDijk77

    View Slide

  11. @MaritvanDijk77

    View Slide

  12. @MaritvanDijk77

    View Slide

  13. @MaritvanDijk77

    View Slide

  14. @MaritvanDijk77

    View Slide

  15. @MaritvanDijk77
    Do we


    need


    this
    dependency?

    View Slide

  16. Selecting dependencies
    @MaritvanDijk77

    View Slide

  17. Selecting dependencies
    @MaritvanDijk77

    View Slide

  18. @MaritvanDijk77
    https://xkcd.com/2347/

    View Slide

  19. @MaritvanDijk77

    View Slide

  20. Selecting dependencies
    @MaritvanDijk77

    View Slide

  21. Selecting dependencies
    @MaritvanDijk77

    View Slide

  22. Selecting dependencies @MaritvanDijk77

    View Slide

  23. Selecting dependencies
    @MaritvanDijk77

    View Slide

  24. @MaritvanDijk77
    Find information

    View Slide

  25. Dependency information
    @MaritvanDijk77
    https://mvnrepository.com/

    View Slide

  26. Dependency information
    @MaritvanDijk77
    https://mvnrepository.com/

    View Slide

  27. Dependency information
    @MaritvanDijk77
    https://github.com/

    View Slide

  28. Dependency information
    @MaritvanDijk77
    https://github.com/

    View Slide

  29. Dependency information
    @MaritvanDijk77
    https://package-search.jetbrains.com/

    View Slide

  30. Dependency information
    @MaritvanDijk77
    https://package-search.jetbrains.com/

    View Slide

  31. Dependency information
    @MaritvanDijk77
    https://package-search.jetbrains.com/

    View Slide

  32. No dependencies
    @MaritvanDijk77
    Maintain dependencies

    View Slide

  33. Maven
    • Overview of dependencies: `mvn dependency:tree`
    @MaritvanDijk77

    View Slide

  34. Maven
    • Check for updates: `mvn versions:display-dependency-updates`
    @MaritvanDijk77

    View Slide

  35. Maven
    • Analyse dependencies: `mvn dependency:analyze`
    @MaritvanDijk77

    View Slide

  36. Gradle
    • Overview of dependencies: `./gradlew dependencies`
    @MaritvanDijk77

    View Slide

  37. Gradle
    • Add plugin, e.g. gradle-versions-plugin


    • Run `./gradlew dependencyUpdates`
    @MaritvanDijk77

    View Slide

  38. IntelliJ IDEA
    • Alt + Enter
    @MaritvanDijk77

    View Slide

  39. IntelliJ IDEA
    • Alt + Enter
    @MaritvanDijk77

    View Slide

  40. IntelliJ IDEA
    • Package search: Dependencies tab
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/package-search.html

    View Slide

  41. IntelliJ IDEA
    • Package search: Dependencies tab
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/package-search.html

    View Slide

  42. IntelliJ IDEA: Ultimate Edition
    @MaritvanDijk77
    • Package checker

    View Slide

  43. Downsides
    - Check out each individual project


    - Apply & verify updates
    @MaritvanDijk77

    View Slide

  44. Software Composition Analysis (SCA)
    • Scan all repos (and containers)


    • Overview
    @MaritvanDijk77

    View Slide

  45. SCA: Pros & Cons
    + No need to check out repos individually


    - I have to check the dashboard
    @MaritvanDijk77

    View Slide

  46. @MaritvanDijk77
    Bots
    • Dependabot


    • Renovate


    • Snyk Open Source

    View Slide

  47. Dependabot
    • GitHub native


    • Includes:


    • Dependabot alerts


    • Dependabot security updates


    • Dependabot version updates
    @MaritvanDijk77

    View Slide

  48. Dependabot enable
    @MaritvanDijk77

    View Slide

  49. Dependabot alerts
    @MaritvanDijk77

    View Slide

  50. Dependabot security updates
    @MaritvanDijk77

    View Slide

  51. Dependabot version updates
    • Add dependabot.yml (impacts security updates)


    • Package manager & directory manifest file


    • Frequency (daily, weekly, or monthly)


    • Schedule (date, time, timezone)


    • Max. number of PR's (default 5)


    • Some details to manage PR's
    @MaritvanDijk77
    https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

    View Slide

  52. Renovate
    • By Mend


    • Available via GitHub App
    @MaritvanDijk77

    View Slide

  53. Renovate enable
    @MaritvanDijk77
    https://github.com/apps/renovate

    View Slide

  54. Renovate enable
    @MaritvanDijk77

    View Slide

  55. Renovate enable
    @MaritvanDijk77

    View Slide

  56. Renovate configuration
    • All repos or selected repos


    • Config file is created for you


    • Max. number of PR's / concurrent branches


    • More options


    • More fine-grained
    @MaritvanDijk77
    https://docs.renovatebot.com/configuration-options/

    View Slide

  57. Renovate PR
    @MaritvanDijk77
    https://docs.renovatebot.com/merge-confidence/

    View Slide

  58. Renovate Dashboard
    @MaritvanDijk77

    View Slide

  59. Snyk
    • Products:


    • Snyk Open Source


    • Snyk Code


    • Snyk Container


    • Snyk Infrastructure as Code


    • Snyk Cloud
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  60. Snyk enable
    @MaritvanDijk77
    https://snyk.io/

    View Slide

  61. Snyk enable
    @MaritvanDijk77

    View Slide

  62. Snyk enable
    @MaritvanDijk77

    View Slide

  63. Snyk enable
    @MaritvanDijk77

    View Slide

  64. Snyk PR
    @MaritvanDijk77

    View Slide

  65. Snyk PR
    @MaritvanDijk77

    View Slide

  66. Snyk PR Check
    @MaritvanDijk77

    View Slide

  67. Snyk dashboard
    @MaritvanDijk77

    View Slide

  68. Snyk dashboard
    @MaritvanDijk77

    View Slide

  69. Snyk Open Source Configuration
    • Frequency (daily, weekly, never)


    • Enable/disable: New and/or known vulnerabilities


    • Enable/disable PRs for single project
    @MaritvanDijk77
    https://docs.snyk.io/products/snyk-open-source/open-source-basics

    View Slide

  70. Bots: Pros & Cons
    + Relatively easy to install


    + Automatic PRs


    - Can create "noise"


    - Manage PRs (merge & deploy)


    - No code changes (if needed)
    @MaritvanDijk77

    View Slide

  71. Migration tools
    @MaritvanDijk77

    View Slide

  72. IntelliJ IDEA
    • Migrate Packages and Classes
    @MaritvanDijk77
    https://www.jetbrains.com/help/idea/migrate.html

    View Slide

  73. IntelliJ IDEA
    • Create New Migration
    @MaritvanDijk77

    View Slide

  74. Error Prone
    • Static analysis tool for Java that catches common programming
    mistakes at compile-time.


    • Maven, Gradle, etc.


    • IntelliJ IDEA / Eclipse plugin, Command line


    • Bug patterns


    • Report or fix


    • Custom checks


    • Includes Refaster: refactor code using before-and-after templates
    @MaritvanDijk77
    https://errorprone.info/

    View Slide

  75. Error Prone
    @MaritvanDijk77
    https://www.youtube.com/watch?v=NPuLeoIzIR0

    View Slide

  76. Error Prone Support
    @MaritvanDijk77
    https://error-prone.picnic.tech/

    View Slide

  77. OpenRewrite
    • Source code refactoring for framework migrations, vulnerability
    patches, and API migrations


    • Early focus on Java


    • Maven & Gradle


    • Existing recipes


    • Can author recipes
    @MaritvanDijk77
    https://docs.openrewrite.org/

    View Slide

  78. Quickstart: Maven and Gradle
    • Add plugin:
    @MaritvanDijk77
    https://docs.openrewrite.org/getting-started/getting-started

    View Slide

  79. @MaritvanDijk77
    https://docs.openrewrite.org/getting-started/getting-started
    • Discover: `./mvnw rewrite:discover`

    View Slide

  80. Quickstart: Maven and Gradle
    • Configure plugin:
    @MaritvanDijk77
    https://docs.openrewrite.org/getting-started/getting-started

    View Slide

  81. @MaritvanDijk77
    https://docs.openrewrite.org/getting-started/getting-started
    • Run: `./mvnw rewrite:run`

    View Slide

  82. Quickstart: Maven and Gradle
    @MaritvanDijk77
    https://docs.openrewrite.org/getting-started/getting-started

    View Slide

  83. OpenRewrite
    @MaritvanDijk77
    https://www.youtube.com/watch?v=7fslFKkCkxg

    View Slide

  84. Conclusion
    •(Re)evaluate dependencies carefully


    •Automate checks & updates


    •Stay safe!
    @MaritvanDijk77

    View Slide

  85. Slides
    https://maritvandijk.com/presentations/keep-your-dependencies-in-check/


    @MaritvanDijk77

    View Slide